Edit tour

Windows Analysis Report
COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Overview

General Information

Sample name:	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Analysis ID:	1582689
MD5:	2c832dc5f84a0437cc5c4869ffc21648
SHA1:	ca494cde7576e0eb7035b2368971fb151e652b12
SHA256:	d9cfe4c08b2f71b517ba47fe43f8825085b0f4cf9b8e8627ee40e54ec9f6bb05
Tags:	exeFormbookuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates processes with suspicious names

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe (PID: 7624 cmdline: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe" MD5: 2C832DC5F84A0437CC5C4869FFC21648)

retrofit.exe (PID: 7684 cmdline: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe" MD5: 2C832DC5F84A0437CC5C4869FFC21648)

svchost.exe (PID: 7724 cmdline: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

wscript.exe (PID: 7812 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retrofit.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

retrofit.exe (PID: 7860 cmdline: "C:\Users\user\AppData\Local\hypopygidium\retrofit.exe" MD5: 2C832DC5F84A0437CC5C4869FFC21648)

svchost.exe (PID: 7920 cmdline: "C:\Users\user\AppData\Local\hypopygidium\retrofit.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.1908281730.0000000002B40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.2008452617.0000000003B50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1908052139.0000000000210000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.2007834256.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author
7.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
7.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.svchost.exe.210000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.svchost.exe.210000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retrofit.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retrofit.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retrofit.vbs" , ProcessId: 7812, ProcessName: wscript.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", CommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", CommandLine|base64offset|contains: N !, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", ParentImage: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe, ParentProcessId: 7684, ParentProcessName: retrofit.exe, ProcessCommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", ProcessId: 7724, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retrofit.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retrofit.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retrofit.vbs" , ProcessId: 7812, ProcessName: wscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", CommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", CommandLine|base64offset|contains: N !, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", ParentImage: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe, ParentProcessId: 7684, ParentProcessName: retrofit.exe, ProcessCommandLine: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe", ProcessId: 7724, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe, ProcessId: 7684, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retrofit.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Virustotal: Detection: 40%			Perma Link

Multi AV Scanner detection for submitted file

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Virustotal: Detection: 40%			Perma Link
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	ReversingLabs: Detection: 39%

Yara detected FormBook

Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1908281730.0000000002B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2008452617.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1908052139.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2007834256.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Joe Sandbox ML: detected

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: retrofit.exe, 00000002.00000003.1388938901.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, retrofit.exe, 00000002.00000003.1392040286.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1908330271.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1908330271.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1871088725.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1868567699.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, retrofit.exe, 00000005.00000003.1522898313.0000000003590000.00000004.00001000.00020000.00000000.sdmp, retrofit.exe, 00000005.00000003.1523441831.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2008159261.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1973709193.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1975653817.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2008159261.0000000003800000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: retrofit.exe, 00000002.00000003.1388938901.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, retrofit.exe, 00000002.00000003.1392040286.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.1908330271.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1908330271.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1871088725.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1868567699.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, retrofit.exe, 00000005.00000003.1522898313.0000000003590000.00000004.00001000.00020000.00000000.sdmp, retrofit.exe, 00000005.00000003.1523441831.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2008159261.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1973709193.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1975653817.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2008159261.0000000003800000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009C445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009C445A
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009CC6D1 FindFirstFileW,FindClose,	0_2_009CC6D1
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_009CC75C
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009CEF95
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009CF0F2
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009CF3F3
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009C37EF
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009C3B12
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009CBCBC
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0086445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0086445A
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0086C6D1 FindFirstFileW,FindClose,	2_2_0086C6D1
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0086C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0086C75C
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0086EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0086EF95
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0086F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0086F0F2
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0086F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0086F3F3
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_008637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_008637EF
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00863B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00863B12
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0086BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0086BCBC

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009D22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_009D22EE

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009D4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_009D4164

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009D4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_009D4164
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00874164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_00874164

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009D3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_009D3F66

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009C001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_009C001C

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009ECABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_009ECABC
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0088CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_0088CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1908281730.0000000002B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2008452617.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1908052139.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2007834256.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00963B3A
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f763d211-9
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_f1f0677b-9
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000003.1369995094.0000000003533000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e64c9f4a-6
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000003.1369995094.0000000003533000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_1afc51cc-0
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: This is a third-party compiled AutoIt script.	2_2_00803B3A
Source: retrofit.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: retrofit.exe, 00000002.00000002.1392966069.00000000008B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b2890801-2
Source: retrofit.exe, 00000002.00000002.1392966069.00000000008B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_af8f7f39-6
Source: retrofit.exe, 00000005.00000002.1534536807.00000000008B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_99d2aa3d-c
Source: retrofit.exe, 00000005.00000002.1534536807.00000000008B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_dacc8faf-8
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_738eeead-b
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_6feab213-c
Source: retrofit.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_48488fd6-3
Source: retrofit.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_89805165-6

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0023C613 NtClose,	3_2_0023C613
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72B60 NtClose,LdrInitializeThunk,	3_2_02E72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_02E72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E735C0 NtCreateMutant,LdrInitializeThunk,	3_2_02E735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E74340 NtSetContextThread,	3_2_02E74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E74650 NtSuspendThread,	3_2_02E74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72AF0 NtWriteFile,	3_2_02E72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72AD0 NtReadFile,	3_2_02E72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72AB0 NtWaitForSingleObject,	3_2_02E72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72BE0 NtQueryValueKey,	3_2_02E72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72BF0 NtAllocateVirtualMemory,	3_2_02E72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72BA0 NtEnumerateValueKey,	3_2_02E72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72B80 NtQueryInformationFile,	3_2_02E72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72EE0 NtQueueApcThread,	3_2_02E72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72EA0 NtAdjustPrivilegesToken,	3_2_02E72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72E80 NtReadVirtualMemory,	3_2_02E72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72E30 NtWriteVirtualMemory,	3_2_02E72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72FE0 NtCreateFile,	3_2_02E72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72FA0 NtQuerySection,	3_2_02E72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72FB0 NtResumeThread,	3_2_02E72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72F90 NtProtectVirtualMemory,	3_2_02E72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72F60 NtCreateProcessEx,	3_2_02E72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72F30 NtCreateSection,	3_2_02E72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72CF0 NtOpenProcess,	3_2_02E72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72CC0 NtQueryVirtualMemory,	3_2_02E72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72CA0 NtQueryInformationToken,	3_2_02E72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72C60 NtCreateKey,	3_2_02E72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72C70 NtFreeVirtualMemory,	3_2_02E72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72C00 NtQueryInformationProcess,	3_2_02E72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72DD0 NtDelayExecution,	3_2_02E72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72DB0 NtEnumerateKey,	3_2_02E72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72D30 NtUnmapViewOfSection,	3_2_02E72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72D00 NtSetInformationFile,	3_2_02E72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72D10 NtMapViewOfSection,	3_2_02E72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E73090 NtSetValueKey,	3_2_02E73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E73010 NtOpenDirectoryObject,	3_2_02E73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E739B0 NtGetContextThread,	3_2_02E739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E73D70 NtOpenThread,	3_2_02E73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E73D10 NtOpenProcessToken,	3_2_02E73D10

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009CA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_009CA1EF

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009B8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_009B8310

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009C51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_009C51BD
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_008651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_008651BD

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0096E6A0	0_2_0096E6A0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0098D975	0_2_0098D975
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0096FCE0	0_2_0096FCE0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009821C5	0_2_009821C5
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009962D2	0_2_009962D2
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009E03DA	0_2_009E03DA
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0099242E	0_2_0099242E
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009825FA	0_2_009825FA
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009766E1	0_2_009766E1
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009BE616	0_2_009BE616
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0099878F	0_2_0099878F
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009C8889	0_2_009C8889
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00978808	0_2_00978808
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009E0857	0_2_009E0857
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00996844	0_2_00996844
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0098CB21	0_2_0098CB21
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00996DB6	0_2_00996DB6
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00976F9E	0_2_00976F9E
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00973030	0_2_00973030
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00983187	0_2_00983187
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0098F1D9	0_2_0098F1D9
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00961287	0_2_00961287
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00981484	0_2_00981484
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00975520	0_2_00975520
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00987696	0_2_00987696
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00975760	0_2_00975760
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00981978	0_2_00981978
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00999AB5	0_2_00999AB5
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00981D90	0_2_00981D90
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0098BDA6	0_2_0098BDA6
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009E7DDB	0_2_009E7DDB
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00973FE0	0_2_00973FE0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0096DF00	0_2_0096DF00
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01803680	0_2_01803680
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0080E6A0	2_2_0080E6A0
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0082D975	2_2_0082D975
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0080FCE0	2_2_0080FCE0
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_008221C5	2_2_008221C5
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_008362D2	2_2_008362D2
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_008803DA	2_2_008803DA
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0083242E	2_2_0083242E
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_008225FA	2_2_008225FA
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_008166E1	2_2_008166E1
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0085E616	2_2_0085E616
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0083878F	2_2_0083878F
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00868889	2_2_00868889
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00818808	2_2_00818808
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00836844	2_2_00836844
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00880857	2_2_00880857
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0082CB21	2_2_0082CB21
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00836DB6	2_2_00836DB6
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00816F9E	2_2_00816F9E
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00813030	2_2_00813030
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00823187	2_2_00823187
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0082F1D9	2_2_0082F1D9
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00801287	2_2_00801287
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00821484	2_2_00821484
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00815520	2_2_00815520
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00827696	2_2_00827696
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00815760	2_2_00815760
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00821978	2_2_00821978
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00839AB5	2_2_00839AB5
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00821D90	2_2_00821D90
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0082BDA6	2_2_0082BDA6
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00887DDB	2_2_00887DDB
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00813FE0	2_2_00813FE0
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0080DF00	2_2_0080DF00
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_010E3680	2_2_010E3680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00220033	3_2_00220033
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0021E0B3	3_2_0021E0B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0021290C	3_2_0021290C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00212910	3_2_00212910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002111D0	3_2_002111D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00213240	3_2_00213240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0021E28B	3_2_0021E28B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0023EC33	3_2_0023EC33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00211CE0	3_2_00211CE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00212DA0	3_2_00212DA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002125A0	3_2_002125A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0021259B	3_2_0021259B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00212D9D	3_2_00212D9D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002145E4	3_2_002145E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0021FE0A	3_2_0021FE0A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0021FE13	3_2_0021FE13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00211E73	3_2_00211E73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002267BF	3_2_002267BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002267C3	3_2_002267C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC02C0	3_2_02EC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE0274	3_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E4E3F0	3_2_02E4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F003E6	3_2_02F003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EFA352	3_2_02EFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED2000	3_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF81CC	3_2_02EF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF41A2	3_2_02EF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F001AA	3_2_02F001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC8158	3_2_02EC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E30100	3_2_02E30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDA118	3_2_02EDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5C6E0	3_2_02E5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3C7C0	3_2_02E3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40770	3_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E64750	3_2_02E64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EEE4F6	3_2_02EEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF2446	3_2_02EF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE4420	3_2_02EE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F00591	3_2_02F00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40535	3_2_02E40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3EA80	3_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF6BD7	3_2_02EF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EFAB40	3_2_02EFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6E8F0	3_2_02E6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E268B8	3_2_02E268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E4A840	3_2_02E4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E42840	3_2_02E42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E429A0	3_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F0A9A6	3_2_02F0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E56962	3_2_02E56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EFEEDB	3_2_02EFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E52E90	3_2_02E52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EFCE93	3_2_02EFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40E59	3_2_02E40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EFEE26	3_2_02EFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E4CFE0	3_2_02E4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E32FC8	3_2_02E32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EBEFA0	3_2_02EBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB4F40	3_2_02EB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E82F28	3_2_02E82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E60F30	3_2_02E60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE2F30	3_2_02EE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E30CF2	3_2_02E30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE0CB5	3_2_02EE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40C00	3_2_02E40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3ADE0	3_2_02E3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E58DBF	3_2_02E58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E4AD00	3_2_02E4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDCD1F	3_2_02EDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE12ED	3_2_02EE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5B2C0	3_2_02E5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E452A0	3_2_02E452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E8739A	3_2_02E8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2D34C	3_2_02E2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF132D	3_2_02EF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF70E9	3_2_02EF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EFF0E0	3_2_02EFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EEF0CC	3_2_02EEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E470C0	3_2_02E470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E4B1B0	3_2_02E4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E7516C	3_2_02E7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2F172	3_2_02E2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F0B16B	3_2_02F0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF16CC	3_2_02EF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E85630	3_2_02E85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EFF7B0	3_2_02EFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E31460	3_2_02E31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EFF43F	3_2_02EFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F095C3	3_2_02F095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDD5B0	3_2_02EDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF7571	3_2_02EF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EEDAC6	3_2_02EEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDDAAC	3_2_02EDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E85AA0	3_2_02E85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE1AA3	3_2_02EE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB3A6C	3_2_02EB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EFFA49	3_2_02EFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF7A46	3_2_02EF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB5BF0	3_2_02EB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E7DBF9	3_2_02E7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5FB80	3_2_02E5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EFFB76	3_2_02EFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E438E0	3_2_02E438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAD800	3_2_02EAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E49950	3_2_02E49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5B950	3_2_02E5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED5910	3_2_02ED5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E49EB0	3_2_02E49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EFFFB1	3_2_02EFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E41F92	3_2_02E41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EFFF09	3_2_02EFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EFFCF2	3_2_02EFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB9C32	3_2_02EB9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5FDC0	3_2_02E5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF7D73	3_2_02EF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E43D40	3_2_02E43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF1D5A	3_2_02EF1D5A

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02E75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02E2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02EAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02E87E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02EBF290 appears 105 times
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: String function: 00980AE3 appears 70 times
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: String function: 00967DE1 appears 35 times
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: String function: 00988900 appears 42 times
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: String function: 00828900 appears 42 times
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: String function: 00807DE1 appears 35 times
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: String function: 00820AE3 appears 70 times

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@10/10@0/0

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009CA06A GetLastError,FormatMessageW,

0_2_009CA06A

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009B81CB AdjustTokenPrivileges,CloseHandle,	0_2_009B81CB
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009B87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_009B87E1
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_008581CB AdjustTokenPrivileges,CloseHandle,	2_2_008581CB
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_008587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_008587E1

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009CB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009CB3FB

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009DEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_009DEE0D

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009CC397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_009CC397

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_00964E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00964E89

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

File created: C:\Users\user\AppData\Local\hypopygidium

Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

File created: C:\Users\user\AppData\Local\Temp\aut21E2.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retrofit.vbs"

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Virustotal: Detection: 40%
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

File read: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Process created: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retrofit.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe "C:\Users\user\AppData\Local\hypopygidium\retrofit.exe"
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\hypopygidium\retrofit.exe"
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Process created: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe "C:\Users\user\AppData\Local\hypopygidium\retrofit.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\hypopygidium\retrofit.exe"	Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Static file information: File size 1181184 > 1048576

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: retrofit.exe, 00000002.00000003.1388938901.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, retrofit.exe, 00000002.00000003.1392040286.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1908330271.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1908330271.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1871088725.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1868567699.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, retrofit.exe, 00000005.00000003.1522898313.0000000003590000.00000004.00001000.00020000.00000000.sdmp, retrofit.exe, 00000005.00000003.1523441831.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2008159261.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1973709193.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1975653817.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2008159261.0000000003800000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: retrofit.exe, 00000002.00000003.1388938901.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, retrofit.exe, 00000002.00000003.1392040286.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.1908330271.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1908330271.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1871088725.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1868567699.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, retrofit.exe, 00000005.00000003.1522898313.0000000003590000.00000004.00001000.00020000.00000000.sdmp, retrofit.exe, 00000005.00000003.1523441831.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2008159261.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1973709193.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1975653817.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2008159261.0000000003800000.00000040.00001000.00020000.00000000.sdmp

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_00964B37 LoadLibraryA,GetProcAddress,

0_2_00964B37

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_00988945 push ecx; ret	0_2_00988958
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00828945 push ecx; ret	2_2_00828958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00233946 push 0000002Ch; retf	3_2_00233948
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0022E9A4 push ecx; retf	3_2_0022E9A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00221B63 push es; iretd	3_2_00221B64
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00217C3D pushad ; retf	3_2_00217C48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0022EC7E push cs; iretd	3_2_0022EC7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0022F4C2 push ecx; iretd	3_2_0022F4C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002134C0 push eax; ret	3_2_002134C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00228EE6 push es; iretd	3_2_00228EE7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0021879B push 00000062h; retf	3_2_002187A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0021D7D7 push eax; ret	3_2_0021D7DC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E309AD push ecx; mov dword ptr [esp], ecx	3_2_02E309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E01368 push eax; iretd	3_2_02E01369

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	File created: \commercail invoice and dhl awb tracking details.exe
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	File created: \commercail invoice and dhl awb tracking details.exe			Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

File created: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retrofit.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retrofit.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retrofit.vbs

Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_009648D7
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009E5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_009E5376
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_008048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_008048D7
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00885376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00885376

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_00983187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00983187

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	API/Special instruction interceptor: Address: 10E32A4
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	API/Special instruction interceptor: Address: C432A4

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_02E7096E rdtsc

3_2_02E7096E

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	API coverage: 5.0 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 7728	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7924	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009C445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009C445A
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009CC6D1 FindFirstFileW,FindClose,	0_2_009CC6D1
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_009CC75C
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009CEF95
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009CF0F2
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009CF3F3
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009C37EF
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009C3B12
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009CBCBC
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0086445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0086445A
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0086C6D1 FindFirstFileW,FindClose,	2_2_0086C6D1
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0086C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0086C75C
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0086EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0086EF95
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0086F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0086F0F2
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0086F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0086F3F3
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_008637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_008637EF
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00863B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00863B12
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0086BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0086BCBC

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009649A0

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	API call chain: ExitProcess graph end node	graph_0-104554
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	API call chain: ExitProcess graph end node	graph_0-104653
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_02E7096E rdtsc

3_2_02E7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_00227713 LdrLoadDll,

3_2_00227713

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009D3F09 BlockInput,

0_2_009D3F09

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_00963B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00963B3A

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_00995A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00995A7C

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_00964B37 LoadLibraryA,GetProcAddress,

0_2_00964B37

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01803510 mov eax, dword ptr fs:[00000030h]	0_2_01803510
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01803570 mov eax, dword ptr fs:[00000030h]	0_2_01803570
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_01801EB0 mov eax, dword ptr fs:[00000030h]	0_2_01801EB0
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_010E3510 mov eax, dword ptr fs:[00000030h]	2_2_010E3510
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_010E3570 mov eax, dword ptr fs:[00000030h]	2_2_010E3570
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_010E1EB0 mov eax, dword ptr fs:[00000030h]	2_2_010E1EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E402E1 mov eax, dword ptr fs:[00000030h]	3_2_02E402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E402E1 mov eax, dword ptr fs:[00000030h]	3_2_02E402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E402E1 mov eax, dword ptr fs:[00000030h]	3_2_02E402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02E3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02E3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02E3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02E3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02E3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F062D6 mov eax, dword ptr fs:[00000030h]	3_2_02F062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E402A0 mov eax, dword ptr fs:[00000030h]	3_2_02E402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E402A0 mov eax, dword ptr fs:[00000030h]	3_2_02E402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC62A0 mov eax, dword ptr fs:[00000030h]	3_2_02EC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC62A0 mov ecx, dword ptr fs:[00000030h]	3_2_02EC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC62A0 mov eax, dword ptr fs:[00000030h]	3_2_02EC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC62A0 mov eax, dword ptr fs:[00000030h]	3_2_02EC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC62A0 mov eax, dword ptr fs:[00000030h]	3_2_02EC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC62A0 mov eax, dword ptr fs:[00000030h]	3_2_02EC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6E284 mov eax, dword ptr fs:[00000030h]	3_2_02E6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6E284 mov eax, dword ptr fs:[00000030h]	3_2_02E6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB0283 mov eax, dword ptr fs:[00000030h]	3_2_02EB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB0283 mov eax, dword ptr fs:[00000030h]	3_2_02EB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB0283 mov eax, dword ptr fs:[00000030h]	3_2_02EB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E34260 mov eax, dword ptr fs:[00000030h]	3_2_02E34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E34260 mov eax, dword ptr fs:[00000030h]	3_2_02E34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E34260 mov eax, dword ptr fs:[00000030h]	3_2_02E34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2826B mov eax, dword ptr fs:[00000030h]	3_2_02E2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE0274 mov eax, dword ptr fs:[00000030h]	3_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE0274 mov eax, dword ptr fs:[00000030h]	3_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE0274 mov eax, dword ptr fs:[00000030h]	3_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE0274 mov eax, dword ptr fs:[00000030h]	3_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE0274 mov eax, dword ptr fs:[00000030h]	3_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE0274 mov eax, dword ptr fs:[00000030h]	3_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE0274 mov eax, dword ptr fs:[00000030h]	3_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE0274 mov eax, dword ptr fs:[00000030h]	3_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE0274 mov eax, dword ptr fs:[00000030h]	3_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE0274 mov eax, dword ptr fs:[00000030h]	3_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE0274 mov eax, dword ptr fs:[00000030h]	3_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE0274 mov eax, dword ptr fs:[00000030h]	3_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB8243 mov eax, dword ptr fs:[00000030h]	3_2_02EB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB8243 mov ecx, dword ptr fs:[00000030h]	3_2_02EB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F0625D mov eax, dword ptr fs:[00000030h]	3_2_02F0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2A250 mov eax, dword ptr fs:[00000030h]	3_2_02E2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E36259 mov eax, dword ptr fs:[00000030h]	3_2_02E36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EEA250 mov eax, dword ptr fs:[00000030h]	3_2_02EEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EEA250 mov eax, dword ptr fs:[00000030h]	3_2_02EEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2823B mov eax, dword ptr fs:[00000030h]	3_2_02E2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E403E9 mov eax, dword ptr fs:[00000030h]	3_2_02E403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E403E9 mov eax, dword ptr fs:[00000030h]	3_2_02E403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E403E9 mov eax, dword ptr fs:[00000030h]	3_2_02E403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E403E9 mov eax, dword ptr fs:[00000030h]	3_2_02E403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E403E9 mov eax, dword ptr fs:[00000030h]	3_2_02E403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E403E9 mov eax, dword ptr fs:[00000030h]	3_2_02E403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E403E9 mov eax, dword ptr fs:[00000030h]	3_2_02E403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E403E9 mov eax, dword ptr fs:[00000030h]	3_2_02E403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E4E3F0 mov eax, dword ptr fs:[00000030h]	3_2_02E4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E4E3F0 mov eax, dword ptr fs:[00000030h]	3_2_02E4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E4E3F0 mov eax, dword ptr fs:[00000030h]	3_2_02E4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E663FF mov eax, dword ptr fs:[00000030h]	3_2_02E663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EEC3CD mov eax, dword ptr fs:[00000030h]	3_2_02EEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02E3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02E3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02E3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02E3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02E3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02E3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E383C0 mov eax, dword ptr fs:[00000030h]	3_2_02E383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E383C0 mov eax, dword ptr fs:[00000030h]	3_2_02E383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E383C0 mov eax, dword ptr fs:[00000030h]	3_2_02E383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E383C0 mov eax, dword ptr fs:[00000030h]	3_2_02E383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB63C0 mov eax, dword ptr fs:[00000030h]	3_2_02EB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDE3DB mov eax, dword ptr fs:[00000030h]	3_2_02EDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDE3DB mov eax, dword ptr fs:[00000030h]	3_2_02EDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDE3DB mov ecx, dword ptr fs:[00000030h]	3_2_02EDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDE3DB mov eax, dword ptr fs:[00000030h]	3_2_02EDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED43D4 mov eax, dword ptr fs:[00000030h]	3_2_02ED43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED43D4 mov eax, dword ptr fs:[00000030h]	3_2_02ED43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2E388 mov eax, dword ptr fs:[00000030h]	3_2_02E2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2E388 mov eax, dword ptr fs:[00000030h]	3_2_02E2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2E388 mov eax, dword ptr fs:[00000030h]	3_2_02E2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5438F mov eax, dword ptr fs:[00000030h]	3_2_02E5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5438F mov eax, dword ptr fs:[00000030h]	3_2_02E5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E28397 mov eax, dword ptr fs:[00000030h]	3_2_02E28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E28397 mov eax, dword ptr fs:[00000030h]	3_2_02E28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E28397 mov eax, dword ptr fs:[00000030h]	3_2_02E28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED437C mov eax, dword ptr fs:[00000030h]	3_2_02ED437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB2349 mov eax, dword ptr fs:[00000030h]	3_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB2349 mov eax, dword ptr fs:[00000030h]	3_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB2349 mov eax, dword ptr fs:[00000030h]	3_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB2349 mov eax, dword ptr fs:[00000030h]	3_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB2349 mov eax, dword ptr fs:[00000030h]	3_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB2349 mov eax, dword ptr fs:[00000030h]	3_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB2349 mov eax, dword ptr fs:[00000030h]	3_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB2349 mov eax, dword ptr fs:[00000030h]	3_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB2349 mov eax, dword ptr fs:[00000030h]	3_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB2349 mov eax, dword ptr fs:[00000030h]	3_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB2349 mov eax, dword ptr fs:[00000030h]	3_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB2349 mov eax, dword ptr fs:[00000030h]	3_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB2349 mov eax, dword ptr fs:[00000030h]	3_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB2349 mov eax, dword ptr fs:[00000030h]	3_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB2349 mov eax, dword ptr fs:[00000030h]	3_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB035C mov eax, dword ptr fs:[00000030h]	3_2_02EB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB035C mov eax, dword ptr fs:[00000030h]	3_2_02EB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB035C mov eax, dword ptr fs:[00000030h]	3_2_02EB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB035C mov ecx, dword ptr fs:[00000030h]	3_2_02EB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB035C mov eax, dword ptr fs:[00000030h]	3_2_02EB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB035C mov eax, dword ptr fs:[00000030h]	3_2_02EB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EFA352 mov eax, dword ptr fs:[00000030h]	3_2_02EFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED8350 mov ecx, dword ptr fs:[00000030h]	3_2_02ED8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F0634F mov eax, dword ptr fs:[00000030h]	3_2_02F0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F08324 mov eax, dword ptr fs:[00000030h]	3_2_02F08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F08324 mov ecx, dword ptr fs:[00000030h]	3_2_02F08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F08324 mov eax, dword ptr fs:[00000030h]	3_2_02F08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F08324 mov eax, dword ptr fs:[00000030h]	3_2_02F08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6A30B mov eax, dword ptr fs:[00000030h]	3_2_02E6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6A30B mov eax, dword ptr fs:[00000030h]	3_2_02E6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6A30B mov eax, dword ptr fs:[00000030h]	3_2_02E6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2C310 mov ecx, dword ptr fs:[00000030h]	3_2_02E2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E50310 mov ecx, dword ptr fs:[00000030h]	3_2_02E50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2A0E3 mov ecx, dword ptr fs:[00000030h]	3_2_02E2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E380E9 mov eax, dword ptr fs:[00000030h]	3_2_02E380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB60E0 mov eax, dword ptr fs:[00000030h]	3_2_02EB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2C0F0 mov eax, dword ptr fs:[00000030h]	3_2_02E2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E720F0 mov ecx, dword ptr fs:[00000030h]	3_2_02E720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB20DE mov eax, dword ptr fs:[00000030h]	3_2_02EB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E280A0 mov eax, dword ptr fs:[00000030h]	3_2_02E280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC80A8 mov eax, dword ptr fs:[00000030h]	3_2_02EC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF60B8 mov eax, dword ptr fs:[00000030h]	3_2_02EF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF60B8 mov ecx, dword ptr fs:[00000030h]	3_2_02EF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3208A mov eax, dword ptr fs:[00000030h]	3_2_02E3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5C073 mov eax, dword ptr fs:[00000030h]	3_2_02E5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E32050 mov eax, dword ptr fs:[00000030h]	3_2_02E32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB6050 mov eax, dword ptr fs:[00000030h]	3_2_02EB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2A020 mov eax, dword ptr fs:[00000030h]	3_2_02E2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2C020 mov eax, dword ptr fs:[00000030h]	3_2_02E2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC6030 mov eax, dword ptr fs:[00000030h]	3_2_02EC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB4000 mov ecx, dword ptr fs:[00000030h]	3_2_02EB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED2000 mov eax, dword ptr fs:[00000030h]	3_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED2000 mov eax, dword ptr fs:[00000030h]	3_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED2000 mov eax, dword ptr fs:[00000030h]	3_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED2000 mov eax, dword ptr fs:[00000030h]	3_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED2000 mov eax, dword ptr fs:[00000030h]	3_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED2000 mov eax, dword ptr fs:[00000030h]	3_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED2000 mov eax, dword ptr fs:[00000030h]	3_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED2000 mov eax, dword ptr fs:[00000030h]	3_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E4E016 mov eax, dword ptr fs:[00000030h]	3_2_02E4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E4E016 mov eax, dword ptr fs:[00000030h]	3_2_02E4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E4E016 mov eax, dword ptr fs:[00000030h]	3_2_02E4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E4E016 mov eax, dword ptr fs:[00000030h]	3_2_02E4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F061E5 mov eax, dword ptr fs:[00000030h]	3_2_02F061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E601F8 mov eax, dword ptr fs:[00000030h]	3_2_02E601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF61C3 mov eax, dword ptr fs:[00000030h]	3_2_02EF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF61C3 mov eax, dword ptr fs:[00000030h]	3_2_02EF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02EAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02EAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAE1D0 mov ecx, dword ptr fs:[00000030h]	3_2_02EAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02EAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02EAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E70185 mov eax, dword ptr fs:[00000030h]	3_2_02E70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EEC188 mov eax, dword ptr fs:[00000030h]	3_2_02EEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EEC188 mov eax, dword ptr fs:[00000030h]	3_2_02EEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED4180 mov eax, dword ptr fs:[00000030h]	3_2_02ED4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED4180 mov eax, dword ptr fs:[00000030h]	3_2_02ED4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB019F mov eax, dword ptr fs:[00000030h]	3_2_02EB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB019F mov eax, dword ptr fs:[00000030h]	3_2_02EB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB019F mov eax, dword ptr fs:[00000030h]	3_2_02EB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB019F mov eax, dword ptr fs:[00000030h]	3_2_02EB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2A197 mov eax, dword ptr fs:[00000030h]	3_2_02E2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2A197 mov eax, dword ptr fs:[00000030h]	3_2_02E2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2A197 mov eax, dword ptr fs:[00000030h]	3_2_02E2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F04164 mov eax, dword ptr fs:[00000030h]	3_2_02F04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F04164 mov eax, dword ptr fs:[00000030h]	3_2_02F04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC4144 mov eax, dword ptr fs:[00000030h]	3_2_02EC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC4144 mov eax, dword ptr fs:[00000030h]	3_2_02EC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC4144 mov ecx, dword ptr fs:[00000030h]	3_2_02EC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC4144 mov eax, dword ptr fs:[00000030h]	3_2_02EC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC4144 mov eax, dword ptr fs:[00000030h]	3_2_02EC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2C156 mov eax, dword ptr fs:[00000030h]	3_2_02E2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC8158 mov eax, dword ptr fs:[00000030h]	3_2_02EC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E36154 mov eax, dword ptr fs:[00000030h]	3_2_02E36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E36154 mov eax, dword ptr fs:[00000030h]	3_2_02E36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E60124 mov eax, dword ptr fs:[00000030h]	3_2_02E60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDE10E mov eax, dword ptr fs:[00000030h]	3_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDE10E mov ecx, dword ptr fs:[00000030h]	3_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDE10E mov eax, dword ptr fs:[00000030h]	3_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDE10E mov eax, dword ptr fs:[00000030h]	3_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDE10E mov ecx, dword ptr fs:[00000030h]	3_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDE10E mov eax, dword ptr fs:[00000030h]	3_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDE10E mov eax, dword ptr fs:[00000030h]	3_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDE10E mov ecx, dword ptr fs:[00000030h]	3_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDE10E mov eax, dword ptr fs:[00000030h]	3_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDE10E mov ecx, dword ptr fs:[00000030h]	3_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDA118 mov ecx, dword ptr fs:[00000030h]	3_2_02EDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDA118 mov eax, dword ptr fs:[00000030h]	3_2_02EDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDA118 mov eax, dword ptr fs:[00000030h]	3_2_02EDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDA118 mov eax, dword ptr fs:[00000030h]	3_2_02EDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF0115 mov eax, dword ptr fs:[00000030h]	3_2_02EF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02EAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02EAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02EAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02EAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB06F1 mov eax, dword ptr fs:[00000030h]	3_2_02EB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB06F1 mov eax, dword ptr fs:[00000030h]	3_2_02EB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6A6C7 mov ebx, dword ptr fs:[00000030h]	3_2_02E6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6A6C7 mov eax, dword ptr fs:[00000030h]	3_2_02E6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6C6A6 mov eax, dword ptr fs:[00000030h]	3_2_02E6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E666B0 mov eax, dword ptr fs:[00000030h]	3_2_02E666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E34690 mov eax, dword ptr fs:[00000030h]	3_2_02E34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E34690 mov eax, dword ptr fs:[00000030h]	3_2_02E34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF866E mov eax, dword ptr fs:[00000030h]	3_2_02EF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF866E mov eax, dword ptr fs:[00000030h]	3_2_02EF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6A660 mov eax, dword ptr fs:[00000030h]	3_2_02E6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6A660 mov eax, dword ptr fs:[00000030h]	3_2_02E6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E62674 mov eax, dword ptr fs:[00000030h]	3_2_02E62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E4C640 mov eax, dword ptr fs:[00000030h]	3_2_02E4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E4E627 mov eax, dword ptr fs:[00000030h]	3_2_02E4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E66620 mov eax, dword ptr fs:[00000030h]	3_2_02E66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E68620 mov eax, dword ptr fs:[00000030h]	3_2_02E68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3262C mov eax, dword ptr fs:[00000030h]	3_2_02E3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAE609 mov eax, dword ptr fs:[00000030h]	3_2_02EAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72619 mov eax, dword ptr fs:[00000030h]	3_2_02E72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E527ED mov eax, dword ptr fs:[00000030h]	3_2_02E527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E527ED mov eax, dword ptr fs:[00000030h]	3_2_02E527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E527ED mov eax, dword ptr fs:[00000030h]	3_2_02E527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EBE7E1 mov eax, dword ptr fs:[00000030h]	3_2_02EBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E347FB mov eax, dword ptr fs:[00000030h]	3_2_02E347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E347FB mov eax, dword ptr fs:[00000030h]	3_2_02E347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3C7C0 mov eax, dword ptr fs:[00000030h]	3_2_02E3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB07C3 mov eax, dword ptr fs:[00000030h]	3_2_02EB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E307AF mov eax, dword ptr fs:[00000030h]	3_2_02E307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE47A0 mov eax, dword ptr fs:[00000030h]	3_2_02EE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED678E mov eax, dword ptr fs:[00000030h]	3_2_02ED678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E38770 mov eax, dword ptr fs:[00000030h]	3_2_02E38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40770 mov eax, dword ptr fs:[00000030h]	3_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40770 mov eax, dword ptr fs:[00000030h]	3_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40770 mov eax, dword ptr fs:[00000030h]	3_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40770 mov eax, dword ptr fs:[00000030h]	3_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40770 mov eax, dword ptr fs:[00000030h]	3_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40770 mov eax, dword ptr fs:[00000030h]	3_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40770 mov eax, dword ptr fs:[00000030h]	3_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40770 mov eax, dword ptr fs:[00000030h]	3_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40770 mov eax, dword ptr fs:[00000030h]	3_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40770 mov eax, dword ptr fs:[00000030h]	3_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40770 mov eax, dword ptr fs:[00000030h]	3_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40770 mov eax, dword ptr fs:[00000030h]	3_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6674D mov esi, dword ptr fs:[00000030h]	3_2_02E6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6674D mov eax, dword ptr fs:[00000030h]	3_2_02E6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6674D mov eax, dword ptr fs:[00000030h]	3_2_02E6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E30750 mov eax, dword ptr fs:[00000030h]	3_2_02E30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EBE75D mov eax, dword ptr fs:[00000030h]	3_2_02EBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72750 mov eax, dword ptr fs:[00000030h]	3_2_02E72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E72750 mov eax, dword ptr fs:[00000030h]	3_2_02E72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB4755 mov eax, dword ptr fs:[00000030h]	3_2_02EB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6C720 mov eax, dword ptr fs:[00000030h]	3_2_02E6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6C720 mov eax, dword ptr fs:[00000030h]	3_2_02E6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6273C mov eax, dword ptr fs:[00000030h]	3_2_02E6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6273C mov ecx, dword ptr fs:[00000030h]	3_2_02E6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6273C mov eax, dword ptr fs:[00000030h]	3_2_02E6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAC730 mov eax, dword ptr fs:[00000030h]	3_2_02EAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6C700 mov eax, dword ptr fs:[00000030h]	3_2_02E6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E30710 mov eax, dword ptr fs:[00000030h]	3_2_02E30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E60710 mov eax, dword ptr fs:[00000030h]	3_2_02E60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E304E5 mov ecx, dword ptr fs:[00000030h]	3_2_02E304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E364AB mov eax, dword ptr fs:[00000030h]	3_2_02E364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E644B0 mov ecx, dword ptr fs:[00000030h]	3_2_02E644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EBA4B0 mov eax, dword ptr fs:[00000030h]	3_2_02EBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EEA49A mov eax, dword ptr fs:[00000030h]	3_2_02EEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EBC460 mov ecx, dword ptr fs:[00000030h]	3_2_02EBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5A470 mov eax, dword ptr fs:[00000030h]	3_2_02E5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5A470 mov eax, dword ptr fs:[00000030h]	3_2_02E5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5A470 mov eax, dword ptr fs:[00000030h]	3_2_02E5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6E443 mov eax, dword ptr fs:[00000030h]	3_2_02E6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6E443 mov eax, dword ptr fs:[00000030h]	3_2_02E6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6E443 mov eax, dword ptr fs:[00000030h]	3_2_02E6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6E443 mov eax, dword ptr fs:[00000030h]	3_2_02E6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6E443 mov eax, dword ptr fs:[00000030h]	3_2_02E6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6E443 mov eax, dword ptr fs:[00000030h]	3_2_02E6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6E443 mov eax, dword ptr fs:[00000030h]	3_2_02E6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6E443 mov eax, dword ptr fs:[00000030h]	3_2_02E6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EEA456 mov eax, dword ptr fs:[00000030h]	3_2_02EEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2645D mov eax, dword ptr fs:[00000030h]	3_2_02E2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5245A mov eax, dword ptr fs:[00000030h]	3_2_02E5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2E420 mov eax, dword ptr fs:[00000030h]	3_2_02E2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2E420 mov eax, dword ptr fs:[00000030h]	3_2_02E2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2E420 mov eax, dword ptr fs:[00000030h]	3_2_02E2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2C427 mov eax, dword ptr fs:[00000030h]	3_2_02E2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB6420 mov eax, dword ptr fs:[00000030h]	3_2_02EB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB6420 mov eax, dword ptr fs:[00000030h]	3_2_02EB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB6420 mov eax, dword ptr fs:[00000030h]	3_2_02EB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB6420 mov eax, dword ptr fs:[00000030h]	3_2_02EB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB6420 mov eax, dword ptr fs:[00000030h]	3_2_02EB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB6420 mov eax, dword ptr fs:[00000030h]	3_2_02EB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB6420 mov eax, dword ptr fs:[00000030h]	3_2_02EB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6A430 mov eax, dword ptr fs:[00000030h]	3_2_02E6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E68402 mov eax, dword ptr fs:[00000030h]	3_2_02E68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E68402 mov eax, dword ptr fs:[00000030h]	3_2_02E68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E68402 mov eax, dword ptr fs:[00000030h]	3_2_02E68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_02E5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_02E5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_02E5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_02E5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_02E5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_02E5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_02E5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_02E5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E325E0 mov eax, dword ptr fs:[00000030h]	3_2_02E325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6C5ED mov eax, dword ptr fs:[00000030h]	3_2_02E6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6C5ED mov eax, dword ptr fs:[00000030h]	3_2_02E6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6E5CF mov eax, dword ptr fs:[00000030h]	3_2_02E6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6E5CF mov eax, dword ptr fs:[00000030h]	3_2_02E6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E365D0 mov eax, dword ptr fs:[00000030h]	3_2_02E365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6A5D0 mov eax, dword ptr fs:[00000030h]	3_2_02E6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6A5D0 mov eax, dword ptr fs:[00000030h]	3_2_02E6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB05A7 mov eax, dword ptr fs:[00000030h]	3_2_02EB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB05A7 mov eax, dword ptr fs:[00000030h]	3_2_02EB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB05A7 mov eax, dword ptr fs:[00000030h]	3_2_02EB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E545B1 mov eax, dword ptr fs:[00000030h]	3_2_02E545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E545B1 mov eax, dword ptr fs:[00000030h]	3_2_02E545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E32582 mov eax, dword ptr fs:[00000030h]	3_2_02E32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E32582 mov ecx, dword ptr fs:[00000030h]	3_2_02E32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E64588 mov eax, dword ptr fs:[00000030h]	3_2_02E64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6E59C mov eax, dword ptr fs:[00000030h]	3_2_02E6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6656A mov eax, dword ptr fs:[00000030h]	3_2_02E6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6656A mov eax, dword ptr fs:[00000030h]	3_2_02E6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6656A mov eax, dword ptr fs:[00000030h]	3_2_02E6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E38550 mov eax, dword ptr fs:[00000030h]	3_2_02E38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E38550 mov eax, dword ptr fs:[00000030h]	3_2_02E38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40535 mov eax, dword ptr fs:[00000030h]	3_2_02E40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40535 mov eax, dword ptr fs:[00000030h]	3_2_02E40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40535 mov eax, dword ptr fs:[00000030h]	3_2_02E40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40535 mov eax, dword ptr fs:[00000030h]	3_2_02E40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40535 mov eax, dword ptr fs:[00000030h]	3_2_02E40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40535 mov eax, dword ptr fs:[00000030h]	3_2_02E40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5E53E mov eax, dword ptr fs:[00000030h]	3_2_02E5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5E53E mov eax, dword ptr fs:[00000030h]	3_2_02E5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5E53E mov eax, dword ptr fs:[00000030h]	3_2_02E5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5E53E mov eax, dword ptr fs:[00000030h]	3_2_02E5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5E53E mov eax, dword ptr fs:[00000030h]	3_2_02E5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC6500 mov eax, dword ptr fs:[00000030h]	3_2_02EC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F04500 mov eax, dword ptr fs:[00000030h]	3_2_02F04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F04500 mov eax, dword ptr fs:[00000030h]	3_2_02F04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F04500 mov eax, dword ptr fs:[00000030h]	3_2_02F04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F04500 mov eax, dword ptr fs:[00000030h]	3_2_02F04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F04500 mov eax, dword ptr fs:[00000030h]	3_2_02F04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F04500 mov eax, dword ptr fs:[00000030h]	3_2_02F04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F04500 mov eax, dword ptr fs:[00000030h]	3_2_02F04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6AAEE mov eax, dword ptr fs:[00000030h]	3_2_02E6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6AAEE mov eax, dword ptr fs:[00000030h]	3_2_02E6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E86ACC mov eax, dword ptr fs:[00000030h]	3_2_02E86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E86ACC mov eax, dword ptr fs:[00000030h]	3_2_02E86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E86ACC mov eax, dword ptr fs:[00000030h]	3_2_02E86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E30AD0 mov eax, dword ptr fs:[00000030h]	3_2_02E30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E64AD0 mov eax, dword ptr fs:[00000030h]	3_2_02E64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E64AD0 mov eax, dword ptr fs:[00000030h]	3_2_02E64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E38AA0 mov eax, dword ptr fs:[00000030h]	3_2_02E38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E38AA0 mov eax, dword ptr fs:[00000030h]	3_2_02E38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E86AA4 mov eax, dword ptr fs:[00000030h]	3_2_02E86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F04A80 mov eax, dword ptr fs:[00000030h]	3_2_02F04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E68A90 mov edx, dword ptr fs:[00000030h]	3_2_02E68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6CA6F mov eax, dword ptr fs:[00000030h]	3_2_02E6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6CA6F mov eax, dword ptr fs:[00000030h]	3_2_02E6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6CA6F mov eax, dword ptr fs:[00000030h]	3_2_02E6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDEA60 mov eax, dword ptr fs:[00000030h]	3_2_02EDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EACA72 mov eax, dword ptr fs:[00000030h]	3_2_02EACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EACA72 mov eax, dword ptr fs:[00000030h]	3_2_02EACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E36A50 mov eax, dword ptr fs:[00000030h]	3_2_02E36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E36A50 mov eax, dword ptr fs:[00000030h]	3_2_02E36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E36A50 mov eax, dword ptr fs:[00000030h]	3_2_02E36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E36A50 mov eax, dword ptr fs:[00000030h]	3_2_02E36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E36A50 mov eax, dword ptr fs:[00000030h]	3_2_02E36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E36A50 mov eax, dword ptr fs:[00000030h]	3_2_02E36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E36A50 mov eax, dword ptr fs:[00000030h]	3_2_02E36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40A5B mov eax, dword ptr fs:[00000030h]	3_2_02E40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40A5B mov eax, dword ptr fs:[00000030h]	3_2_02E40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6CA24 mov eax, dword ptr fs:[00000030h]	3_2_02E6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5EA2E mov eax, dword ptr fs:[00000030h]	3_2_02E5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E54A35 mov eax, dword ptr fs:[00000030h]	3_2_02E54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E54A35 mov eax, dword ptr fs:[00000030h]	3_2_02E54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6CA38 mov eax, dword ptr fs:[00000030h]	3_2_02E6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EBCA11 mov eax, dword ptr fs:[00000030h]	3_2_02EBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E38BF0 mov eax, dword ptr fs:[00000030h]	3_2_02E38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E38BF0 mov eax, dword ptr fs:[00000030h]	3_2_02E38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E38BF0 mov eax, dword ptr fs:[00000030h]	3_2_02E38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5EBFC mov eax, dword ptr fs:[00000030h]	3_2_02E5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EBCBF0 mov eax, dword ptr fs:[00000030h]	3_2_02EBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E50BCB mov eax, dword ptr fs:[00000030h]	3_2_02E50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E50BCB mov eax, dword ptr fs:[00000030h]	3_2_02E50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E50BCB mov eax, dword ptr fs:[00000030h]	3_2_02E50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E30BCD mov eax, dword ptr fs:[00000030h]	3_2_02E30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E30BCD mov eax, dword ptr fs:[00000030h]	3_2_02E30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E30BCD mov eax, dword ptr fs:[00000030h]	3_2_02E30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDEBD0 mov eax, dword ptr fs:[00000030h]	3_2_02EDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40BBE mov eax, dword ptr fs:[00000030h]	3_2_02E40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E40BBE mov eax, dword ptr fs:[00000030h]	3_2_02E40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE4BB0 mov eax, dword ptr fs:[00000030h]	3_2_02EE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE4BB0 mov eax, dword ptr fs:[00000030h]	3_2_02EE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E2CB7E mov eax, dword ptr fs:[00000030h]	3_2_02E2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE4B4B mov eax, dword ptr fs:[00000030h]	3_2_02EE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EE4B4B mov eax, dword ptr fs:[00000030h]	3_2_02EE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F02B57 mov eax, dword ptr fs:[00000030h]	3_2_02F02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F02B57 mov eax, dword ptr fs:[00000030h]	3_2_02F02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F02B57 mov eax, dword ptr fs:[00000030h]	3_2_02F02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F02B57 mov eax, dword ptr fs:[00000030h]	3_2_02F02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC6B40 mov eax, dword ptr fs:[00000030h]	3_2_02EC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC6B40 mov eax, dword ptr fs:[00000030h]	3_2_02EC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EFAB40 mov eax, dword ptr fs:[00000030h]	3_2_02EFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED8B42 mov eax, dword ptr fs:[00000030h]	3_2_02ED8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E28B50 mov eax, dword ptr fs:[00000030h]	3_2_02E28B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EDEB50 mov eax, dword ptr fs:[00000030h]	3_2_02EDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5EB20 mov eax, dword ptr fs:[00000030h]	3_2_02E5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5EB20 mov eax, dword ptr fs:[00000030h]	3_2_02E5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF8B28 mov eax, dword ptr fs:[00000030h]	3_2_02EF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EF8B28 mov eax, dword ptr fs:[00000030h]	3_2_02EF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F04B00 mov eax, dword ptr fs:[00000030h]	3_2_02F04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EFA8E4 mov eax, dword ptr fs:[00000030h]	3_2_02EFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6C8F9 mov eax, dword ptr fs:[00000030h]	3_2_02E6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6C8F9 mov eax, dword ptr fs:[00000030h]	3_2_02E6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E5E8C0 mov eax, dword ptr fs:[00000030h]	3_2_02E5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F008C0 mov eax, dword ptr fs:[00000030h]	3_2_02F008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E30887 mov eax, dword ptr fs:[00000030h]	3_2_02E30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EBC89D mov eax, dword ptr fs:[00000030h]	3_2_02EBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EBE872 mov eax, dword ptr fs:[00000030h]	3_2_02EBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EBE872 mov eax, dword ptr fs:[00000030h]	3_2_02EBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC6870 mov eax, dword ptr fs:[00000030h]	3_2_02EC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC6870 mov eax, dword ptr fs:[00000030h]	3_2_02EC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E42840 mov ecx, dword ptr fs:[00000030h]	3_2_02E42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E60854 mov eax, dword ptr fs:[00000030h]	3_2_02E60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E34859 mov eax, dword ptr fs:[00000030h]	3_2_02E34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E34859 mov eax, dword ptr fs:[00000030h]	3_2_02E34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E52835 mov eax, dword ptr fs:[00000030h]	3_2_02E52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E52835 mov eax, dword ptr fs:[00000030h]	3_2_02E52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E52835 mov eax, dword ptr fs:[00000030h]	3_2_02E52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E52835 mov ecx, dword ptr fs:[00000030h]	3_2_02E52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E52835 mov eax, dword ptr fs:[00000030h]	3_2_02E52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E52835 mov eax, dword ptr fs:[00000030h]	3_2_02E52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E6A830 mov eax, dword ptr fs:[00000030h]	3_2_02E6A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED483A mov eax, dword ptr fs:[00000030h]	3_2_02ED483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED483A mov eax, dword ptr fs:[00000030h]	3_2_02ED483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EBC810 mov eax, dword ptr fs:[00000030h]	3_2_02EBC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EBE9E0 mov eax, dword ptr fs:[00000030h]	3_2_02EBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E629F9 mov eax, dword ptr fs:[00000030h]	3_2_02E629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E629F9 mov eax, dword ptr fs:[00000030h]	3_2_02E629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EC69C0 mov eax, dword ptr fs:[00000030h]	3_2_02EC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_02E3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_02E3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_02E3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_02E3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_02E3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_02E3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E649D0 mov eax, dword ptr fs:[00000030h]	3_2_02E649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EFA9D3 mov eax, dword ptr fs:[00000030h]	3_2_02EFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E429A0 mov eax, dword ptr fs:[00000030h]	3_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E429A0 mov eax, dword ptr fs:[00000030h]	3_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E429A0 mov eax, dword ptr fs:[00000030h]	3_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E429A0 mov eax, dword ptr fs:[00000030h]	3_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E429A0 mov eax, dword ptr fs:[00000030h]	3_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E429A0 mov eax, dword ptr fs:[00000030h]	3_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E429A0 mov eax, dword ptr fs:[00000030h]	3_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E429A0 mov eax, dword ptr fs:[00000030h]	3_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E429A0 mov eax, dword ptr fs:[00000030h]	3_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E429A0 mov eax, dword ptr fs:[00000030h]	3_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E429A0 mov eax, dword ptr fs:[00000030h]	3_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E429A0 mov eax, dword ptr fs:[00000030h]	3_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E429A0 mov eax, dword ptr fs:[00000030h]	3_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E309AD mov eax, dword ptr fs:[00000030h]	3_2_02E309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E309AD mov eax, dword ptr fs:[00000030h]	3_2_02E309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB89B3 mov esi, dword ptr fs:[00000030h]	3_2_02EB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB89B3 mov eax, dword ptr fs:[00000030h]	3_2_02EB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02EB89B3 mov eax, dword ptr fs:[00000030h]	3_2_02EB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E56962 mov eax, dword ptr fs:[00000030h]	3_2_02E56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E56962 mov eax, dword ptr fs:[00000030h]	3_2_02E56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E56962 mov eax, dword ptr fs:[00000030h]	3_2_02E56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E7096E mov eax, dword ptr fs:[00000030h]	3_2_02E7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E7096E mov edx, dword ptr fs:[00000030h]	3_2_02E7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02E7096E mov eax, dword ptr fs:[00000030h]	3_2_02E7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED4978 mov eax, dword ptr fs:[00000030h]	3_2_02ED4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02ED4978 mov eax, dword ptr fs:[00000030h]	3_2_02ED4978

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009B80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_009B80A9

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0098A124 SetUnhandledExceptionFilter,	0_2_0098A124
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_0098A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0098A155
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0082A124 SetUnhandledExceptionFilter,	2_2_0082A124
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_0082A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0082A155

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2503008			Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D8B008			Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009B87B1 LogonUserW,

0_2_009B87B1

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_00963B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00963B3A

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_009648D7

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009C4C27 mouse_event,

0_2_009C4C27

Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe "C:\Users\user\AppData\Local\hypopygidium\retrofit.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\hypopygidium\retrofit.exe"	Jump to behavior

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009B7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_009B7CAF

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009B874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_009B874B

Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, retrofit.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, retrofit.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_0098862B cpuid

0_2_0098862B

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_00994E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00994E87

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009A1E06 GetUserNameW,

0_2_009A1E06

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_00993F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00993F3A

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Code function: 0_2_009649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009649A0

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1908281730.0000000002B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2008452617.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1908052139.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2007834256.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: retrofit.exe	Binary or memory string: WIN_81
Source: retrofit.exe	Binary or memory string: WIN_XP
Source: retrofit.exe	Binary or memory string: WIN_XPe
Source: retrofit.exe	Binary or memory string: WIN_VISTA
Source: retrofit.exe	Binary or memory string: WIN_7
Source: retrofit.exe	Binary or memory string: WIN_8
Source: retrofit.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1908281730.0000000002B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2008452617.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1908052139.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2007834256.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009D6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_009D6283
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Code function: 0_2_009D6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_009D6747
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00876283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_00876283
Source: C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	Code function: 2_2_00876747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00876747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Native API	111 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	116 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	25 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	40%	Virustotal		Browse
COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	39%	ReversingLabs	Win32.Trojan.AZORult
COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	39%	ReversingLabs	Win32.Trojan.AZORult
C:\Users\user\AppData\Local\hypopygidium\retrofit.exe	40%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582689
Start date and time:	2024-12-31 09:27:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@10/10@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 64 Number of non-executed functions: 273
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:29:15	API Interceptor	6x Sleep call for process: svchost.exe modified
09:28:27	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retrofit.vbs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	UmotQ1qjLq.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	Open Purchase Order Summary Details-16-12-2024.vbs	Get hash	malicious	LodaRAT, XRed	Browse	13.107.246.45
	Open Purchase Order Summary Sheet.vbs	Get hash	malicious	LodaRAT, XRed	Browse	13.107.246.45
	xyxmml.msi	Get hash	malicious	XRed	Browse	13.107.246.45
	valyzt.msi	Get hash	malicious	XRed	Browse	13.107.246.45
	Purchase-Order.exe	Get hash	malicious	LodaRAT, XRed	Browse	13.107.246.45
	FGNEBI.exe	Get hash	malicious	LodaRAT, XRed	Browse	13.107.246.45
	sdlvrr.msi	Get hash	malicious	LodaRAT	Browse	13.107.246.45
	docx.msi	Get hash	malicious	XRed	Browse	13.107.246.45
	hoaiuy.msi	Get hash	malicious	XRed	Browse	13.107.246.45

Process:	C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.994352869632329
Encrypted:	true
SSDEEP:	6144:YCcwbxnSX3QGCP/u1YkEeiNCGXq2n8CpBw3Id/16OMiuY6cEh:YCconSXcCYLeiNCWq28HLprJZ
MD5:	7FC249620EE1537B7D43E1043056F99B
SHA1:	2DD22FA84E6BE94010C8CC64E1B3E1EE797FC9D3
SHA-256:	3942E22734719E1672C5784F2FC36D13C8A00650964CF5187D6EF854D896B28C
SHA-512:	02ACFBC0E9041F6CC812E7D92884B873545729030D249C6F7890B6C364E01AED0CA643D0B1F3E012A7FD8C2830AD43B16854C97A071AB76932062317794243E4
Malicious:	false
Reputation:	low
Preview:	\|.u..LL8A...>......92...rOD..8H7JY7FC091W0LZLL8AU8H7JY7FC09.W0LTS.6A.1...X{.bdQX$.<(#+J 8.+V$7X2cR\.%E"z%"...khZ%=RhN=3.W0LZLL88T1..>.{#W..7W.@...{5_.-...z#W.+.f,+..<[ .>.FC091W0L..L8.T9Hs..mFC091W0L.LN9JT3H7.]7FC091W0L.XL8AE8H7:]7FCp91G0LZNL8GU8H7JY7@C091W0LZ<H8AW8H7JY7DCp.1W LZ\L8AU(H7ZY7FC09!W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H.><O2C09..4LZ\L8A.<H7ZY7FC091W0LZLL8aU8(7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC09

C:\Users\user\AppData\Local\Temp\aut2241.tmp

Download File

Process:	C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
File Type:	data
Category:	dropped
Size (bytes):	11002
Entropy (8bit):	7.4723302149488635
Encrypted:	false
SSDEEP:	192:ybF9L2UTOTIWoL0D7rNQf6aGhVa1nmZDJ/kIXkilOJcx4EL:ybF9568WownB06Ja0bOJvEL
MD5:	5A59791358579B54D112A3FF895BE36E
SHA1:	FEB2B38FB4152314B18F4F0AA21365825F69E278
SHA-256:	21CADC92BC54820EEAAE9119E065BF25791814CAC9CEEDAFA16292D099928A56
SHA-512:	FAC6B93A6FBB60313F36C613825B70F04C12A7BB87CC97C65A8520F19E99F4AA08213132E46CC4ED36B0DC50A302158E56B627A6E481128065DE1A42149EC133
Malicious:	false
Reputation:	low
Preview:	EA06..t.......V;...8....[4.p. ..0...=........f.M@.......X...,..8....t..Mf.[..c2.N&3)..$."..l...M.I..a2....@.......,.`.v.f..E.9...,.@......S.i..cf..@.@..gd...h.q...}.P....9...x......r..Y..."cb.#&........f.4.Yl.`..Yf..`.d.....r...$..&..i....>g.[..d..L.X:.9....e.v.....k0.L.....o0.u&....j...'....O&sy...f...T.0..Yrd....Jb.....e5.L&.0..`..s0......Y3.!...2....f..p.... ...d.....k3.R....-.Qd....`.......m1.`.& ....0..R_..se...@......T..m1.M.....U.k4...... .v.. ...m2.>@.......X.......%......0.............f..^......I.=..g......%..J........C...B....$L..4..c3.M..>)...4. l.Y....A.!.....f..@.....p.@.l.i..n.A.X@.....4..@ >....5..g......e. f.[,.ee. .&s.$....PR....N.=.OP.\|.....-.m0.x...4..,.p....M&.i..)1...[,....M,`.....b..<.).ae...2........AZ..8LlVI....'Y@.k $.....fr.....g7.d'.0Q..Z.K......5....._.._@y...........&@.~..&.0.D.#.Gz..f.P....@.)...f y...,s....d...D....-d.C......s./..Yd.....%.5....0..Yf...)...,fa0..x.k4..k.Y..$........Nf..<......].l`..0.W.5..(..u....#../.b....@..e.........

C:\Users\user\AppData\Local\Temp\aut2722.tmp

Download File

Process:	C:\Users\user\AppData\Local\hypopygidium\retrofit.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.994352869632329
Encrypted:	true
SSDEEP:	6144:YCcwbxnSX3QGCP/u1YkEeiNCGXq2n8CpBw3Id/16OMiuY6cEh:YCconSXcCYLeiNCWq28HLprJZ
MD5:	7FC249620EE1537B7D43E1043056F99B
SHA1:	2DD22FA84E6BE94010C8CC64E1B3E1EE797FC9D3
SHA-256:	3942E22734719E1672C5784F2FC36D13C8A00650964CF5187D6EF854D896B28C
SHA-512:	02ACFBC0E9041F6CC812E7D92884B873545729030D249C6F7890B6C364E01AED0CA643D0B1F3E012A7FD8C2830AD43B16854C97A071AB76932062317794243E4
Malicious:	false
Reputation:	low
Preview:	\|.u..LL8A...>......92...rOD..8H7JY7FC091W0LZLL8AU8H7JY7FC09.W0LTS.6A.1...X{.bdQX$.<(#+J 8.+V$7X2cR\.%E"z%"...khZ%=RhN=3.W0LZLL88T1..>.{#W..7W.@...{5_.-...z#W.+.f,+..<[ .>.FC091W0L..L8.T9Hs..mFC091W0L.LN9JT3H7.]7FC091W0L.XL8AE8H7:]7FCp91G0LZNL8GU8H7JY7@C091W0LZ<H8AW8H7JY7DCp.1W LZ\L8AU(H7ZY7FC09!W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H.><O2C09..4LZ\L8A.<H7ZY7FC091W0LZLL8aU8(7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC09

C:\Users\user\AppData\Local\Temp\aut282C.tmp

Download File

Process:	C:\Users\user\AppData\Local\hypopygidium\retrofit.exe
File Type:	data
Category:	dropped
Size (bytes):	11002
Entropy (8bit):	7.4723302149488635
Encrypted:	false
SSDEEP:	192:ybF9L2UTOTIWoL0D7rNQf6aGhVa1nmZDJ/kIXkilOJcx4EL:ybF9568WownB06Ja0bOJvEL
MD5:	5A59791358579B54D112A3FF895BE36E
SHA1:	FEB2B38FB4152314B18F4F0AA21365825F69E278
SHA-256:	21CADC92BC54820EEAAE9119E065BF25791814CAC9CEEDAFA16292D099928A56
SHA-512:	FAC6B93A6FBB60313F36C613825B70F04C12A7BB87CC97C65A8520F19E99F4AA08213132E46CC4ED36B0DC50A302158E56B627A6E481128065DE1A42149EC133
Malicious:	false
Reputation:	low
Preview:	EA06..t.......V;...8....[4.p. ..0...=........f.M@.......X...,..8....t..Mf.[..c2.N&3)..$."..l...M.I..a2....@.......,.`.v.f..E.9...,.@......S.i..cf..@.@..gd...h.q...}.P....9...x......r..Y..."cb.#&........f.4.Yl.`..Yf..`.d.....r...$..&..i....>g.[..d..L.X:.9....e.v.....k0.L.....o0.u&....j...'....O&sy...f...T.0..Yrd....Jb.....e5.L&.0..`..s0......Y3.!...2....f..p.... ...d.....k3.R....-.Qd....`.......m1.`.& ....0..R_..se...@......T..m1.M.....U.k4...... .v.. ...m2.>@.......X.......%......0.............f..^......I.=..g......%..J........C...B....$L..4..c3.M..>)...4. l.Y....A.!.....f..@.....p.@.l.i..n.A.X@.....4..@ >....5..g......e. f.[,.ee. .&s.$....PR....N.=.OP.\|.....-.m0.x...4..,.p....M&.i..)1...[,....M,`.....b..<.).ae...2........AZ..8LlVI....'Y@.k $.....fr.....g7.d'.0Q..Z.K......5....._.._@y...........&@.~..&.0.D.#.Gz..f.P....@.)...f y...,s....d...D....-d.C......s./..Yd.....%.5....0..Yf...)...,fa0..x.k4..k.Y..$........Nf..<......].l`..0.W.5..(..u....#../.b....@..e.........

C:\Users\user\AppData\Local\Temp\aut59BB.tmp

Download File

Process:	C:\Users\user\AppData\Local\hypopygidium\retrofit.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.994352869632329
Encrypted:	true
SSDEEP:	6144:YCcwbxnSX3QGCP/u1YkEeiNCGXq2n8CpBw3Id/16OMiuY6cEh:YCconSXcCYLeiNCWq28HLprJZ
MD5:	7FC249620EE1537B7D43E1043056F99B
SHA1:	2DD22FA84E6BE94010C8CC64E1B3E1EE797FC9D3
SHA-256:	3942E22734719E1672C5784F2FC36D13C8A00650964CF5187D6EF854D896B28C
SHA-512:	02ACFBC0E9041F6CC812E7D92884B873545729030D249C6F7890B6C364E01AED0CA643D0B1F3E012A7FD8C2830AD43B16854C97A071AB76932062317794243E4
Malicious:	false
Reputation:	low
Preview:	\|.u..LL8A...>......92...rOD..8H7JY7FC091W0LZLL8AU8H7JY7FC09.W0LTS.6A.1...X{.bdQX$.<(#+J 8.+V$7X2cR\.%E"z%"...khZ%=RhN=3.W0LZLL88T1..>.{#W..7W.@...{5_.-...z#W.+.f,+..<[ .>.FC091W0L..L8.T9Hs..mFC091W0L.LN9JT3H7.]7FC091W0L.XL8AE8H7:]7FCp91G0LZNL8GU8H7JY7@C091W0LZ<H8AW8H7JY7DCp.1W LZ\L8AU(H7ZY7FC09!W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H.><O2C09..4LZ\L8A.<H7ZY7FC091W0LZLL8aU8(7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC09

C:\Users\user\AppData\Local\Temp\aut5A0A.tmp

Download File

Process:	C:\Users\user\AppData\Local\hypopygidium\retrofit.exe
File Type:	data
Category:	dropped
Size (bytes):	11002
Entropy (8bit):	7.4723302149488635
Encrypted:	false
SSDEEP:	192:ybF9L2UTOTIWoL0D7rNQf6aGhVa1nmZDJ/kIXkilOJcx4EL:ybF9568WownB06Ja0bOJvEL
MD5:	5A59791358579B54D112A3FF895BE36E
SHA1:	FEB2B38FB4152314B18F4F0AA21365825F69E278
SHA-256:	21CADC92BC54820EEAAE9119E065BF25791814CAC9CEEDAFA16292D099928A56
SHA-512:	FAC6B93A6FBB60313F36C613825B70F04C12A7BB87CC97C65A8520F19E99F4AA08213132E46CC4ED36B0DC50A302158E56B627A6E481128065DE1A42149EC133
Malicious:	false
Reputation:	low
Preview:	EA06..t.......V;...8....[4.p. ..0...=........f.M@.......X...,..8....t..Mf.[..c2.N&3)..$."..l...M.I..a2....@.......,.`.v.f..E.9...,.@......S.i..cf..@.@..gd...h.q...}.P....9...x......r..Y..."cb.#&........f.4.Yl.`..Yf..`.d.....r...$..&..i....>g.[..d..L.X:.9....e.v.....k0.L.....o0.u&....j...'....O&sy...f...T.0..Yrd....Jb.....e5.L&.0..`..s0......Y3.!...2....f..p.... ...d.....k3.R....-.Qd....`.......m1.`.& ....0..R_..se...@......T..m1.M.....U.k4...... .v.. ...m2.>@.......X.......%......0.............f..^......I.=..g......%..J........C...B....$L..4..c3.M..>)...4. l.Y....A.!.....f..@.....p.@.l.i..n.A.X@.....4..@ >....5..g......e. f.[,.ee. .&s.$....PR....N.=.OP.\|.....-.m0.x...4..,.p....M&.i..)1...[,....M,`.....b..<.).ae...2........AZ..8LlVI....'Y@.k $.....fr.....g7.d'.0Q..Z.K......5....._.._@y...........&@.~..&.0.D.#.Gz..f.P....@.)...f y...,s....d...D....-d.C......s./..Yd.....%.5....0..Yf...)...,fa0..x.k4..k.Y..$........Nf..<......].l`..0.W.5..(..u....#../.b....@..e.........

C:\Users\user\AppData\Local\Temp\kinematical

Download File

Process:	C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
File Type:	ASCII text, with very long lines (29698), with no line terminators
Category:	dropped
Size (bytes):	29698
Entropy (8bit):	3.5397273526009285
Encrypted:	false
SSDEEP:	384:cdhx4G/5WDn32nQ2uNXeDbbF8GNf4dvT/gcvI2U486yRv6Itdps8MbVIZF1aFNjN:ZG/AD32adq7wdvzgcA76ItdphguF8/1H
MD5:	DE01FCC9EF560F6D3D83B46D583A0D7A
SHA1:	ED628FBAD828CFB461BC8F8735F39F92D356DCF4
SHA-256:	9D4C80FA92F505DBD747B3950251AE8C8AC96D48AC699F72F79694AF074A7AAD
SHA-512:	B3904F4E0F2AD81378B2DAA57F23B20766B5CA433F6D2F628128CA221630608CC93069341F9D497066E664B97E058BB6605319A3E21896AD80EDA5F0FFA9561B
Malicious:	false
Preview:	000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000cc5e8c30ef480000f4c0ef48f4807c800089ff65f482700008b80e8e85ccccccccc00c555af124812781278555ccccccccccc00cf74408025802480258cccccccccc00c5e8dff48fff5ef480c8f48f48d430ecf48d48c3f521fc1ecf58c3d421fc1ecf48c3d521fc1ecf58c3d421fc1ecf48c3e521fc1ecf58c3e421fc1ecf48c3e521fc1ecf58e421fc1ecf48f48f43f480009800f78f581b0f40048fffff4c0000f4ce48edf430ecf48e58f530ecf58e480ecf48e480ecf48d580ecf58d480ecf48d48edf48eb82f4c3e8e85cccccc00c5e8c3be0e800048e5850b0e48f58170430002e5e48e48800048e58f4837143f48f58f480c8f480e0000f4ce48240048

C:\Users\user\AppData\Local\Temp\nonsubmerged

Download File

Process:	C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.994352869632329
Encrypted:	true
SSDEEP:	6144:YCcwbxnSX3QGCP/u1YkEeiNCGXq2n8CpBw3Id/16OMiuY6cEh:YCconSXcCYLeiNCWq28HLprJZ
MD5:	7FC249620EE1537B7D43E1043056F99B
SHA1:	2DD22FA84E6BE94010C8CC64E1B3E1EE797FC9D3
SHA-256:	3942E22734719E1672C5784F2FC36D13C8A00650964CF5187D6EF854D896B28C
SHA-512:	02ACFBC0E9041F6CC812E7D92884B873545729030D249C6F7890B6C364E01AED0CA643D0B1F3E012A7FD8C2830AD43B16854C97A071AB76932062317794243E4
Malicious:	false
Preview:	\|.u..LL8A...>......92...rOD..8H7JY7FC091W0LZLL8AU8H7JY7FC09.W0LTS.6A.1...X{.bdQX$.<(#+J 8.+V$7X2cR\.%E"z%"...khZ%=RhN=3.W0LZLL88T1..>.{#W..7W.@...{5_.-...z#W.+.f,+..<[ .>.FC091W0L..L8.T9Hs..mFC091W0L.LN9JT3H7.]7FC091W0L.XL8AE8H7:]7FCp91G0LZNL8GU8H7JY7@C091W0LZ<H8AW8H7JY7DCp.1W LZ\L8AU(H7ZY7FC09!W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H.><O2C09..4LZ\L8A.<H7ZY7FC091W0LZLL8aU8(7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC091W0LZLL8AU8H7JY7FC09

C:\Users\user\AppData\Local\hypopygidium\retrofit.exe

Download File

Process:	C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1181184
Entropy (8bit):	7.160958739761823
Encrypted:	false
SSDEEP:	24576:au6J33O0c+JY5UZ+XC0kGso6FafRjensI8BABQJ1WY:su0c++OCvkGs9FafRUMAFY
MD5:	2C832DC5F84A0437CC5C4869FFC21648
SHA1:	CA494CDE7576E0EB7035B2368971FB151E652B12
SHA-256:	D9CFE4C08B2F71B517BA47FE43F8825085B0F4CF9B8E8627EE40E54EC9F6BB05
SHA-512:	53E0E97B0F4CAD8E549757B83FC3F20520A93C8E5523B4AA131CF4764C08F3813B706CF15D4C006A847AEE9715E8B41591B9AE98FAA1E3CE83DBEB18DB42A4DC
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39% Antivirus: Virustotal, Detection: 40%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...1Dsg.........."..........$.......}............@..........................p.......t....@...@.......@.....................L...\|....p..D\|.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...D\|...p...~..................@..@.reloc...q.......r..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retrofit.vbs

Download File

Process:	C:\Users\user\AppData\Local\hypopygidium\retrofit.exe
File Type:	data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.4365906576258367
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclmVzUEZ+lX10e66g/XAAnriIM8lfQVn:DsO+vNlGQ1B66g9mA2n
MD5:	C4E9A1EB0FEB7C305278BCDAB397ECDE
SHA1:	2DF681EC0051CA0F54067572E197DCC7FDF9C2A8
SHA-256:	8528204B1D23541A93AB121A0823EA9FF10AB93909CFCBE20DC66291672C08B9
SHA-512:	CE2D68835E7EE81157F5D9CC0D2B4D32057CAB01A5707A5D8955B0E6C48C231177796B64AC630AEF5A7722F701D8CCAB694119AA7406A43B07E8312DC4353B3D
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.t.o.t.t.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.h.y.p.o.p.y.g.i.d.i.u.m.\.r.e.t.r.o.f.i.t...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.160958739761823
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
File size:	1'181'184 bytes
MD5:	2c832dc5f84a0437cc5c4869ffc21648
SHA1:	ca494cde7576e0eb7035b2368971fb151e652b12
SHA256:	d9cfe4c08b2f71b517ba47fe43f8825085b0f4cf9b8e8627ee40e54ec9f6bb05
SHA512:	53e0e97b0f4cad8e549757b83fc3f20520a93c8e5523b4aa131cf4764c08f3813b706cf15d4c006a847aee9715e8b41591b9ae98faa1e3ce83dbeb18db42a4dc
SSDEEP:	24576:au6J33O0c+JY5UZ+XC0kGso6FafRjensI8BABQJ1WY:su0c++OCvkGs9FafRUMAFY
TLSH:	A545CF2273DDC360CB669173BF69B7016EBF7C610630B85B2F880D7DA950162262D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67734431 [Tue Dec 31 01:09:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F0F7CD6CCBAh
jmp 00007F0F7CD5FA84h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F0F7CD5FC0Ah
cmp edi, eax
jc 00007F0F7CD5FF6Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F0F7CD5FC09h
rep movsb
jmp 00007F0F7CD5FF1Ch
cmp ecx, 00000080h
jc 00007F0F7CD5FDD4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F0F7CD5FC10h
bt dword ptr [004BE324h], 01h
jc 00007F0F7CD600E0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F0F7CD5FDADh
test edi, 00000003h
jne 00007F0F7CD5FDBEh
test esi, 00000003h
jne 00007F0F7CD5FD9Dh
bt edi, 02h
jnc 00007F0F7CD5FC0Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F0F7CD5FC13h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F0F7CD5FC65h
bt esi, 03h
jnc 00007F0F7CD5FCB8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x57c44	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11f000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x57c44	0x57e00	84cdd2eb5fc11df8a72beba416aa1271	False	0.9244754623044097	data	7.888902015004479	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11f000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x4ef0c	data			1.0003278282922001
RT_GROUP_ICON	0x11e6c4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11e73c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11e750	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11e764	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11e778	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11e854	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 09:28:18.207600117 CET	1.1.1.1	192.168.2.11	0xc2a	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 31, 2024 09:28:18.207600117 CET	1.1.1.1	192.168.2.11	0xc2a	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:28:22
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Imagebase:	0x960000
File size:	1'181'184 bytes
MD5 hash:	2C832DC5F84A0437CC5C4869FFC21648
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:28:23
Start date:	31/12/2024
Path:	C:\Users\user\AppData\Local\hypopygidium\retrofit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Imagebase:	0x800000
File size:	1'181'184 bytes
MD5 hash:	2C832DC5F84A0437CC5C4869FFC21648
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 39%, ReversingLabs Detection: 40%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:28:25
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Imagebase:	0x270000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1908281730.0000000002B40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1908052139.0000000000210000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:28:36
Start date:	31/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retrofit.vbs"
Imagebase:	0x7ff784240000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:28:36
Start date:	31/12/2024
Path:	C:\Users\user\AppData\Local\hypopygidium\retrofit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\hypopygidium\retrofit.exe"
Imagebase:	0x800000
File size:	1'181'184 bytes
MD5 hash:	2C832DC5F84A0437CC5C4869FFC21648
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:28:38
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\hypopygidium\retrofit.exe"
Imagebase:	0x270000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2008452617.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2007834256.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	5.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	42

Executed Functions

Function 00963B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00963B68
IsDebuggerPresent.KERNEL32 ref: 00963B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00A252F8,00A252E0,?,?), ref: 00963BEB

Part of subcall function 00967BCC: _memmove.LIBCMT ref: 00967C06

Part of subcall function 0097092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00963C14,00A252F8,?,?,?), ref: 0097096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00963C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00A17770,00000010), ref: 0099D281
SetCurrentDirectoryW.KERNEL32(?,00A252F8,?,?,?), ref: 0099D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00A14260,00A252F8,?,?,?), ref: 0099D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0099D346

Part of subcall function 00963A46: GetSysColorBrush.USER32(0000000F), ref: 00963A50
Part of subcall function 00963A46: LoadCursorW.USER32(00000000,00007F00), ref: 00963A5F
Part of subcall function 00963A46: LoadIconW.USER32(00000063), ref: 00963A76
Part of subcall function 00963A46: LoadIconW.USER32(000000A4), ref: 00963A88
Part of subcall function 00963A46: LoadIconW.USER32(000000A2), ref: 00963A9A
Part of subcall function 00963A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00963AC0
Part of subcall function 00963A46: RegisterClassExW.USER32(?), ref: 00963B16

Part of subcall function 009639D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00963A03
Part of subcall function 009639D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00963A24
Part of subcall function 009639D5: ShowWindow.USER32(00000000,?,?), ref: 00963A38
Part of subcall function 009639D5: ShowWindow.USER32(00000000,?,?), ref: 00963A41

Part of subcall function 0096434A: _memset.LIBCMT ref: 00964370
Part of subcall function 0096434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00964415

Strings

runas, xrefs: 0099D33A
This is a third-party compiled AutoIt script., xrefs: 0099D279

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 7fe1f417653b3db3ca09ed2710f2c64261d8670beb7549d816cc2b2777805fe4
Instruction ID: 883b1139bdc20610e8d6432e5c6d58d0d637783d53133c1973a24851578bdc1d
Opcode Fuzzy Hash: 7fe1f417653b3db3ca09ed2710f2c64261d8670beb7549d816cc2b2777805fe4
Instruction Fuzzy Hash: F9512330D09148EADF11EBF8EC56EFDBB78BF85344F008075F861A61A2CA745A46DB21

Function 009649A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 009649CD

Part of subcall function 00967BCC: _memmove.LIBCMT ref: 00967C06

GetCurrentProcess.KERNEL32(?,009EFAEC,00000000,00000000,?), ref: 00964A9A
IsWow64Process.KERNEL32(00000000), ref: 00964AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00964AE7
FreeLibrary.KERNEL32(00000000), ref: 00964AF2
GetSystemInfo.KERNEL32(00000000), ref: 00964B23
GetSystemInfo.KERNEL32(00000000), ref: 00964B2F

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 24f07de53d08728eec3bfe1d14305b42973699894b03641c816a3bb506f10f7a
Instruction ID: b0169c0c056c705f658db61828a0401a619f24a7f9df5a6287d5c461b33e682d
Opcode Fuzzy Hash: 24f07de53d08728eec3bfe1d14305b42973699894b03641c816a3bb506f10f7a
Instruction Fuzzy Hash: FC91C83198E7C0DECB31DBF885901AAFFF9AF29300B444D6ED0CB97A41D224A948D759

Function 00964E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00964D8E,?,?,00000000,00000000), ref: 00964E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00964D8E,?,?,00000000,00000000), ref: 00964EB0
LoadResource.KERNEL32(?,00000000,?,?,00964D8E,?,?,00000000,00000000,?,?,?,?,?,?,00964E2F), ref: 0099D937
SizeofResource.KERNEL32(?,00000000,?,?,00964D8E,?,?,00000000,00000000,?,?,?,?,?,?,00964E2F), ref: 0099D94C
LockResource.KERNEL32(00964D8E,?,?,00964D8E,?,?,00000000,00000000,?,?,?,?,?,?,00964E2F,00000000), ref: 0099D95F

Strings

SCRIPT, xrefs: 00964EA6

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: c61a33ce041a692d1a1f6c92876a7a51bbfade402c87f7c58f0571dca6e09cdf
Instruction ID: 54ea64278d9ae344657863f414bdfcbb8e4a1e0a11b9dd94c85b8799924ffaf1
Opcode Fuzzy Hash: c61a33ce041a692d1a1f6c92876a7a51bbfade402c87f7c58f0571dca6e09cdf
Instruction Fuzzy Hash: 11115EB5240741BFD7218BA5EC98F677BBEFBC5B11F104269F5268A250DB62EC009660

Function 0096FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: b025543cbb911b407d141ae84c3af21e25f8d9e4924f24f7dc0ede2743a13728
Instruction ID: 7d7a62b675aec69bcc68d85bc9a0c2d9fc9be656ceabcbf08b255df7cb352d53
Opcode Fuzzy Hash: b025543cbb911b407d141ae84c3af21e25f8d9e4924f24f7dc0ede2743a13728
Instruction Fuzzy Hash: 13923571608341CFD724DF28C490B2ABBE5BBC9304F14896DE89A9B362D775EC45CB92

Function 009C445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0099E398), ref: 009C446A
FindFirstFileW.KERNELBASE(?,?), ref: 009C447B
FindClose.KERNEL32(00000000), ref: 009C448B

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: e899de5eaeca55b0f366d6897d68df5dd6f9541e44f87d443a217565015a93f0
Instruction ID: 122b27881caf166a9f7474bec16c30ee7e541c9239ef1e1e35dd2cb6b9f61aec
Opcode Fuzzy Hash: e899de5eaeca55b0f366d6897d68df5dd6f9541e44f87d443a217565015a93f0
Instruction Fuzzy Hash: A0E0D833D24540A746146B38EC5D9E9779C9E05375F20471AF935C51E0E7745D00A597

Function 0096E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 009A3E62

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 3d41da4aee1658e4849e908dc37802e5059f47aa3aa7747b7d0df9213c83965b
Instruction ID: 920798f22fb692af2cc5e6da5b555eb87e5a70a2c8038c699c2450fc211770ad
Opcode Fuzzy Hash: 3d41da4aee1658e4849e908dc37802e5059f47aa3aa7747b7d0df9213c83965b
Instruction Fuzzy Hash: FDA2AD78A00219CFCB24CF98C490ABEB7B6FF59314F248469E806AB351D775ED42CB91

Function 009709D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00970A5B
timeGetTime.WINMM ref: 00970D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00970E53
Sleep.KERNEL32(0000000A), ref: 00970E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00970EFA
DestroyWindow.USER32 ref: 00970F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00970F20
Sleep.KERNEL32(0000000A,?,?), ref: 009A4E83
TranslateMessage.USER32(?), ref: 009A5C60
DispatchMessageW.USER32(?), ref: 009A5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009A5C82

Strings

@GUI_CTRLHANDLE, xrefs: 009A4FE4
@GUI_CTRLID, xrefs: 009A4F3A
@GUI_WINHANDLE, xrefs: 009A4F8F
@COM_EVENTOBJ, xrefs: 009A54F0
@TRAY_ID, xrefs: 009A578F

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 37b278aa49f6d0d200ff8715071ad34a4b6f7dc3d8d747c4032aa7037aa808dc
Instruction ID: a13ba1451cbf2fc4be9213b46fd97cec3433b35f6f3564b4b336e7b34bedc6a3
Opcode Fuzzy Hash: 37b278aa49f6d0d200ff8715071ad34a4b6f7dc3d8d747c4032aa7037aa808dc
Instruction Fuzzy Hash: 61B2E171608741DFD728DF24C884BAAB7E8BFC5304F15891DF4999B2A1CB75E885CB82

Function 009C9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009C8F5F: __time64.LIBCMT ref: 009C8F69

Part of subcall function 00964EE5: _fseek.LIBCMT ref: 00964EFD

__wsplitpath.LIBCMT ref: 009C9234

Part of subcall function 009840FB: __wsplitpath_helper.LIBCMT ref: 0098413B

_wcscpy.LIBCMT ref: 009C9247
_wcscat.LIBCMT ref: 009C925A
__wsplitpath.LIBCMT ref: 009C927F
_wcscat.LIBCMT ref: 009C9295
_wcscat.LIBCMT ref: 009C92A8

Part of subcall function 009C8FA5: _memmove.LIBCMT ref: 009C8FDE
Part of subcall function 009C8FA5: _memmove.LIBCMT ref: 009C8FED

_wcscmp.LIBCMT ref: 009C91EF

Part of subcall function 009C9734: _wcscmp.LIBCMT ref: 009C9824
Part of subcall function 009C9734: _wcscmp.LIBCMT ref: 009C9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009C9452
_wcsncpy.LIBCMT ref: 009C94C5
DeleteFileW.KERNEL32(?,?), ref: 009C94FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009C9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009C9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009C9534

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: a7ad0d754b868e26fd4f1577ce86de0195a670b45d882ec6c2b197f18685dfb6
Instruction ID: 44844f7c29539d864b5881f9b333e63de40816f3fc6e2075b87051778551c82b
Opcode Fuzzy Hash: a7ad0d754b868e26fd4f1577ce86de0195a670b45d882ec6c2b197f18685dfb6
Instruction Fuzzy Hash: 9BC11BB1D00219AADF21DF95CC85FDEBBBDEF85350F0044AAF609E6251DB309A448F65

Function 00963015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00963074
RegisterClassExW.USER32(00000030), ref: 0096309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009630AF
InitCommonControlsEx.COMCTL32(?), ref: 009630CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009630DC
LoadIconW.USER32(000000A9), ref: 009630F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00963101

Strings

TaskbarCreated, xrefs: 009630A4
+, xrefs: 0096305D
0, xrefs: 00963056
AutoIt v3 GUI, xrefs: 00963090

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: f11c5a2e3241ffb98beec77dd8895a9344aefb173ef2c9346fb0d37c8f8f3339
Instruction ID: 3442580eb4a6923815f2a10fec1017ea39287f597f124d5df216fdabe651c6d2
Opcode Fuzzy Hash: f11c5a2e3241ffb98beec77dd8895a9344aefb173ef2c9346fb0d37c8f8f3339
Instruction Fuzzy Hash: D43129B1855385AFDB20CFE8D895A9DBBF4FB09310F14452EE580AA2A0D3B50586DF51

Function 00963041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00963074
RegisterClassExW.USER32(00000030), ref: 0096309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009630AF
InitCommonControlsEx.COMCTL32(?), ref: 009630CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009630DC
LoadIconW.USER32(000000A9), ref: 009630F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00963101

Strings

TaskbarCreated, xrefs: 009630A4
+, xrefs: 0096305D
0, xrefs: 00963056
AutoIt v3 GUI, xrefs: 00963090

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 18627e67938791e47649a01ceb43762741c10c387b3e4a9063ec6853636d1d04
Instruction ID: 46fe278a76d471f4faab30522bd58eeebc8a2a7ff5a86ffb63df218e078a22a5
Opcode Fuzzy Hash: 18627e67938791e47649a01ceb43762741c10c387b3e4a9063ec6853636d1d04
Instruction Fuzzy Hash: BB21E8B1D15248AFDB10DFE8E888BEDBBF4FB08710F00412AF510AA2A0D7B149459F91

Function 0096708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00964706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A252F8,?,009637AE,?), ref: 00964724

Part of subcall function 0098050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00967165), ref: 0098052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 009671A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0099E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0099E909
RegCloseKey.ADVAPI32(?), ref: 0099E947
_wcscat.LIBCMT ref: 0099E9A0

Strings

Include, xrefs: 0099E8BF, 0099E900
\, xrefs: 0099E9C3
Software\AutoIt v3\AutoIt, xrefs: 0096719E
\Include\, xrefs: 00967165

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: fa4c4bb7ac60e120abe78a8ffccdbe7c6343435986a1cd74f2775a6999836a7d
Instruction ID: 93b50929e61b56e975ff8d50183049889e17637075b589064845624316a67328
Opcode Fuzzy Hash: fa4c4bb7ac60e120abe78a8ffccdbe7c6343435986a1cd74f2775a6999836a7d
Instruction Fuzzy Hash: BD71937190A301DEC714EFA9EC41AABBBE8FF95350F40093EF445872A1DB71994ACB52

Function 00963A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00963A50
LoadCursorW.USER32(00000000,00007F00), ref: 00963A5F
LoadIconW.USER32(00000063), ref: 00963A76
LoadIconW.USER32(000000A4), ref: 00963A88
LoadIconW.USER32(000000A2), ref: 00963A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00963AC0
RegisterClassExW.USER32(?), ref: 00963B16

Part of subcall function 00963041: GetSysColorBrush.USER32(0000000F), ref: 00963074
Part of subcall function 00963041: RegisterClassExW.USER32(00000030), ref: 0096309E
Part of subcall function 00963041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009630AF
Part of subcall function 00963041: InitCommonControlsEx.COMCTL32(?), ref: 009630CC
Part of subcall function 00963041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009630DC
Part of subcall function 00963041: LoadIconW.USER32(000000A9), ref: 009630F2
Part of subcall function 00963041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00963101

Strings

AutoIt v3, xrefs: 00963B05
0, xrefs: 00963AF4
#, xrefs: 00963AFB

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d44f8b541b15f0b067f8869aa0b5e4b204d48bf3d69c0d640b38e53121995f0b
Instruction ID: 7c9455c44c643878ee478bbb08a69d86c537edf72edd0baa0d6f8b2d24750360
Opcode Fuzzy Hash: d44f8b541b15f0b067f8869aa0b5e4b204d48bf3d69c0d640b38e53121995f0b
Instruction Fuzzy Hash: 86212CB0D11304EFEB20DFB8EC45BAD7BB4FB08711F00412AE500AA2E1D3B55A529F84

Function 00963633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 009636D2
KillTimer.USER32(?,00000001), ref: 009636FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0096371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0096372A
CreatePopupMenu.USER32 ref: 0096373E
PostQuitMessage.USER32(00000000), ref: 0096374D

Strings

TaskbarCreated, xrefs: 00963725

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: ecd059b237e9055dc10ab4c162ef50e7b49174dd6a5a3ee7c414fa7a58daa3a7
Instruction ID: b1c9a5ea6a58d46526f2a9a9656de8c79f6a15e61e78ffb206c09d53c24ddd8f
Opcode Fuzzy Hash: ecd059b237e9055dc10ab4c162ef50e7b49174dd6a5a3ee7c414fa7a58daa3a7
Instruction Fuzzy Hash: C64179B2604545FBDF249FBCEC4ABB93798FB40300F148535F502962E2CAB69E42A761

Function 00963766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 009637FB
/AutoIt3ExecuteScript, xrefs: 009638BC
/AutoIt3ExecuteLine, xrefs: 009638A7
/ErrorStdOut, xrefs: 0096387D
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 009637AE
CMDLINE, xrefs: 00963822
/AutoIt3OutputDebug, xrefs: 00963892

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: df0dfca288b76111207c20c6cea7c3b4e78129999c2d4aa7c952f486c8e82653
Instruction ID: 0e62cea1b431b82c7683f9ea5f5964df340a78958d5471707d7827bac8b68acf
Opcode Fuzzy Hash: df0dfca288b76111207c20c6cea7c3b4e78129999c2d4aa7c952f486c8e82653
Instruction Fuzzy Hash: 83A14A72D0022D9ACF15EBE4DC95AFEB778BF94310F40452AF416A7191EF746A09CBA0

Function 01800920 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01800965

Memory Dump Source

Source File: 00000000.00000002.1377894723.0000000001800000.00000040.00001000.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 74d512d84fc77b1bc9c0292d0d7b24a5b19f61f09bedb05371a7c7f4ec12f17c
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 4351E675A5020CBBEB60DFA4CC49FDE7778AF48741F108654F60AEA1C0DA7496858B60

Function 009639D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00963A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00963A24
ShowWindow.USER32(00000000,?,?), ref: 00963A38
ShowWindow.USER32(00000000,?,?), ref: 00963A41

Strings

AutoIt v3, xrefs: 009639FB, 00963A00, 00963A01
edit, xrefs: 00963A1E

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 0eac5c199177d46f9446a36364d31d9f068293b9383ce19093a9efd825770b7a
Instruction ID: 3bc30864956c32183d35374847b91e30ba7856669707ec1c99231b33b340b06a
Opcode Fuzzy Hash: 0eac5c199177d46f9446a36364d31d9f068293b9383ce19093a9efd825770b7a
Instruction Fuzzy Hash: 52F03A70901690BEEA3197AB6C58EBB2E7DE7C6F60B00003AB900A61B0C2714C43DBB0

Function 0096407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0099D3D7

Part of subcall function 00967BCC: _memmove.LIBCMT ref: 00967C06

_memset.LIBCMT ref: 009640FC
_wcscpy.LIBCMT ref: 00964150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00964160

Strings

Line: , xrefs: 0099D400

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: ccede2f21473d956e11e5fd8de192aebc945f4042824e21f7ab19fd6340777cd
Instruction ID: 2c572476e75312a80a57fa65dc0582bf7575b6d7018488a601eee2a4e1a5c4d4
Opcode Fuzzy Hash: ccede2f21473d956e11e5fd8de192aebc945f4042824e21f7ab19fd6340777cd
Instruction Fuzzy Hash: 4C31EF71408304ABD330EBA4DC46FEBB7DCAF94314F10492AF585821E1EB749A49CB92

Function 0098541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0098547B
_memcpy_s.LIBCMT ref: 009854ED
__read_nolock.LIBCMT ref: 0098554B
__filbuf.LIBCMT ref: 0098556E
_memset.LIBCMT ref: 009855B2

Part of subcall function 00988B28: __getptd_noexit.LIBCMT ref: 00988B28

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 00b16c241bbaff3adc0eebe8df9e9eb10b306bab820e75f65c976a413f318bd6
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: F651B570A00B05DBDB24BFB9D88066E77AAAF81321F258729F835963D0D774DD988B41

Function 0096686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00964DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00A252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00964E0F

_free.LIBCMT ref: 0099E263
_free.LIBCMT ref: 0099E2AA

Part of subcall function 00966A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00966BAD

Strings

Bad directive syntax error, xrefs: 0099E292
>>>AUTOIT SCRIPT<<<, xrefs: 0099E039

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: e1a3b0fdde126aaf8f69878a44bab63e7dace4f3c84b861fc44fa02f40a1aa7a
Instruction ID: 7519de5183923f2ffeb4f3d6b44f60991ccfd182d559491af8db0d761791ae8f
Opcode Fuzzy Hash: e1a3b0fdde126aaf8f69878a44bab63e7dace4f3c84b861fc44fa02f40a1aa7a
Instruction Fuzzy Hash: 67918C71904219AFCF14EFA8CC91AEDB7B8FF48314F14442AF816AB2A1DB75A905CB50

Function 018023F0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 160fileCOMMON

Download Yara Rule

APIs

Part of subcall function 018022E0: Sleep.KERNELBASE(000001F4), ref: 018022F1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0180253C

Strings

1W0LZLL8AU8H7JY7FC09, xrefs: 018025BC, 018025BF

Memory Dump Source

Source File: 00000000.00000002.1377894723.0000000001800000.00000040.00001000.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateFileSleep
String ID: 1W0LZLL8AU8H7JY7FC09
API String ID: 2694422964-499595293
Opcode ID: 6bc6349a89d9b5e324ebb4033deb6cc38bb774dc769e814a336999ea192e3101
Instruction ID: 1bf80f4ec33b72334d44cba2e227797a9a22c3f07206d69be0dd46a3df6d693b
Opcode Fuzzy Hash: 6bc6349a89d9b5e324ebb4033deb6cc38bb774dc769e814a336999ea192e3101
Instruction Fuzzy Hash: 34618170D1424CDAEF12DBE4C858BEEBBB5AF15304F004199E609BB2C1D6BA1B45CB66

Function 009635B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,009635A1,SwapMouseButtons,00000004,?), ref: 009635D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,009635A1,SwapMouseButtons,00000004,?,?,?,?,00962754), ref: 009635F5
RegCloseKey.KERNELBASE(00000000,?,?,009635A1,SwapMouseButtons,00000004,?,?,?,?,00962754), ref: 00963617

Strings

Control Panel\Mouse, xrefs: 009635D2

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: fc3283b4c47724acffa6feef82b486316ff299c27eeedbfaaa8dbb70592cddf2
Instruction ID: fe7845f7c904b7a3d0e58f5cc8fc9912dbb13a34b3e6d26e6abbbe35e7273f25
Opcode Fuzzy Hash: fc3283b4c47724acffa6feef82b486316ff299c27eeedbfaaa8dbb70592cddf2
Instruction Fuzzy Hash: D2115771614218BFDB20CF69DC81EAEBBBCEF05740F00846AF805DB210E2719F40ABA0

Function 009C955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00964EE5: _fseek.LIBCMT ref: 00964EFD

Part of subcall function 009C9734: _wcscmp.LIBCMT ref: 009C9824
Part of subcall function 009C9734: _wcscmp.LIBCMT ref: 009C9837

_free.LIBCMT ref: 009C96A2
_free.LIBCMT ref: 009C96A9
_free.LIBCMT ref: 009C9714

Part of subcall function 00982D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00989A24), ref: 00982D69
Part of subcall function 00982D55: GetLastError.KERNEL32(00000000,?,00989A24), ref: 00982D7B

_free.LIBCMT ref: 009C971C

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 6cef8eb787e4e551deb87a41cfcc5f328edab007a71f9a3129ff1eb0514b26a6
Instruction ID: 508fd4340363c004060c12b08c4c2f0e720c8b13544e5ea221cb0b58b7ec3209
Opcode Fuzzy Hash: 6cef8eb787e4e551deb87a41cfcc5f328edab007a71f9a3129ff1eb0514b26a6
Instruction Fuzzy Hash: D9513EB1D04258ABDF259FA4CC85B9EBBB9EF88300F10449EF609A3251DB715A80CF59

Function 0098470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009847A0
__flush.LIBCMT ref: 009847C0
__write.LIBCMT ref: 009847F3
__flsbuf.LIBCMT ref: 00984821

Part of subcall function 00988B28: __getptd_noexit.LIBCMT ref: 00988B28

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 8abd806f5f26f2176bb71b8901b2a3842ca773663aa137b8ec233f61fa2668fe
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: F041C575B007479BDB18EF69C8809AE7BBAEF86364B24853DE815C7780EB74DD408B50

Function 00967285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0099EA39
GetOpenFileNameW.COMDLG32(?), ref: 0099EA83

Part of subcall function 00964750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00964743,?,?,009637AE,?), ref: 00964770

Part of subcall function 00980791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009807B0

Strings

X, xrefs: 0099EA51

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 820e0cb8b5e1ca432f1df319b42bee4d9a687595a8bf74ebeb1f1405ccada551
Instruction ID: 0255a8a7b8ac9fa1883f03780fade659e05629fbc7dcff7c1e558c23ab51435f
Opcode Fuzzy Hash: 820e0cb8b5e1ca432f1df319b42bee4d9a687595a8bf74ebeb1f1405ccada551
Instruction Fuzzy Hash: 1421C630A002589BCF41DFD8C845BEEBBF8AF49714F00401AE408AB241DBB859898FA1

Function 009C8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009C8DAC
__fread_nolock.LIBCMT ref: 009C8DC1

Strings

EA06, xrefs: 009C8DF3

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: b09d20df8714266d4e1bd831e9915c3d4e9db7e64f5acbc76ee9e1362aacf51f
Instruction ID: 3197d5cc36efcbf2db624e1ce1cf4528c68edf0dc31810f9d528b914d99467e0
Opcode Fuzzy Hash: b09d20df8714266d4e1bd831e9915c3d4e9db7e64f5acbc76ee9e1362aacf51f
Instruction Fuzzy Hash: 7201D671C042187EDB18DAA8C816FEA7BF89B11301F00459EF552D22C1E878A6088760

Function 01801000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01801045
ExitProcess.KERNEL32(00000000), ref: 01801064

Strings

D, xrefs: 01801011

Memory Dump Source

Source File: 00000000.00000002.1377894723.0000000001800000.00000040.00001000.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: eaefe38700dea64172a30051a10e55a487822181055063bbb51e2642d874e9cd
Instruction ID: 34097c7851a2c112d7e3e9b965ad52d47397180b9aa68c4ab9adb6cbce09fc3a
Opcode Fuzzy Hash: eaefe38700dea64172a30051a10e55a487822181055063bbb51e2642d874e9cd
Instruction Fuzzy Hash: 50F0FFB2A4024CABDB61DFE4CC49FEE777CBF04705F008508FB5ADA180DA7896088B61

Function 009C98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 009C98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 009C990F

Strings

aut, xrefs: 009C9909

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d2fa203af8901b02265df7b3d4788611d08de86ea42c1366c8e685cf133d63e4
Instruction ID: 4819b7a62da04a4e3f9509ca2f756ae8b4a0514855262d445f2b4bf6aa8606f6
Opcode Fuzzy Hash: d2fa203af8901b02265df7b3d4788611d08de86ea42c1366c8e685cf133d63e4
Instruction Fuzzy Hash: 84D05E7954430DBBDB509BA4DC8EFDA773CE704700F0006B2BBA4991A1EAB099989B91

Function 009DCADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57df3e1dea5bad9edcb627be748eaa055a27f7a579cd58e46361c220220c8087
Instruction ID: 2e470ce58795e57e5e05a031a997c60158b4699da274946f4c1a2331c7c9523b
Opcode Fuzzy Hash: 57df3e1dea5bad9edcb627be748eaa055a27f7a579cd58e46361c220220c8087
Instruction Fuzzy Hash: 64F116B16083019FCB14DF28C480A6ABBE5FF88314F54892EF8999B351D734E945CF82

Function 0096F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00980162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00980193
Part of subcall function 00980162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0098019B
Part of subcall function 00980162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009801A6
Part of subcall function 00980162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009801B1
Part of subcall function 00980162: MapVirtualKeyW.USER32(00000011,00000000), ref: 009801B9
Part of subcall function 00980162: MapVirtualKeyW.USER32(00000012,00000000), ref: 009801C1

Part of subcall function 009760F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0096F930), ref: 00976154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0096F9CD
OleInitialize.OLE32(00000000), ref: 0096FA4A
CloseHandle.KERNEL32(00000000), ref: 009A45C8

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: baa37ddde1b7866f2739fb64c8f85233a37f83d72388f3a2138d91fe5ad1ad67
Instruction ID: 92f519c16737fd8f8db88eb30a7815c65c7d0e4f6f6069ffc3497a6ed3483cf9
Opcode Fuzzy Hash: baa37ddde1b7866f2739fb64c8f85233a37f83d72388f3a2138d91fe5ad1ad67
Instruction Fuzzy Hash: 0B81BAB0D15A40CFC3A4EFBDE964639BBE6FB98316790853AD019CB261EB7045878F11

Function 0096434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00964370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00964415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00964432

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 352492462721a1648abb3b2eebb6b1e2874df59cb26792e065e99d6b8dd31192
Instruction ID: 415c3a29741e1f29786d40778aad4d79be055de4ac3f31cf2f3eed5861f4e183
Opcode Fuzzy Hash: 352492462721a1648abb3b2eebb6b1e2874df59cb26792e065e99d6b8dd31192
Instruction Fuzzy Hash: 4B318170904701CFC721DFB4D885AABBBF8FB59309F00093EE59A86291E771A945CB52

Function 0098571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00985733

Part of subcall function 0098A16B: __NMSG_WRITE.LIBCMT ref: 0098A192
Part of subcall function 0098A16B: __NMSG_WRITE.LIBCMT ref: 0098A19C

__NMSG_WRITE.LIBCMT ref: 0098573A

Part of subcall function 0098A1C8: GetModuleFileNameW.KERNEL32(00000000,00A233BA,00000104,?,00000001,00000000), ref: 0098A25A
Part of subcall function 0098A1C8: ___crtMessageBoxW.LIBCMT ref: 0098A308

Part of subcall function 0098309F: ___crtCorExitProcess.LIBCMT ref: 009830A5
Part of subcall function 0098309F: ExitProcess.KERNEL32 ref: 009830AE

Part of subcall function 00988B28: __getptd_noexit.LIBCMT ref: 00988B28

RtlAllocateHeap.NTDLL(00B70000,00000000,00000001,00000000,?,?,?,00980DD3,?), ref: 0098575F

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 3a686d4c6e8ecb1c891af771827a1b9b9a6df924b3da553c4f13168515d49143
Instruction ID: 544459f8fc159c0027a350c21315cc07b601f8377a30bff5e35e5c1d34839685
Opcode Fuzzy Hash: 3a686d4c6e8ecb1c891af771827a1b9b9a6df924b3da553c4f13168515d49143
Instruction Fuzzy Hash: 9801D272304A01DAE6217B78EC82B2A734C8BD2761F524436F5059B381DF788C054760

Function 009C98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,009C9548,?,?,?,?,?,00000004), ref: 009C98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,009C9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 009C98D1
CloseHandle.KERNEL32(00000000,?,009C9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009C98D8

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: ac5e5df9270e2d262af0cf73bca9bde53f41d7bbe1b0528dc257b142c9df9b01
Instruction ID: 143b910a5b79dc46315caef4a8c03e5128359710b9752a4dc81870e53c93935d
Opcode Fuzzy Hash: ac5e5df9270e2d262af0cf73bca9bde53f41d7bbe1b0528dc257b142c9df9b01
Instruction Fuzzy Hash: 85E08632144218BBE7211B54EC49FCA7B19AB06761F108121FB146D0E087B16911A799

Function 009C8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009C8D1B

Part of subcall function 00982D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00989A24), ref: 00982D69
Part of subcall function 00982D55: GetLastError.KERNEL32(00000000,?,00989A24), ref: 00982D7B

_free.LIBCMT ref: 009C8D2C
_free.LIBCMT ref: 009C8D3E

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
Instruction ID: 620ce6f2f17a5371a01916e4fb6e6f18b16c6a82a1423a6f600555d8fd160925
Opcode Fuzzy Hash: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
Instruction Fuzzy Hash: E6E017B1A01A0146CB24B6B8AA40F9327EC4FDC352B14091EB40ED72C6CE64FC828338

Function 0096A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0099FC01

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 6aac4e46a9f78931c265da3cd583afe104b1171a5cc963631b7f40c22755d902
Instruction ID: 79013fae1a0d738368fbae861147dda60f67a6cf0ccec0c1c5f533cc16662240
Opcode Fuzzy Hash: 6aac4e46a9f78931c265da3cd583afe104b1171a5cc963631b7f40c22755d902
Instruction Fuzzy Hash: 5B223770508201DFCB24DF28C494B6ABBE5BF85314F15896DE89A9B362D735EC85CF82

Function 00964C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00964CBA

Strings

EA06, xrefs: 0099D8CC

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: c63bf5deeb99ff5b710a983feb132320914a972302d5ba829f3829e3f659c16b
Instruction ID: 00949bed9c2130a7e2d0fb0e5f67527cadfbc3e85023011bfb9fd840ef041c12
Opcode Fuzzy Hash: c63bf5deeb99ff5b710a983feb132320914a972302d5ba829f3829e3f659c16b
Instruction Fuzzy Hash: F8416F31E041585BDF229BE4CC717BF7FA6DB86300F684875ED869B2C2D6246D4493A1

Function 009647D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00964834

Part of subcall function 0098336C: __lock.LIBCMT ref: 00983372
Part of subcall function 0098336C: DecodePointer.KERNEL32(00000001,?,00964849,009B7C74), ref: 0098337E
Part of subcall function 0098336C: EncodePointer.KERNEL32(?,?,00964849,009B7C74), ref: 00983389

Part of subcall function 009648FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00964915
Part of subcall function 009648FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0096492A

Part of subcall function 00963B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00963B68
Part of subcall function 00963B3A: IsDebuggerPresent.KERNEL32 ref: 00963B7A
Part of subcall function 00963B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00A252F8,00A252E0,?,?), ref: 00963BEB
Part of subcall function 00963B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00963C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00964874

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: f6f254b695bf4a60d4be06069ccadb0843297063b17253822eb5952ffdf0e327
Instruction ID: b1a26e5a7d9a8bf20f0e58775761837c91b783751e8d24357c668c309a46cb6b
Opcode Fuzzy Hash: f6f254b695bf4a60d4be06069ccadb0843297063b17253822eb5952ffdf0e327
Instruction Fuzzy Hash: B8118EB1908341DBD710EFB8DC45A6ABBE8FBC4750F10852EF080872B1DB709A46CB91

Function 00965C99 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00965821,?,?,?,?), ref: 00965CC7
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00965821,?,?,?,?), ref: 0099DD73

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d83beaf9a73a02e8fbd09a210165671639620fd846c2c86808566d4cded74719
Instruction ID: 98a4cb28f8e5f45a547ac07733fbcdda50c7090c3c22762d33ff64da5952c5bd
Opcode Fuzzy Hash: d83beaf9a73a02e8fbd09a210165671639620fd846c2c86808566d4cded74719
Instruction Fuzzy Hash: 93019270244748BEF7200E28CC8AF763BDCAB01769F10C319BAE59A1E0C6B91C44DB50

Function 00980DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0098571C: __FF_MSGBANNER.LIBCMT ref: 00985733
Part of subcall function 0098571C: __NMSG_WRITE.LIBCMT ref: 0098573A
Part of subcall function 0098571C: RtlAllocateHeap.NTDLL(00B70000,00000000,00000001,00000000,?,?,?,00980DD3,?), ref: 0098575F

std::exception::exception.LIBCMT ref: 00980DEC
__CxxThrowException@8.LIBCMT ref: 00980E01

Part of subcall function 0098859B: RaiseException.KERNEL32(?,?,?,00A19E78,00000000,?,?,?,?,00980E06,?,00A19E78,?,00000001), ref: 009885F0

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 246d669ae50da9c91a7de9eceb3069ceab9c6659239910b28734fe51d23029bb
Instruction ID: cef6e89062cc2cc883b4a0f4742d9b5cdeed78b9a41cdeedf599c965721b8c22
Opcode Fuzzy Hash: 246d669ae50da9c91a7de9eceb3069ceab9c6659239910b28734fe51d23029bb
Instruction Fuzzy Hash: 4FF0813150431E66CB20BBA4EC11BEF7BAC9F81351F504866FD08963D1DF719A8483E1

Function 009855FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0098562C
__lock_file.LIBCMT ref: 0098564D

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 21609f1f6f389df9c2010ed2d2b7aaa9660fd3fc507ebb08ec3e7aa0b6bd64de
Instruction ID: 9210eb6c7bb133db0b7a17a1a8866f6359375efb038821c95ba02e1428d3a5f3
Opcode Fuzzy Hash: 21609f1f6f389df9c2010ed2d2b7aaa9660fd3fc507ebb08ec3e7aa0b6bd64de
Instruction Fuzzy Hash: B701F771800608EBCF12BF649C0269F7B61AFD0321F814115F8245B391EB318A55DF91

Function 009853A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00988B28: __getptd_noexit.LIBCMT ref: 00988B28

__lock_file.LIBCMT ref: 009853EB

Part of subcall function 00986C11: __lock.LIBCMT ref: 00986C34

__fclose_nolock.LIBCMT ref: 009853F6

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 9690b4467aa6f7dbc9915920f4456ce31a9f9f8739b4977f83207eb98d3add86
Instruction ID: cec21e1b4925c30db59120ca4d5fd7f1f2471b9ac44994f3f47f40140f1ec6f1
Opcode Fuzzy Hash: 9690b4467aa6f7dbc9915920f4456ce31a9f9f8739b4977f83207eb98d3add86
Instruction Fuzzy Hash: 67F0BB31801A04DAD7117F7598017AE77E06F81375F628509E464AB3C1CFFC8A455B61

Function 0096F290 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31bfc86c9c4b453cdcd2285e7452ca91641e00c529f68f6b58046da1f2c7c0b4
Instruction ID: 9bd930887fa4b29963195530ade48babcd2ad45ebfaf14e1d410225a8fb57d7b
Opcode Fuzzy Hash: 31bfc86c9c4b453cdcd2285e7452ca91641e00c529f68f6b58046da1f2c7c0b4
Instruction Fuzzy Hash: D6619B7060020A9FCB10EF64D9A1BABB7F9EF85340F14847DE9169B291DB75ED44CB90

Function 01801070 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

APIs

Part of subcall function 018008E0: GetFileAttributesW.KERNELBASE(?), ref: 018008EB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 018011DE

Memory Dump Source

Source File: 00000000.00000002.1377894723.0000000001800000.00000040.00001000.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: fdc172b7f2353eff0a180f9b1400030cf71dba8faf78fa42dae36c9dc093908f
Instruction ID: 14bc36a1156c64392f548716e1c32cf26db336084a1ab93974132e28aa709324
Opcode Fuzzy Hash: fdc172b7f2353eff0a180f9b1400030cf71dba8faf78fa42dae36c9dc093908f
Instruction Fuzzy Hash: 2F617E31A1020D97EF14EFA4DD44BEE737AEF58300F004569A60DE72D0EA799B44CBA6

Function 00971FC3 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b3c1de13d204271c607f75d8f96ccfaf72ef4c0fa3f2641c89e24a7d60b6a3
Instruction ID: 8ac34ec43530b426db20ae904fa59f97a60d9515f26579c06c147e2d6a40ad50
Opcode Fuzzy Hash: d6b3c1de13d204271c607f75d8f96ccfaf72ef4c0fa3f2641c89e24a7d60b6a3
Instruction Fuzzy Hash: F7518131700604AFCF14EF68C995FAE77AAAF85310F158568F80AAB392DB34ED04CB51

Function 00965AEE Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00965B96

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 000719a8f83bc86decf476ce4b327eb8173f90f86cc43f0a5e937732c03d89db
Instruction ID: 8ebf6dd2142a0f78113c4e97d4e70467e0e7b36c3e2602bb5f96375bfb784caa
Opcode Fuzzy Hash: 000719a8f83bc86decf476ce4b327eb8173f90f86cc43f0a5e937732c03d89db
Instruction Fuzzy Hash: D7315E31A00A0AAFCB18DF6CC880AADF7B5FF84310F168629E81597750D770BD90CB90

Function 0099FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0099FCB7

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 23c6d622076d51a8e173dbc6e59dbe0f335ed64730bd4e5e865e58675901b951
Instruction ID: 4ba0f5d0b57382c691f7ce2ee038ca6eab7e696d5db19734ae16bd7d35043e38
Opcode Fuzzy Hash: 23c6d622076d51a8e173dbc6e59dbe0f335ed64730bd4e5e865e58675901b951
Instruction Fuzzy Hash: FB4107745043519FDB24DF18C454B1ABBE4BF85318F0988ACE89A9B362D736EC45CF52

Function 00963F74 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00963FFE

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: b223278cb97d8cb36e693666b4a86f388a5e7ad69bd04d37c3f04951bea9b181
Instruction ID: 82d42c90acd6abbc0ef2f70113eba16d01841f55f88d3ad09bd735864cb6d835
Opcode Fuzzy Hash: b223278cb97d8cb36e693666b4a86f388a5e7ad69bd04d37c3f04951bea9b181
Instruction Fuzzy Hash: EF116A71A047019FE728EF55D451E22B7F5EB89320B14C86EE95A8B7A1EB30E840CB40

Function 00964DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00964BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00964BEF

Part of subcall function 0098525B: __wfsopen.LIBCMT ref: 00985266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00A252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00964E0F

Part of subcall function 00964B6A: FreeLibrary.KERNEL32(00000000), ref: 00964BA4

Part of subcall function 00964C70: _memmove.LIBCMT ref: 00964CBA

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: c57b936740d0e0425f3658416c05c00e758247d8c8f239bf39efea46b18df25c
Instruction ID: d94c004ee58e19bfd29b8e973b7bb27931e4d8eda9e114d12bff0e95ddbf049a
Opcode Fuzzy Hash: c57b936740d0e0425f3658416c05c00e758247d8c8f239bf39efea46b18df25c
Instruction Fuzzy Hash: 0611E331640205ABCF11BFB4C856FAD77A8AFC4750F108829F555AB181DE769A009B91

Function 00967F77 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00967FA9

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: fdb0e0314ed337e6590991c5702af19e072fe914db7a2e7f9c3fd495e1dacd79
Instruction ID: a99f427d132502ebd81158f3a712ad8ce204858223ec174d78dae88e37ebfe45
Opcode Fuzzy Hash: fdb0e0314ed337e6590991c5702af19e072fe914db7a2e7f9c3fd495e1dacd79
Instruction Fuzzy Hash: 01111C75604605DFC764DF68D481A16F7E9FF89314B20882EE88ECB761DB32E841CB50

Function 0099FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0099FD91

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 69527fac61a5b7edfbb208ac599d8cde26d355bb55471ea5f605f0730ca26028
Instruction ID: 894204b4195101cd490ae61e8b67370a99ac281e495eabd2f9e0b827bc303694
Opcode Fuzzy Hash: 69527fac61a5b7edfbb208ac599d8cde26d355bb55471ea5f605f0730ca26028
Instruction Fuzzy Hash: 4A21F374908341DFCB14DF64C454B1ABBE5BF89314F058968F88A97762D735E809CF92

Function 0096774D Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00967789

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 730e1fc6960c8a9b499141b10db0b85b2c4131eb6f870ca6ded7d7284a446503
Instruction ID: c5ce293d19102085e36cbbcdbe61626ee55c078c952d5c8ceeca6b3607f04fdd
Opcode Fuzzy Hash: 730e1fc6960c8a9b499141b10db0b85b2c4131eb6f870ca6ded7d7284a446503
Instruction Fuzzy Hash: DE11C2322096156FD714ABACD881E7AF39DEF893247144A2AFD19C72D1DB31A8108B90

Function 00965BC0 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,009656A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00965C16

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 73acd3944016cc696b98ba7a06e62de10e6618e23365f2174757c45863b5e15d
Instruction ID: 4180c312161ceae15c51e916b34af8d12fbdd046a81e0490a1b0a2cf3f7a5fde
Opcode Fuzzy Hash: 73acd3944016cc696b98ba7a06e62de10e6618e23365f2174757c45863b5e15d
Instruction Fuzzy Hash: FE113A31204B059FE320CF19C880B66B7E8EF44760F11C92EE99A86A51D7B5E844CB60

Function 00984863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 009848A6

Part of subcall function 00988B28: __getptd_noexit.LIBCMT ref: 00988B28

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: ad22e2368fac8aa2015e7593ccbacdf3c07e4c54a4a4051ad3c8a0546878e980
Instruction ID: fd10b0f4031f18a70766c1ad70cfa23d711934ff38e7beac3faba4f0d973f409
Opcode Fuzzy Hash: ad22e2368fac8aa2015e7593ccbacdf3c07e4c54a4a4051ad3c8a0546878e980
Instruction Fuzzy Hash: B5F0AF3190060AABDF11BFA4CC067AF3AA5AF80325F558414F5249A392CB788951DF61

Function 00964E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00A252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00964E7E

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d96dafa1d7273522f14e950b38731e0855dfb64321e58e13ab37e7e95b431be9
Instruction ID: 0c5fb38a60d339d5182d1065ecc8ea757d186b54d57213abe4b9170e9945163b
Opcode Fuzzy Hash: d96dafa1d7273522f14e950b38731e0855dfb64321e58e13ab37e7e95b431be9
Instruction Fuzzy Hash: BEF03971505B11CFCB369FA4E494812BBF5BF543293208A3EE1D686620C7339844DF40

Function 00980791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009807B0

Part of subcall function 00967BCC: _memmove.LIBCMT ref: 00967C06

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 1581357a0b2a46dc3bc7e7f6d7d98e3c9a5e73a039a812880b8ac3e0ddb377eb
Instruction ID: 9d28f68a675e7efb2f10ff1d62d68a0ce91bcb65a551ebac3adcde79e7043f6b
Opcode Fuzzy Hash: 1581357a0b2a46dc3bc7e7f6d7d98e3c9a5e73a039a812880b8ac3e0ddb377eb
Instruction Fuzzy Hash: 8EE0863690412857C72096A89C05FEAB79DDBC87A0F0441B6FD08D7244D9609C808690

Function 009C8E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 009C8EC1

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 22d1954c34438d7a1b5b5d741992c668db1a0dfdc4f7e3f2ac58925d33f6c25c
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 0FE092B0504B005BDB389A24D800BA373E5AB05304F00081DF2AA83241EB62B845C759

Function 018008E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 018008EB

Memory Dump Source

Source File: 00000000.00000002.1377894723.0000000001800000.00000040.00001000.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 1aa0027ac70b4b5dd6bd2c36e2f46a65b931c122fdc5882c8a71844248ce0ab4
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 73E08C71A0520CEFEBA1CBBCCC08BB977A8EB04360F204754F91AC32C0D6308B409654

Function 00965C4E Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0099DD42,?,?,00000000), ref: 00965C5F

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e333a1ea0bae96ba64603e5e0a7563877942f91c1d1cdc1937c3ca309299fe3e
Instruction ID: 9aef84ee6088187db43c86a62f22e7c0db4218694dfc6b35c37266d4273bd1b0
Opcode Fuzzy Hash: e333a1ea0bae96ba64603e5e0a7563877942f91c1d1cdc1937c3ca309299fe3e
Instruction Fuzzy Hash: 2AD0C77465420CBFE710DB80DC46FA9777CD745711F100195FD0456690D6B27E509795

Function 018008B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 018008BB

Memory Dump Source

Source File: 00000000.00000002.1377894723.0000000001800000.00000040.00001000.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 6cfedd33831eb21f11e6eeb7171b884f77159d24a19427bfb54f51c7057bf2b9
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 5DD0A93090620CEBCB60CFB89C08BDA73A8EB08360F008765FD15D32C1D6329B409BA0

Function 0098525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00985266

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: b57d00a8094c5e9e351b25ee02b9992408a9af52284231acb531b92142820eb4
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: E2B0927644020C77CE012A82EC02B493B199B81764F408020FB1C18272AA73A6689A89

Function 009A1DE4 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 009A1DF0

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: 9a5c156c45d8b799924ba1558faec9e4638453b395b2aeb7ecd9f9fa5c738f4a
Instruction ID: 7fbe1593b9545e4ae367a75ae264940726956f12d3adda4c64bd937fc7a94145
Opcode Fuzzy Hash: 9a5c156c45d8b799924ba1558faec9e4638453b395b2aeb7ecd9f9fa5c738f4a
Instruction Fuzzy Hash: 8EC0487186401A9BDB2AAB58CDE5BA8727CAB41701F0040A6B206962949AB01B88DF21

Function 009CD07B Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 009CD1FF

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 78e0e68dacba34a3a5f3d2c00dc2679bd20b85ac45d3bb1e4ad4255928269fda
Instruction ID: 1d9fa4046c18930feca9fc9af9dda7c631da39fc2e6f8af218aa3e52d8bc38dd
Opcode Fuzzy Hash: 78e0e68dacba34a3a5f3d2c00dc2679bd20b85ac45d3bb1e4ad4255928269fda
Instruction Fuzzy Hash: 90715C306093018FCB04EF64C4A1F6AB7E4AFD9354F44492DF8969B3A2DB30E909CB52

Function 00980C08 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00980CB7

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 632604e290e5abbc67e78baae8b2c8d22ae3cff7421c2066c5c850bde74c9a53
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: EF31D370A001059FC798EF58C494A69FBAAFF99300B6487A5E88ACB351D735EDC5DBC0

Function 018022DC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 018022F1

Memory Dump Source

Source File: 00000000.00000002.1377894723.0000000001800000.00000040.00001000.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 78593d625e77280a5ef81a079895bf5e1c856c417b984310080d87451594c4ed
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: A1E09A7494010DAFDB00EFA4DA4969E7BB4EF04311F1006A1FD05D6691DA709A549A62

Function 018022E0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 018022F1

Memory Dump Source

Source File: 00000000.00000002.1377894723.0000000001800000.00000040.00001000.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: a3bf6124971e6cd3db27463999e37fed3d0409dd6fc8ce0b123f186db8757557
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 54E0BF7494010D9FDB00EFA4DA4969E7BB4EF04301F100661FD01D2281D6709A509A62

Non-executed Functions

Function 009ECABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 009ECB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009ECB95
GetWindowLongW.USER32(?,000000F0), ref: 009ECBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009ECC00
SendMessageW.USER32 ref: 009ECC29
_wcsncpy.LIBCMT ref: 009ECC95
GetKeyState.USER32(00000011), ref: 009ECCB6
GetKeyState.USER32(00000009), ref: 009ECCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009ECCD9
GetKeyState.USER32(00000010), ref: 009ECCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009ECD0C
SendMessageW.USER32 ref: 009ECD33
SendMessageW.USER32(?,00001030,?,009EB348), ref: 009ECE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 009ECE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 009ECE60
SetCapture.USER32(?), ref: 009ECE69
ClientToScreen.USER32(?,?), ref: 009ECECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009ECEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009ECEF5
ReleaseCapture.USER32 ref: 009ECF00
GetCursorPos.USER32(?), ref: 009ECF3A
ScreenToClient.USER32(?,?), ref: 009ECF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 009ECFA3
SendMessageW.USER32 ref: 009ECFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 009ED00E
SendMessageW.USER32 ref: 009ED03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 009ED05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 009ED06D
GetCursorPos.USER32(?), ref: 009ED08D
ScreenToClient.USER32(?,?), ref: 009ED09A
GetParent.USER32(?), ref: 009ED0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 009ED123
SendMessageW.USER32 ref: 009ED154
ClientToScreen.USER32(?,?), ref: 009ED1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 009ED1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 009ED20C
SendMessageW.USER32 ref: 009ED22F
ClientToScreen.USER32(?,?), ref: 009ED281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 009ED2B5

Part of subcall function 009625DB: GetWindowLongW.USER32(?,000000EB), ref: 009625EC

GetWindowLongW.USER32(?,000000F0), ref: 009ED351

Strings

@GUI_DRAGID, xrefs: 009ECE9C
F, xrefs: 009ED235

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: f7385c1778b7234791d501ad81667ed204e80dca751d78cead429c2e690fd6a1
Instruction ID: f414afac9f3a10191a45f76cd0db1c9586298fcdda22b730cdd17e323c7fc01c
Opcode Fuzzy Hash: f7385c1778b7234791d501ad81667ed204e80dca751d78cead429c2e690fd6a1
Instruction Fuzzy Hash: 2C42BF745082C1AFD726CF29D884AAABBE9FF48710F180929F595CB2B0C731DD42EB51

Function 00976F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009771C3
_memset.LIBCMT ref: 00977539
_memmove.LIBCMT ref: 009776AC

Strings

DEFINE, xrefs: 009B2103
[:<:]], xrefs: 00977479
\b(?<=\w), xrefs: 009B3773
\b(?=\w), xrefs: 009B3769
Q\E, xrefs: 00977FCB
[:>:]], xrefs: 00977492

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 364c58ca8b61b82783e9850f60aa283a377299b7d5737b3ce274c673a2e4afec
Instruction ID: ee4f3265bb6d84d17f5888dc3cf02ba9ae56c0944530bc6ee5b3e784701bc060
Opcode Fuzzy Hash: 364c58ca8b61b82783e9850f60aa283a377299b7d5737b3ce274c673a2e4afec
Instruction Fuzzy Hash: 5493B371E04219DFDB24CF98C981BEDB7B5FF48320F24856AE959AB281E7749D81CB40

Function 009648D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 009648DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0099D665
IsIconic.USER32(?), ref: 0099D66E
ShowWindow.USER32(?,00000009), ref: 0099D67B
SetForegroundWindow.USER32(?), ref: 0099D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0099D69B
GetCurrentThreadId.KERNEL32 ref: 0099D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0099D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0099D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0099D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0099D6CF
SetForegroundWindow.USER32(?), ref: 0099D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0099D6E7
keybd_event.USER32(00000012,00000000), ref: 0099D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0099D6FC
keybd_event.USER32(00000012,00000000), ref: 0099D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0099D70A
keybd_event.USER32(00000012,00000000), ref: 0099D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0099D719
keybd_event.USER32(00000012,00000000), ref: 0099D71E
SetForegroundWindow.USER32(?), ref: 0099D721
AttachThreadInput.USER32(?,?,00000000), ref: 0099D748

Strings

Shell_TrayWnd, xrefs: 0099D660

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 0c253af1810b28bfb22f998e649385bc58e65941fadf551c9acfba3bd9ab738d
Instruction ID: 910203fa5fd84ce8260be9631d2205d955ac5749ed7f2ed178a68a753b8c5408
Opcode Fuzzy Hash: 0c253af1810b28bfb22f998e649385bc58e65941fadf551c9acfba3bd9ab738d
Instruction Fuzzy Hash: 52317071A55358BBEF206BA59CC9F7F7E6CEB44B50F104026FA04EA1D1CAB15D40BAA0

Function 009B8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 009B87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009B882B
Part of subcall function 009B87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009B8858
Part of subcall function 009B87E1: GetLastError.KERNEL32 ref: 009B8865

_memset.LIBCMT ref: 009B8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009B83A5
CloseHandle.KERNEL32(?), ref: 009B83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009B83CD
GetProcessWindowStation.USER32 ref: 009B83E6
SetProcessWindowStation.USER32(00000000), ref: 009B83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 009B840A

Part of subcall function 009B81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009B8309), ref: 009B81E0
Part of subcall function 009B81CB: CloseHandle.KERNEL32(?,?,009B8309), ref: 009B81F2

Strings

default, xrefs: 009B8405
winsta0, xrefs: 009B83C8
, xrefs: 009B8362

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: a66978cc00e9d4201ca4bfabc487e0489ebc194aa6b489daa6a011e5f8617850
Instruction ID: a1d9a3aaa47fa9f427de1ce3f6c8bbc33c87ef9560127a659b0b64895f955003
Opcode Fuzzy Hash: a66978cc00e9d4201ca4bfabc487e0489ebc194aa6b489daa6a011e5f8617850
Instruction Fuzzy Hash: CA817C71904249AFDF219FA4CE85AEF7BBDFF08314F14416AF810A6261DB718E54DB20

Function 009CC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009CC78D
FindClose.KERNEL32(00000000), ref: 009CC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009CC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009CC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 009CC844
__swprintf.LIBCMT ref: 009CC890
__swprintf.LIBCMT ref: 009CC8D3

Part of subcall function 00967DE1: _memmove.LIBCMT ref: 00967E22

__swprintf.LIBCMT ref: 009CC927

Part of subcall function 00983698: __woutput_l.LIBCMT ref: 009836F1

__swprintf.LIBCMT ref: 009CC975

Part of subcall function 00983698: __flsbuf.LIBCMT ref: 00983713
Part of subcall function 00983698: __flsbuf.LIBCMT ref: 0098372B

__swprintf.LIBCMT ref: 009CC9C4
__swprintf.LIBCMT ref: 009CCA13
__swprintf.LIBCMT ref: 009CCA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 009CC88A
%4d, xrefs: 009CC8CD
%02d, xrefs: 009CC91B, 009CC925, 009CC973, 009CC9C2, 009CCA11, 009CCA60

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: f6ed419d9f48ddf148d5d96946d0fb7cd6a5060f9f1e1eabf4a04926f61ba215
Instruction ID: ca9e779039e367b58ad20cb8ecdbf29b10364915c10be87d25cd379e9f7e8a0d
Opcode Fuzzy Hash: f6ed419d9f48ddf148d5d96946d0fb7cd6a5060f9f1e1eabf4a04926f61ba215
Instruction Fuzzy Hash: FFA10BB1408344ABC710EFA4C996EAFB7ECFFD4704F40491EF59586291EA35DA08CB62

Function 009CEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 009CEFB6
_wcscmp.LIBCMT ref: 009CEFCB
_wcscmp.LIBCMT ref: 009CEFE2
GetFileAttributesW.KERNEL32(?), ref: 009CEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 009CF00E
FindNextFileW.KERNEL32(00000000,?), ref: 009CF026
FindClose.KERNEL32(00000000), ref: 009CF031
FindFirstFileW.KERNEL32(*.*,?), ref: 009CF04D
_wcscmp.LIBCMT ref: 009CF074
_wcscmp.LIBCMT ref: 009CF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 009CF09D
SetCurrentDirectoryW.KERNEL32(00A18920), ref: 009CF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 009CF0C5
FindClose.KERNEL32(00000000), ref: 009CF0D2
FindClose.KERNEL32(00000000), ref: 009CF0E4

Strings

*.*, xrefs: 009CF048

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: b43205eabe9d38b8dcbc1a0cd50a4d81e61b8fd7f482f839839cebeb5c21ed00
Instruction ID: bcd967f90a5274b35b76e06bd48edb5642b29069c9a4667f365bb16e46ff4643
Opcode Fuzzy Hash: b43205eabe9d38b8dcbc1a0cd50a4d81e61b8fd7f482f839839cebeb5c21ed00
Instruction Fuzzy Hash: 9B31F4329042487ADB14EBA0DCA8FEE77ADAF48760F10417AE804D3191DB70DE84DA52

Function 009E0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,009EF910,00000000,?,00000000,?,?), ref: 009E09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 009E0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 009E0A92
RegCloseKey.ADVAPI32(?), ref: 009E0DB2
RegCloseKey.ADVAPI32(00000000), ref: 009E0DBF

Strings

REG_BINARY, xrefs: 009E0D4D
REG_MULTI_SZ, xrefs: 009E0B7A
REG_DWORD, xrefs: 009E0C83
REG_EXPAND_SZ, xrefs: 009E0A2F
REG_SZ, xrefs: 009E0AD0
REG_QWORD, xrefs: 009E0D00

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 78d7ea8835599fe2f24e015961dfc3942f7636b0cf22733dd90ad9e824732be0
Instruction ID: e9a9efcd747274aaffdfe7e6444048234a588151cf8c3851a35b33933720a6cc
Opcode Fuzzy Hash: 78d7ea8835599fe2f24e015961dfc3942f7636b0cf22733dd90ad9e824732be0
Instruction Fuzzy Hash: 810237756006419FCB15EF65C891E2AB7E9FF89324F04885DF8999B3A2CB70EC45CB81

Function 009CF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 009CF113
_wcscmp.LIBCMT ref: 009CF128
_wcscmp.LIBCMT ref: 009CF13F

Part of subcall function 009C4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009C43A0

FindNextFileW.KERNEL32(00000000,?), ref: 009CF16E
FindClose.KERNEL32(00000000), ref: 009CF179
FindFirstFileW.KERNEL32(*.*,?), ref: 009CF195
_wcscmp.LIBCMT ref: 009CF1BC
_wcscmp.LIBCMT ref: 009CF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 009CF1E5
SetCurrentDirectoryW.KERNEL32(00A18920), ref: 009CF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 009CF20D
FindClose.KERNEL32(00000000), ref: 009CF21A
FindClose.KERNEL32(00000000), ref: 009CF22C

Strings

*.*, xrefs: 009CF190

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: aac32a2e85836cc6bdb85c9b2163da5a5beda4eb36d62007b387446658263541
Instruction ID: 84eb7fd161d45dcdf0fede1c1feca043a3b75bd5ce5855e97109c969207b1ab6
Opcode Fuzzy Hash: aac32a2e85836cc6bdb85c9b2163da5a5beda4eb36d62007b387446658263541
Instruction Fuzzy Hash: CE310736904259BACF10AB60EC68FEE77AE9F85360F14417AF814E3190DB30DE45DB55

Function 009CA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009CA20F
__swprintf.LIBCMT ref: 009CA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 009CA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 009CA293
_memset.LIBCMT ref: 009CA2B2
_wcsncpy.LIBCMT ref: 009CA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 009CA323
CloseHandle.KERNEL32(00000000), ref: 009CA32E
RemoveDirectoryW.KERNEL32(?), ref: 009CA337
CloseHandle.KERNEL32(00000000), ref: 009CA341

Strings

:, xrefs: 009CA252
\??\%s, xrefs: 009CA22B
\, xrefs: 009CA247

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 8631eee3cfb01434e877fa1a70d3db051ce2519b9e2d67e4b164b6909bc64ea1
Instruction ID: 579c52ad56552b0a12c7c1c53f5950fd35835249ead1209230fee9bd9622a2df
Opcode Fuzzy Hash: 8631eee3cfb01434e877fa1a70d3db051ce2519b9e2d67e4b164b6909bc64ea1
Instruction Fuzzy Hash: BC31E67290415AABDB21DFA0DC99FEB37BCEF88744F1040BAF608D6160E7709A448B25

Function 009B7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009B821E
Part of subcall function 009B8202: GetLastError.KERNEL32(?,009B7CE2,?,?,?), ref: 009B8228
Part of subcall function 009B8202: GetProcessHeap.KERNEL32(00000008,?,?,009B7CE2,?,?,?), ref: 009B8237
Part of subcall function 009B8202: HeapAlloc.KERNEL32(00000000,?,009B7CE2,?,?,?), ref: 009B823E
Part of subcall function 009B8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009B8255

Part of subcall function 009B829F: GetProcessHeap.KERNEL32(00000008,009B7CF8,00000000,00000000,?,009B7CF8,?), ref: 009B82AB
Part of subcall function 009B829F: HeapAlloc.KERNEL32(00000000,?,009B7CF8,?), ref: 009B82B2
Part of subcall function 009B829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,009B7CF8,?), ref: 009B82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009B7D13
_memset.LIBCMT ref: 009B7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009B7D47
GetLengthSid.ADVAPI32(?), ref: 009B7D58
GetAce.ADVAPI32(?,00000000,?), ref: 009B7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009B7DB1
GetLengthSid.ADVAPI32(?), ref: 009B7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 009B7DDD
HeapAlloc.KERNEL32(00000000), ref: 009B7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009B7E05
CopySid.ADVAPI32(00000000), ref: 009B7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009B7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009B7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009B7E77

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 79ed16644807b60a7153557d9c5f2b3c805290d25ec540105b12bb2b6dc690bf
Instruction ID: fac0dfa646b6615ea11a599642c7c1991f01b419e251a220946e912bd4f6d9d1
Opcode Fuzzy Hash: 79ed16644807b60a7153557d9c5f2b3c805290d25ec540105b12bb2b6dc690bf
Instruction Fuzzy Hash: CA614D71904109AFDF00DFA4DD85AEEBB79FF84310F04826AF915AA2A1DB31DE05DB60

Function 009766E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

LIMIT_MATCH=, xrefs: 009B1170
LIMIT_RECURSION=, xrefs: 009B11FC
BSR_UNICODE), xrefs: 009B1338
UTF16), xrefs: 009B10CF
UTF), xrefs: 009B10FA
ANY), xrefs: 009B12DE
NO_AUTO_POSSESS), xrefs: 009B112E
BSR_ANYCRLF), xrefs: 009B131E
NO_START_OPT), xrefs: 009B114F
LF), xrefs: 009B12A4
ANYCRLF), xrefs: 009B12FB
UCP), xrefs: 009B110D
CRLF), xrefs: 009B12C1
CR), xrefs: 009B1287

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 7805da71c9bbe7f7e2f6dc6adf6f95082aa0313269de1050d6f2ef856f70cf6e
Instruction ID: f4f314eb047d4857fa3240ad2c8a70a1803ff6bfb4c50530e1c8e6a9e9ae5987
Opcode Fuzzy Hash: 7805da71c9bbe7f7e2f6dc6adf6f95082aa0313269de1050d6f2ef856f70cf6e
Instruction Fuzzy Hash: 11729072E00619CBDB24CF59C9907EEB7B5FF44720F54816AE949EB290E7349E81CB90

Function 009C001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009C0097
SetKeyboardState.USER32(?), ref: 009C0102
GetAsyncKeyState.USER32(000000A0), ref: 009C0122
GetKeyState.USER32(000000A0), ref: 009C0139
GetAsyncKeyState.USER32(000000A1), ref: 009C0168
GetKeyState.USER32(000000A1), ref: 009C0179
GetAsyncKeyState.USER32(00000011), ref: 009C01A5
GetKeyState.USER32(00000011), ref: 009C01B3
GetAsyncKeyState.USER32(00000012), ref: 009C01DC
GetKeyState.USER32(00000012), ref: 009C01EA
GetAsyncKeyState.USER32(0000005B), ref: 009C0213
GetKeyState.USER32(0000005B), ref: 009C0221

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c32f7c61aa766c2008ff07c73d82a1ea341a5e0a11955970a87150e7d9cd1bb7
Instruction ID: 8cb09840fa26d3088ab54ce0ddeef6840e96b2cff26143e1956502231dab896e
Opcode Fuzzy Hash: c32f7c61aa766c2008ff07c73d82a1ea341a5e0a11955970a87150e7d9cd1bb7
Instruction Fuzzy Hash: 7751DB20D087C899FB35DBA08855FAABFB89F81380F08459E95C1561C3DA649B8CC763

Function 009E03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009E0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DFDAD,?,?), ref: 009E0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E04AC

Part of subcall function 00969837: __itow.LIBCMT ref: 00969862
Part of subcall function 00969837: __swprintf.LIBCMT ref: 009698AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009E054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009E05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 009E0822
RegCloseKey.ADVAPI32(00000000), ref: 009E082F

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 1874a1c53f260cc6683d5033b28c4477f5c584b4e79e62f83df49120916574e7
Instruction ID: a076793afc7b50fa8977c9dac56318eb175867ccb432d1d59b7060c2b1a57228
Opcode Fuzzy Hash: 1874a1c53f260cc6683d5033b28c4477f5c584b4e79e62f83df49120916574e7
Instruction Fuzzy Hash: 17E16E71204240AFCB15DF65C891E2ABBE8EFC9714F04896DF449DB261DB71ED41CB92

Function 009D4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 009D418B
EmptyClipboard.USER32 ref: 009D4191
GlobalAlloc.KERNEL32(00000002,?), ref: 009D41A6
CloseClipboard.USER32 ref: 009D4245

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f65847da79136fd9e7dcfd1a5733c86e9b9fa069e3e5a7a0f2c9ce6f7b83feab
Instruction ID: a9ac1efed8d373c182fbbabcf5b2a764f964353013c2f4eca971dadf5cae9135
Opcode Fuzzy Hash: f65847da79136fd9e7dcfd1a5733c86e9b9fa069e3e5a7a0f2c9ce6f7b83feab
Instruction Fuzzy Hash: 8D21BF752442149FDB10AF64DC59B697BA8FF54710F00802BF9469B3A1CB34AD01DB84

Function 009C37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00964750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00964743,?,?,009637AE,?), ref: 00964770

Part of subcall function 009C4A31: GetFileAttributesW.KERNEL32(?,009C370B), ref: 009C4A32

FindFirstFileW.KERNEL32(?,?), ref: 009C38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 009C394B
MoveFileW.KERNEL32(?,?), ref: 009C395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 009C397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 009C399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 009C39B9

Strings

\*.*, xrefs: 009C384E, 009C3857, 009C386C

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 52c20f495b9012af46b2ee7ad9346cdd452999cd7245b2eb382bc6f56c0c90a8
Instruction ID: 34bb6d67b01277ebf1bcd9b4fa929323559c9e684ccd1b9d8025a7c75787fc24
Opcode Fuzzy Hash: 52c20f495b9012af46b2ee7ad9346cdd452999cd7245b2eb382bc6f56c0c90a8
Instruction Fuzzy Hash: 41517C31C0514CAACF05EBA0DAA2EEDB778AF55304F60816DE44676191EF316F09CB62

Function 009CF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00967DE1: _memmove.LIBCMT ref: 00967E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 009CF440
Sleep.KERNEL32(0000000A), ref: 009CF470
_wcscmp.LIBCMT ref: 009CF484
_wcscmp.LIBCMT ref: 009CF49F
FindNextFileW.KERNEL32(?,?), ref: 009CF53D
FindClose.KERNEL32(00000000), ref: 009CF553

Strings

*.*, xrefs: 009CF425

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: b3f03322a96e94924ea7d675befd62b4c4833b10eabd89a41c4bc89d66278742
Instruction ID: 8dfbf02edc9230486ebb025845c5dcd49ada6484afc1a901bd915f5ebd72d27c
Opcode Fuzzy Hash: b3f03322a96e94924ea7d675befd62b4c4833b10eabd89a41c4bc89d66278742
Instruction Fuzzy Hash: C7417C71C04249ABCF14DF64CC69BEEBBB9FF44310F10446AF815A6290DB309E48CB51

Function 00975760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009758A5
_memmove.LIBCMT ref: 009758F5
_memmove.LIBCMT ref: 0097595B

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 599d8c492512fddd1101f288c771a2f4497290e798dbe9f0fd4f9a4723370a2d
Instruction ID: 827796a1267c8bbe9e68c12e405d5d1ed49438d9285326bc56ed593b03b0d2a5
Opcode Fuzzy Hash: 599d8c492512fddd1101f288c771a2f4497290e798dbe9f0fd4f9a4723370a2d
Instruction Fuzzy Hash: 4712AB71A00609DFDF04DFA5DA81AEEB3F5FF88310F108629E44AA7290EB75A915CB51

Function 009C3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00964750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00964743,?,?,009637AE,?), ref: 00964770

Part of subcall function 009C4A31: GetFileAttributesW.KERNEL32(?,009C370B), ref: 009C4A32

FindFirstFileW.KERNEL32(?,?), ref: 009C3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 009C3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 009C3BEA
FindClose.KERNEL32(00000000), ref: 009C3C01
FindClose.KERNEL32(00000000), ref: 009C3C0A

Strings

\*.*, xrefs: 009C3B5B

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: f74d4ba54bc99ec9cf8d224f4a918aec24cac375d9439ed3bc757452e44c909f
Instruction ID: b5176537f1c7fa85769d8297a72319ed8382618d4adc4f25f92522271fed37b8
Opcode Fuzzy Hash: f74d4ba54bc99ec9cf8d224f4a918aec24cac375d9439ed3bc757452e44c909f
Instruction Fuzzy Hash: 9E31703140C385ABC301EF64D891EAFB7A8AE95304F408D2EF4E596191EB25DE08DB53

Function 009C51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009B87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009B882B
Part of subcall function 009B87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009B8858
Part of subcall function 009B87E1: GetLastError.KERNEL32 ref: 009B8865

ExitWindowsEx.USER32(?,00000000), ref: 009C51F9

Strings

@, xrefs: 009C51EC
SeShutdownPrivilege, xrefs: 009C51C9
, xrefs: 009C51E7

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 90eef85bf7d84ed6d0d0fc9ebeec2c1fa6bc760ee70db4ba947549d14a001bd6
Instruction ID: a3be207e308d7f4768ef577bbd796d6e1fbd9dbeaacfe37fc4768d88266cc0af
Opcode Fuzzy Hash: 90eef85bf7d84ed6d0d0fc9ebeec2c1fa6bc760ee70db4ba947549d14a001bd6
Instruction Fuzzy Hash: 92014C31EA56012BF72812689C9AFB772DC9748360F110829F923D60C2D9503C808592

Function 009D6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009D62DC
WSAGetLastError.WSOCK32(00000000), ref: 009D62EB
bind.WSOCK32(00000000,?,00000010), ref: 009D6307
listen.WSOCK32(00000000,00000005), ref: 009D6316
WSAGetLastError.WSOCK32(00000000), ref: 009D6330
closesocket.WSOCK32(00000000,00000000), ref: 009D6344

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 0a478a6f52f591460209817d191642910f3d356fa2c07f3c07969ae598fac26c
Instruction ID: c935a730f906385321a8428429b26929a31c388e93a370fdf4d406f385304baa
Opcode Fuzzy Hash: 0a478a6f52f591460209817d191642910f3d356fa2c07f3c07969ae598fac26c
Instruction Fuzzy Hash: AC21BF716002049FCB10EF64C985B6EB7ADEF88720F14816AF916AB3D1CB70AD01DB51

Function 00975520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00980DB6: std::exception::exception.LIBCMT ref: 00980DEC
Part of subcall function 00980DB6: __CxxThrowException@8.LIBCMT ref: 00980E01

_memmove.LIBCMT ref: 009B0258
_memmove.LIBCMT ref: 009B036D
_memmove.LIBCMT ref: 009B0414

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: d0e834f5bfccc1e2261e5761a5370d0d641c65368db693037277594689305c44
Instruction ID: 885973d349b2e81d137d086b5b2a715d4bccce1e0a36dfb922c3207252083efd
Opcode Fuzzy Hash: d0e834f5bfccc1e2261e5761a5370d0d641c65368db693037277594689305c44
Instruction Fuzzy Hash: 0902CFB1A00209DBCF04DFA4D981AAEBBF5EF84310F15C469E80ADB395EB35D954CB91

Function 00961287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

DefDlgProcW.USER32(?,?,?,?,?), ref: 009619FA
GetSysColor.USER32(0000000F), ref: 00961A4E
SetBkColor.GDI32(?,00000000), ref: 00961A61

Part of subcall function 00961290: DefDlgProcW.USER32(?,00000020,?), ref: 009612D8

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 69f77bbf4bfd672bbeff6ae6a28fc64a57831de9b49f0399f99d01accce738f3
Instruction ID: 8b5d8cd23c0030d0234eb8bf9d4124fa7f818755510cf536ac2d699b8c212105
Opcode Fuzzy Hash: 69f77bbf4bfd672bbeff6ae6a28fc64a57831de9b49f0399f99d01accce738f3
Instruction Fuzzy Hash: E2A17E71116584BEEB38AB7DAD44F7F359CEF8238AB1C091AF402D51A2CB2D9D02D271

Function 009CBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009CBCE6
_wcscmp.LIBCMT ref: 009CBD16
_wcscmp.LIBCMT ref: 009CBD2B
FindNextFileW.KERNEL32(00000000,?), ref: 009CBD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 009CBD6C

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 9ac80ea7c13bffc0985e1889292a381b23c9462344c35d6534cfa91a288ba6f2
Instruction ID: 9ba9e8dad40a1fcddbae78c6469ec78e0b477aab9b9d8449735ad114bdbbba3f
Opcode Fuzzy Hash: 9ac80ea7c13bffc0985e1889292a381b23c9462344c35d6534cfa91a288ba6f2
Instruction Fuzzy Hash: 8D518EB5A046029FC714DF68D4A1F9AB3E8EF89324F10451DF95A8B3A1DB34ED04CB92

Function 009D6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009D7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009D7DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 009D679E
WSAGetLastError.WSOCK32(00000000), ref: 009D67C7
bind.WSOCK32(00000000,?,00000010), ref: 009D6800
WSAGetLastError.WSOCK32(00000000), ref: 009D680D
closesocket.WSOCK32(00000000,00000000), ref: 009D6821

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 62e9293782ec33e1c13408d0e5de6a8c73f36ed558b93b9ddfbf0502a20b30c4
Instruction ID: 6c5f9cd16dfbc2c044a3ffdd20c275cd786049ed04be3475567a76f889570c4b
Opcode Fuzzy Hash: 62e9293782ec33e1c13408d0e5de6a8c73f36ed558b93b9ddfbf0502a20b30c4
Instruction Fuzzy Hash: 0741F475A40210AFEB10BF648C96F7E77E8DF89714F048559F91AAB3C2CA70AD008791

Function 009E5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 009E53C5
IsWindowEnabled.USER32 ref: 009E53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 009E53E0
IsIconic.USER32 ref: 009E53EE
IsZoomed.USER32 ref: 009E53FC

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a21d6f2ed90829f6d1748f0a63ad04514c46b691547e43311868960c76577d00
Instruction ID: cc44a3a7a9d58e6cabcc1d77044d7b2c1055a975d319048d6a32d8395eb30542
Opcode Fuzzy Hash: a21d6f2ed90829f6d1748f0a63ad04514c46b691547e43311868960c76577d00
Instruction Fuzzy Hash: C5110431300990AFDB226F279C84B6E7B9CFF847A5B028429F805D7241DBB0DC018AA0

Function 009B80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009B80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009B80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009B80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009B80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009B80F6

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7c02b9a4878ec4bfae375fd9c294b62438bad7edf04e0a2a633536fa6542f1be
Instruction ID: 6a20acabee1a2bee3b744a1fcb1c36d76aa4300b1dbd5b79a37008256ecc1f23
Opcode Fuzzy Hash: 7c02b9a4878ec4bfae375fd9c294b62438bad7edf04e0a2a633536fa6542f1be
Instruction Fuzzy Hash: 2BF0683126D244AFDB104F65DCDDEA73BACEF89B65B000026F545C6150CB619D41EA60

Function 009CC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009CC432
CoCreateInstance.OLE32(009F2D6C,00000000,00000001,009F2BDC,?), ref: 009CC44A

Part of subcall function 00967DE1: _memmove.LIBCMT ref: 00967E22

CoUninitialize.OLE32 ref: 009CC6B7

Strings

.lnk, xrefs: 009CC3C6, 009CC3EE, 009CC3F8

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 2775dc21808afa8d698652ee956294440029c1ef9a2c621962107571f015e104
Instruction ID: b3332bb04d7348a9898531fbf80f9d943ca9a4363598ea0224b7e7713fe7f928
Opcode Fuzzy Hash: 2775dc21808afa8d698652ee956294440029c1ef9a2c621962107571f015e104
Instruction Fuzzy Hash: A8A13AB1108205AFD700EF54C891EABB7ECEFD5358F40491DF1959B1A2DB71EA09CB52

Function 00964B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00964AD0), ref: 00964B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00964B57

Strings

GetNativeSystemInfo, xrefs: 00964B51
kernel32.dll, xrefs: 00964B40

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: d62426d845ef7b9d9ed5d76e3352f0f71e5b30115b431d504606bc383fce8e56
Instruction ID: 03b21938de429e2f6443bfa2427ca3e248eadc6550f52b9eb9553a0effd5e1ac
Opcode Fuzzy Hash: d62426d845ef7b9d9ed5d76e3352f0f71e5b30115b431d504606bc383fce8e56
Instruction Fuzzy Hash: A8D0C730A24717CFC7208F72E878B0A72E8AF82380B14C83F948ACA150E670EC80CA14

Function 00973030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 0bab5afceae0aca938b556ca34dd7cf952f21a9a4bf5c44641ae0fab634a367e
Instruction ID: 846245b12cb720bcc4e310f454b65dabbcf8c8a4fc40df9079adef209651187f
Opcode Fuzzy Hash: 0bab5afceae0aca938b556ca34dd7cf952f21a9a4bf5c44641ae0fab634a367e
Instruction Fuzzy Hash: 5922AE726083019FC724DF24C891BAFB7E8AFC5714F14891DF89A97291DB75E904CB92

Function 009DEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009DEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 009DEE4B

Part of subcall function 00967DE1: _memmove.LIBCMT ref: 00967E22

Process32NextW.KERNEL32(00000000,?), ref: 009DEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 009DEF1A

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 302db2929fbcbe0aee2eb9369a7f71978cb0e0deae4105595fd4825ec21cd4d5
Instruction ID: c33bbfb2d2d5f33c3d2875abd1e9f169ef06024df4044f243f8dbe7248876cce
Opcode Fuzzy Hash: 302db2929fbcbe0aee2eb9369a7f71978cb0e0deae4105595fd4825ec21cd4d5
Instruction Fuzzy Hash: D4516C71508311AFD310EF24D892F6BB7E8EFD4750F50492DF5959B2A1EB70A908CB92

Function 009BE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009BE628

Strings

(, xrefs: 009BE66E
|, xrefs: 009BE658

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 2b4e9ee12298787d55892580f872c1a231737d83511355d7a3833f7876b0fc45
Instruction ID: 5975ab97caf0dd8df0d3617a7903f0a760a38cd94474e66fae81b3cf3ec44007
Opcode Fuzzy Hash: 2b4e9ee12298787d55892580f872c1a231737d83511355d7a3833f7876b0fc45
Instruction Fuzzy Hash: 3B322575A00705DFDB28CF19C581AAAB7F4FF48320B15C56EE89ADB3A1DB70A941CB44

Function 009D22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009D180A,00000000), ref: 009D23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 009D2418

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 60c6cad7bd034652ada7da3cb4093708c6403516033f3e90c4802f5d68846a6e
Instruction ID: 8d1655d27d732ed635af443ba640fbf30f4a9871dba95fe9fe571a532dc96d80
Opcode Fuzzy Hash: 60c6cad7bd034652ada7da3cb4093708c6403516033f3e90c4802f5d68846a6e
Instruction Fuzzy Hash: 2341F371944209BFEB20DF95DC81FBBB7ACEB90714F10802BFA01A7350EA759E419660

Function 009CB3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009CB40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 009CB465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 009CB4B2

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 361f2cc15dfad8d862d644103965cebac9d54ba64c90059f295352a9c2af2a0b
Instruction ID: abf47ea9834a89bed2686f0bb7f6cf4b5155e82bdbff0b8c48a7e4a0d6e0a515
Opcode Fuzzy Hash: 361f2cc15dfad8d862d644103965cebac9d54ba64c90059f295352a9c2af2a0b
Instruction Fuzzy Hash: 76216075A00508EFCB00EFA5D891FEDBBB8FF89310F1480AAE905AB361CB319915CB51

Function 009B87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00980DB6: std::exception::exception.LIBCMT ref: 00980DEC
Part of subcall function 00980DB6: __CxxThrowException@8.LIBCMT ref: 00980E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009B882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009B8858
GetLastError.KERNEL32 ref: 009B8865

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 77dfbac67134577594ace04cabb18d4730db6bbdb1bebbdf301588a7f79bfc15
Instruction ID: 4a47612dde8fa559179f42138c2ceb9f78a1a0ded80b40fc7983fe7561e58efb
Opcode Fuzzy Hash: 77dfbac67134577594ace04cabb18d4730db6bbdb1bebbdf301588a7f79bfc15
Instruction Fuzzy Hash: D3116DB2414305AFE718EFA4DD85D6BB7BDEB88721B20852EF45597251EA30AC44CB60

Function 009B874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 009B8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009B878B
FreeSid.ADVAPI32(?), ref: 009B879B

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a00ca5f2068f7a644b2f4bc46b22b49b23eaf811c60ae8576667ec3fbf94944b
Instruction ID: 463b8008b29d6da2dfeb2c9ad26e791eeec7a1c5b110870cbf7d64f96e6ca534
Opcode Fuzzy Hash: a00ca5f2068f7a644b2f4bc46b22b49b23eaf811c60ae8576667ec3fbf94944b
Instruction Fuzzy Hash: B5F04975A1130CBFDF00DFF4DD99AAEBBBCEF08311F1044A9A901E6181E671AA049B50

Function 009CC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009CC6FB
FindClose.KERNEL32(00000000), ref: 009CC72B

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 951f0617845691b1af3a14b8baa51960b1bbf90f5635a1f757a7de13af779ea6
Instruction ID: 5ba39780672e5f551b8e470344e520f717c4deb0c6a3b09e97a2b13c39d7bd89
Opcode Fuzzy Hash: 951f0617845691b1af3a14b8baa51960b1bbf90f5635a1f757a7de13af779ea6
Instruction Fuzzy Hash: 4A11A1726002009FDB10DF29C885A2AF7E8FF85320F00851EF9A9CB291DB30AC05CF81

Function 009CA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,009D9468,?,009EFB84,?), ref: 009CA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,009D9468,?,009EFB84,?), ref: 009CA0A9

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1d790724a1b081afa9af005ad12a600967cfe33f992e802f18ccbb7ba5991365
Instruction ID: 8999d895bde3c381e4bf40dc73a87dd61f640589b4e47145912011d03abef939
Opcode Fuzzy Hash: 1d790724a1b081afa9af005ad12a600967cfe33f992e802f18ccbb7ba5991365
Instruction Fuzzy Hash: 77F0823551522DBBDB219FA4DC88FEA776CFF093A1F00416AF919D6181D6309E40CBA2

Function 009B81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009B8309), ref: 009B81E0
CloseHandle.KERNEL32(?,?,009B8309), ref: 009B81F2

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: fe0427997c77265396512d9351acd608c15ff3ff8fe424490d87cdc90796c981
Instruction ID: 585546979474b9113dcebf5cd30f0c9422aff3aa719944ccd5d7d35bb46cf127
Opcode Fuzzy Hash: fe0427997c77265396512d9351acd608c15ff3ff8fe424490d87cdc90796c981
Instruction Fuzzy Hash: 59E08631015510AFE7212B20EC04E7377EDEF44311710882DF45584471CB219C90DB10

Function 0098A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00988D57,?,?,?,00000001), ref: 0098A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0098A163

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1f23e07f061ec9f75a214494c522f286d81390d761a4b28c8da7c5f1d7d91d18
Instruction ID: b375820613e388b1bcc7d30d6db36706ca7af97ae1e3b1b473cd6f834c42af6a
Opcode Fuzzy Hash: 1f23e07f061ec9f75a214494c522f286d81390d761a4b28c8da7c5f1d7d91d18
Instruction Fuzzy Hash: F3B09231068248ABCA002B91EC59B883F68EB44BE2F405022F60D88464CB625950AA91

Function 0098F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7007007886ee81422a9fd413cd21b3b009ccf8e2dd96114c1cea29e0f7e8c159
Instruction ID: 8732306235d6e6b990b99cbdd5f560f6a63ecd3d902021a4f934ddf9d51815a2
Opcode Fuzzy Hash: 7007007886ee81422a9fd413cd21b3b009ccf8e2dd96114c1cea29e0f7e8c159
Instruction Fuzzy Hash: 4D32F521D2DF414DD723A634D832336A24DAFB73D5F15D737E82AB5AA5EB29C4839200

Function 0099242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1837621fa6e9ded62f19e19a7c950c60271d9c3c607ead3761c5bac646a495
Instruction ID: 1087722769ee1dbc5827054adaf9802f2570ea1a0a1f2bf8e3b1e8f595be62b6
Opcode Fuzzy Hash: 2f1837621fa6e9ded62f19e19a7c950c60271d9c3c607ead3761c5bac646a495
Instruction Fuzzy Hash: 3DB1EE60E3AF414DD72396398831336BA5CAFBB2D5F52D71BFC2A74D22EB2185839141

Function 009C8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 009C889B

Part of subcall function 0098520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009C8F6E,00000000,?,?,?,?,009C911F,00000000,?), ref: 00985213
Part of subcall function 0098520A: __aulldiv.LIBCMT ref: 00985233

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 4fccfb693fd42fd2519dd788156bb5884c57997bba49fa890bae4a5ddead6627
Instruction ID: 79c8c6d7a03384d67b408e0adc19d509482309cc5704211e6e6b453c13bfb59f
Opcode Fuzzy Hash: 4fccfb693fd42fd2519dd788156bb5884c57997bba49fa890bae4a5ddead6627
Instruction Fuzzy Hash: A921B432A355108BC729CF69D841B62B3E5EFA5311B698E6CD0F5CB2C0CA34B906CB54

Function 009C4C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 009C4C4A

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 7a8a77d971e716c8abc13280a074e5a14ec2f66556efee71f22b5aa63427c780
Instruction ID: 4405ff118a1c6c1a4e24345cafd4a308af2a15edd6ae0791029d3566748088fb
Opcode Fuzzy Hash: 7a8a77d971e716c8abc13280a074e5a14ec2f66556efee71f22b5aa63427c780
Instruction Fuzzy Hash: 49D05E91BE520938ED1C07209E3FFFA010CE344782FD0A54D71818A0E1EC84DC406433

Function 009B87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,009B8389), ref: 009B87D1

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: fb761865c63eb4cd9929f60b77a9fd73f89dea5a171697e43538f8f1b80b63bb
Instruction ID: 99532635f30f66b7f70e186f5228f6bb9e0f91bbfdd4c2a6d441914d6dcd0281
Opcode Fuzzy Hash: fb761865c63eb4cd9929f60b77a9fd73f89dea5a171697e43538f8f1b80b63bb
Instruction Fuzzy Hash: F9D05E3226450EABEF018EA4DC01EAE3B69EB04B01F408111FE15C50A1C775D835AB60

Function 0098A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0098A12A

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 03a75d729792e32bee31cfa5527d2266c1aa359e4542042e4313e409861cb6b5
Instruction ID: c8dd1e3677460e740a3d9b70be39f0783b1f066ef2bea4c5bbbfc2e740a5aa7c
Opcode Fuzzy Hash: 03a75d729792e32bee31cfa5527d2266c1aa359e4542042e4313e409861cb6b5
Instruction Fuzzy Hash: 9FA0123001410CA78A001B41EC044447F5CD6002D07004021F40C44021873258105580

Function 00978808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fabb77a40139383482d3485bef9704303fae93aae2628087eeb9a86ccd69e692
Instruction ID: 3ced09198fdbc6ace9e22b2e4fb344552fcc3516f1c933980b6e5b9ef74cbb71
Opcode Fuzzy Hash: fabb77a40139383482d3485bef9704303fae93aae2628087eeb9a86ccd69e692
Instruction Fuzzy Hash: 57227832948506CBDF3CCA68C1983BE77A9FF41354F29C82AD65A87592DB74DC81CB41

Function 009821C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 20cdaf9448c49f7d9f5c999a0164c55e9f9892b47a11dfe270cfbce117d1dbc7
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: CDC1A8322051930ADF2D6739C43413EFBA95EA27B131A4B6ED4B3DB2D4EE24C965D720

Function 009825FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 5cbf1bb85e6821cfbb1cb99fa07bdad11d83f8b9dcce962887489910f00f97fa
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: EBC196322051930ADF2D673AC43413EBBA95FA27B131A476ED4B3DB2D4EE24D925D720

Function 00981978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 41ce7c2f093c309678a24e26bd1c796b8c3466b7be0bdd67d103372e883df8b9
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: E3C1833220519309DF6D6739C47413EBBAD5EA27B131A4B6ED4B3CB2D4EE20C966D720

Function 01803680 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377894723.0000000001800000.00000040.00001000.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 599b99bd34e2fdc5e7e236d48089856461c9b9c5db5cd9f3a4d5c64a175d94a8
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 9741C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB80

Function 01803510 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377894723.0000000001800000.00000040.00001000.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 845c86230d8a8b6908d7f653632d9aa9472302f4770419cdddffee5bd35a3792
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: A8018078A00109EFCB85DF98C5909AEF7B5FB48310F208599EC19A7351D731AE41DB80

Function 01803570 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377894723.0000000001800000.00000040.00001000.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 31cec55cf89f988e8efbe8ebeaceaa0faf6fa45a2347d9e0d104f66db5363cb8
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: E7019278A11109EFCB85DF98C5909AEF7B5FB48310F208599ED09E7341D731AE41DB80

Function 01801EB0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377894723.0000000001800000.00000040.00001000.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 009D7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009D785B
DeleteObject.GDI32(00000000), ref: 009D786D
DestroyWindow.USER32 ref: 009D787B
GetDesktopWindow.USER32 ref: 009D7895
GetWindowRect.USER32(00000000), ref: 009D789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 009D79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 009D79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7A35
GetClientRect.USER32(00000000,?), ref: 009D7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 009D7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7ABB
GlobalLock.KERNEL32(00000000), ref: 009D7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7AD3
GlobalUnlock.KERNEL32(00000000), ref: 009D7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7AE3
GlobalFree.KERNEL32(00000000), ref: 009D7AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,009F2CAC,00000000), ref: 009D7B16
GlobalFree.KERNEL32(00000000), ref: 009D7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 009D7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 009D7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7D7A

Strings

AutoIt v3, xrefs: 009D7A2D
static, xrefs: 009D7A75, 009D7BCC
, xrefs: 009D7D00
DISPLAY, xrefs: 009D7BDD

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: bf8869526528cc97b1e43bb58d8edf9f5fa8ed48f2ffedfc67ab8d6ba11fb441
Instruction ID: 1c333a832a3f146b75bbe21b22d4e9ac8ea0a0ac2f3911ed4b7528f6a4ab2601
Opcode Fuzzy Hash: bf8869526528cc97b1e43bb58d8edf9f5fa8ed48f2ffedfc67ab8d6ba11fb441
Instruction Fuzzy Hash: E0026C71914119EFDB14DFA8CC99EAEBBB9FB48310F10816AF915AB3A1D7309D01DB60

Function 009E356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,009EF910), ref: 009E3627
IsWindowVisible.USER32(?), ref: 009E364B

Strings

SHOWDROPDOWN, xrefs: 009E36E0
ADDSTRING, xrefs: 009E3716
DELSTRING, xrefs: 009E3749
GETSELECTED, xrefs: 009E38A3
ISVISIBLE, xrefs: 009E3637
HIDEDROPDOWN, xrefs: 009E3700
SETCURRENTSELECTION, xrefs: 009E37B6
GETCURRENTCOL, xrefs: 009E3928
ISCHECKED, xrefs: 009E3839
CHECK, xrefs: 009E386D
ISENABLED, xrefs: 009E366B
SENDCOMMANDID, xrefs: 009E39DA
GETLINECOUNT, xrefs: 009E38C6
EDITPASTE, xrefs: 009E395F
TABRIGHT, xrefs: 009E369D
FINDSTRING, xrefs: 009E3776
UNCHECK, xrefs: 009E3883
GETCURRENTLINE, xrefs: 009E38ED
GETLINE, xrefs: 009E399B
SELECTSTRING, xrefs: 009E3806
TABLEFT, xrefs: 009E3687
GETCURRENTSELECTION, xrefs: 009E37E3
CURRENTTAB, xrefs: 009E36BD

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: ac288130402cfa31cfee3b05a3dd1336466d33016b7430b26924764579cb4923
Instruction ID: 497c357d21de5b72126d2c8158155506d0757404dadf01c0acdbd9418da472b9
Opcode Fuzzy Hash: ac288130402cfa31cfee3b05a3dd1336466d33016b7430b26924764579cb4923
Instruction Fuzzy Hash: DBD1A4742043419BCB05EF11C55ABAE7BE9AFD4354F158868F8855B3A3CB31EE4ACB41

Function 009EA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 009EA630
GetSysColorBrush.USER32(0000000F), ref: 009EA661
GetSysColor.USER32(0000000F), ref: 009EA66D
SetBkColor.GDI32(?,000000FF), ref: 009EA687
SelectObject.GDI32(?,00000000), ref: 009EA696
InflateRect.USER32(?,000000FF,000000FF), ref: 009EA6C1
GetSysColor.USER32(00000010), ref: 009EA6C9
CreateSolidBrush.GDI32(00000000), ref: 009EA6D0
FrameRect.USER32(?,?,00000000), ref: 009EA6DF
DeleteObject.GDI32(00000000), ref: 009EA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 009EA731
FillRect.USER32(?,?,00000000), ref: 009EA763
GetWindowLongW.USER32(?,000000F0), ref: 009EA78E

Part of subcall function 009EA8CA: GetSysColor.USER32(00000012), ref: 009EA903
Part of subcall function 009EA8CA: SetTextColor.GDI32(?,?), ref: 009EA907
Part of subcall function 009EA8CA: GetSysColorBrush.USER32(0000000F), ref: 009EA91D
Part of subcall function 009EA8CA: GetSysColor.USER32(0000000F), ref: 009EA928
Part of subcall function 009EA8CA: GetSysColor.USER32(00000011), ref: 009EA945
Part of subcall function 009EA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 009EA953
Part of subcall function 009EA8CA: SelectObject.GDI32(?,00000000), ref: 009EA964
Part of subcall function 009EA8CA: SetBkColor.GDI32(?,00000000), ref: 009EA96D
Part of subcall function 009EA8CA: SelectObject.GDI32(?,?), ref: 009EA97A
Part of subcall function 009EA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 009EA999
Part of subcall function 009EA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009EA9B0
Part of subcall function 009EA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 009EA9C5
Part of subcall function 009EA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009EA9ED

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: d030b07bc4be3276776186f70021ec886d85d41c66204c2305f7b616e519f765
Instruction ID: 04779fb725a552987adb5f55a6c5385b85e93fe0f4f34e1daf533ca6df8de546
Opcode Fuzzy Hash: d030b07bc4be3276776186f70021ec886d85d41c66204c2305f7b616e519f765
Instruction Fuzzy Hash: 0B919F71408385FFDB119F64DC48A6B7BB9FF89321F100A2AF5629A1A1CB31ED44DB52

Function 00962C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00962CA2
DeleteObject.GDI32(00000000), ref: 00962CE8
DeleteObject.GDI32(00000000), ref: 00962CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00962CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00962D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0099C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0099C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0099C89D

Part of subcall function 00961B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00962036,?,00000000,?,?,?,?,009616CB,00000000,?), ref: 00961B9A

SendMessageW.USER32(?,00001053), ref: 0099C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0099C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0099C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0099C912

Strings

0, xrefs: 0099C731

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 1d4935ee6357d4246be280cc970954db742d73e726d0ea3c653298ff8497e983
Instruction ID: 0b3d473a2097aa458a57202e599f9f2ea94c607d770a61bb19e72d7729b92f7a
Opcode Fuzzy Hash: 1d4935ee6357d4246be280cc970954db742d73e726d0ea3c653298ff8497e983
Instruction Fuzzy Hash: 6312AD70604641EFDF11CF28C894BA9B7E9BF49300F5445AAF899DB262CB35EC42DB91

Function 009D74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 009D74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009D759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 009D75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 009D75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 009D7633
GetClientRect.USER32(00000000,?), ref: 009D763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 009D7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009D7692
GetStockObject.GDI32(00000011), ref: 009D76A2
SelectObject.GDI32(00000000,00000000), ref: 009D76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 009D76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009D76BF
DeleteDC.GDI32(00000000), ref: 009D76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009D76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 009D770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 009D7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 009D775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 009D776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 009D779B
GetStockObject.GDI32(00000011), ref: 009D77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009D77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 009D77BB

Strings

AutoIt v3, xrefs: 009D762B
msctls_progress32, xrefs: 009D773C
static, xrefs: 009D767D, 009D7795
DISPLAY, xrefs: 009D7688

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 339dafbb998c4c53dd4bd431346466cc1185f632ddafe0369ba945e2ac691838
Instruction ID: 3ed6eb455ddc23368b0bf7c0e9a04fc9073746920ee6af968f96f55c4709fb92
Opcode Fuzzy Hash: 339dafbb998c4c53dd4bd431346466cc1185f632ddafe0369ba945e2ac691838
Instruction Fuzzy Hash: D9A17271A50619BFEB14DBA8DD4AFBEBB79EB44710F108115FA14AB2E0D770AD01CB60

Function 009CAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009CAD1E
GetDriveTypeW.KERNEL32(?,009EFAC0,?,\\.\,009EF910), ref: 009CADFB
SetErrorMode.KERNEL32(00000000,009EFAC0,?,\\.\,009EF910), ref: 009CAF59

Strings

ATA, xrefs: 009CAED4
SSA, xrefs: 009CAEE2
PhysicalDrive, xrefs: 009CADA7
SAS, xrefs: 009CAF05
RAMDisk, xrefs: 009CAE25
Fixed, xrefs: 009CAE43
SSD, xrefs: 009CAE86
Fibre, xrefs: 009CAEE9
Removable, xrefs: 009CAE4D
iSCSI, xrefs: 009CAEFE
Virtual, xrefs: 009CAF21
CDROM, xrefs: 009CAE2F
ATAPI, xrefs: 009CAECD
1394, xrefs: 009CAEDB
\\.\, xrefs: 009CAD70
MMC, xrefs: 009CAF1A
SCSI, xrefs: 009CAEC6
Unknown, xrefs: 009CAE1B, 009CAEBF
Network, xrefs: 009CAE39
RAID, xrefs: 009CAEF7
SATA, xrefs: 009CAF0C
FileBackedVirtual, xrefs: 009CAF28
USB, xrefs: 009CAEF0

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 4ff84f443d10d67524b4fab3f5dd116d83151efe65996817d882cc5da183cf45
Instruction ID: d85bdc30ed2008950dd37224c9e2f9a8eda7b0809ca979d000286a2c31d7ada6
Opcode Fuzzy Hash: 4ff84f443d10d67524b4fab3f5dd116d83151efe65996817d882cc5da183cf45
Instruction Fuzzy Hash: 565194B0E4820DEB8B10DB50C992FFD73A5FF48748760895EE407A7292DA399D41EB53

Function 009668DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00966931
__wcsnicmp.LIBCMT ref: 00966949
__wcsnicmp.LIBCMT ref: 00966961
__wcsnicmp.LIBCMT ref: 00966979
__wcsnicmp.LIBCMT ref: 00966991
__wcsnicmp.LIBCMT ref: 009669A9
__wcsnicmp.LIBCMT ref: 009669C1
__wcsnicmp.LIBCMT ref: 009669D5
__wcsnicmp.LIBCMT ref: 00966A16
__wcsnicmp.LIBCMT ref: 00966A2A
__wcsnicmp.LIBCMT ref: 00966A3E
__wcsnicmp.LIBCMT ref: 00966A52

Strings

#comments-start, xrefs: 009669BB, 00966A10
Bad directive syntax error, xrefs: 0099E31A
#OnAutoItStartRegister, xrefs: 00966973
#notrayicon, xrefs: 00966943
Unterminated group of comments, xrefs: 0099E403
#requireadmin, xrefs: 0096695B
#include-once, xrefs: 0096698B
#ce, xrefs: 00966A4C
#include, xrefs: 009669A3
#cs, xrefs: 009669CF, 00966A24
Cannot parse #include, xrefs: 0099E3F0
#comments-end, xrefs: 00966A38
#pragma compile, xrefs: 0096692B

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 60fc70abaf42fc9051f80ecdcacb7ecf0db3a9e2a3b9fb30992db07783ebde40
Instruction ID: 2a0a7f8e95682d7b75825f2c04d5ed975664be0ad478c4f281e4c49318d7d0a0
Opcode Fuzzy Hash: 60fc70abaf42fc9051f80ecdcacb7ecf0db3a9e2a3b9fb30992db07783ebde40
Instruction Fuzzy Hash: 6F81E2B0600205AADF21BF64EC53FBA776CAF95744F044025FD05AA296EB60DE45C7A1

Function 009E9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 009E9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 009E9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 009E9BA7

Strings

0, xrefs: 009E9BE4

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 0622ed78eb7dd1515aaa13d517eec21a47c9d144d72c9505157b3ff9685b6174
Instruction ID: cc69867635b54071328c356f735b15ce794483ed40e025def9f84fb862030be1
Opcode Fuzzy Hash: 0622ed78eb7dd1515aaa13d517eec21a47c9d144d72c9505157b3ff9685b6174
Instruction Fuzzy Hash: CD020230108381AFD726CF26C899BAABBE9FF49304F04892DF599D62A1C774DD44DB52

Function 009EA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 009EA903
SetTextColor.GDI32(?,?), ref: 009EA907
GetSysColorBrush.USER32(0000000F), ref: 009EA91D
GetSysColor.USER32(0000000F), ref: 009EA928
CreateSolidBrush.GDI32(?), ref: 009EA92D
GetSysColor.USER32(00000011), ref: 009EA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 009EA953
SelectObject.GDI32(?,00000000), ref: 009EA964
SetBkColor.GDI32(?,00000000), ref: 009EA96D
SelectObject.GDI32(?,?), ref: 009EA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 009EA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009EA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 009EA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009EA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 009EAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 009EAA32
DrawFocusRect.USER32(?,?), ref: 009EAA3D
GetSysColor.USER32(00000011), ref: 009EAA4B
SetTextColor.GDI32(?,00000000), ref: 009EAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 009EAA67
SelectObject.GDI32(?,009EA5FA), ref: 009EAA7E
DeleteObject.GDI32(?), ref: 009EAA89
SelectObject.GDI32(?,?), ref: 009EAA8F
DeleteObject.GDI32(?), ref: 009EAA94
SetTextColor.GDI32(?,?), ref: 009EAA9A
SetBkColor.GDI32(?,?), ref: 009EAAA4

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 6c2ec8602e8488b75f58c7ac5b11beacb33c4f48788edc291bc2b4f7e5eb2dbb
Instruction ID: 4c1446a509558955889b9dcb88e29691456ef18072c9548afc5a5c317f08398b
Opcode Fuzzy Hash: 6c2ec8602e8488b75f58c7ac5b11beacb33c4f48788edc291bc2b4f7e5eb2dbb
Instruction Fuzzy Hash: BC515D71904248FFDF119FA4DC88EAE7B79EB48320F114526F911AB2A2D7759D40DF50

Function 009E89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 009E8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E8AD2
CharNextW.USER32(0000014E), ref: 009E8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 009E8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 009E8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 009E8B86
SetWindowTextW.USER32(?,0000014E), ref: 009E8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 009E8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 009E8C1F
_memset.LIBCMT ref: 009E8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 009E8C8D
_memset.LIBCMT ref: 009E8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 009E8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 009E8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 009E8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 009E8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009E8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009E8EB4
DrawMenuBar.USER32(?), ref: 009E8EC3
SetWindowTextW.USER32(?,0000014E), ref: 009E8EEB

Strings

0, xrefs: 009E8E55

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 91000083ce96c4b5cb60159dd25d89e28a79667ff79f145037942cc6ab8263dd
Instruction ID: 367ae8a2fc5b3c0ad9a2a59177768fc285e46ba82a0c9fbb64ec8f48f49732e0
Opcode Fuzzy Hash: 91000083ce96c4b5cb60159dd25d89e28a79667ff79f145037942cc6ab8263dd
Instruction Fuzzy Hash: C6E18070904288AFDF219FA5CC84EEF7B79EF45710F108566F919AA290DB748E81DF60

Function 009E488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009E49CA
GetDesktopWindow.USER32 ref: 009E49DF
GetWindowRect.USER32(00000000), ref: 009E49E6
GetWindowLongW.USER32(?,000000F0), ref: 009E4A48
DestroyWindow.USER32(?), ref: 009E4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009E4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009E4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 009E4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 009E4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 009E4B09
IsWindowVisible.USER32(?), ref: 009E4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 009E4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 009E4B58
GetWindowRect.USER32(?,?), ref: 009E4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 009E4B96
GetMonitorInfoW.USER32(00000000,?), ref: 009E4BB0
CopyRect.USER32(?,?), ref: 009E4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 009E4C32

Strings

tooltips_class32, xrefs: 009E4A96
0, xrefs: 009E4975
(, xrefs: 009E4BA3

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 1db7b92a804d8dc2c92b6a0cb72908c2ba4a90c4768f0c962d7e9ea3492eed19
Instruction ID: b5fd6e97ce7b20403b6c4e97ad8e40c90f7f5a4e9188fa91f45757d772ca14d7
Opcode Fuzzy Hash: 1db7b92a804d8dc2c92b6a0cb72908c2ba4a90c4768f0c962d7e9ea3492eed19
Instruction Fuzzy Hash: 6CB18E71608380AFDB05DF65C888B6ABBE8FF88710F00892DF5999B2A1D775EC05CB55

Function 009C449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 009C44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 009C44D2
_wcscpy.LIBCMT ref: 009C4500
_wcscmp.LIBCMT ref: 009C450B
_wcscat.LIBCMT ref: 009C4521
_wcsstr.LIBCMT ref: 009C452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 009C4548
_wcscat.LIBCMT ref: 009C4591
_wcscat.LIBCMT ref: 009C4598
_wcsncpy.LIBCMT ref: 009C45C3

Strings

%u.%u.%u.%u, xrefs: 009C4626
\VarFileInfo\Translation, xrefs: 009C4540
StringFileInfo\, xrefs: 009C451B
DefaultLangCodepage, xrefs: 009C45AB
04090000, xrefs: 009C457E

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 94ed5823006c4b1a20f3d21a3c56ee73c9ea89acb1ebb169660a037a7b6a22cc
Instruction ID: f6f098c6d7f474804640a96b49243fff5fa6e502248d9e1a202432c23463ebb5
Opcode Fuzzy Hash: 94ed5823006c4b1a20f3d21a3c56ee73c9ea89acb1ebb169660a037a7b6a22cc
Instruction Fuzzy Hash: 6541D632A002407BDB11BB748C57FBF77ACDFC1710F04446AF905E62C2EA399A0197A6

Function 009627D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009628BC
GetSystemMetrics.USER32(00000007), ref: 009628C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009628EF
GetSystemMetrics.USER32(00000008), ref: 009628F7
GetSystemMetrics.USER32(00000004), ref: 0096291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00962939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00962949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0096297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00962990
GetClientRect.USER32(00000000,000000FF), ref: 009629AE
GetStockObject.GDI32(00000011), ref: 009629CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 009629D5

Part of subcall function 00962344: GetCursorPos.USER32(?), ref: 00962357
Part of subcall function 00962344: ScreenToClient.USER32(00A257B0,?), ref: 00962374
Part of subcall function 00962344: GetAsyncKeyState.USER32(00000001), ref: 00962399
Part of subcall function 00962344: GetAsyncKeyState.USER32(00000002), ref: 009623A7

SetTimer.USER32(00000000,00000000,00000028,00961256), ref: 009629FC

Strings

AutoIt v3 GUI, xrefs: 00962974

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 87a380ff61e8a505ad5d6ffb108ff496d91474969a7955e2273749252b1f9910
Instruction ID: 5822fe4c54870c0234c7cad5dfa57ec1e22555fe55da05992c88e25c0d8bc91f
Opcode Fuzzy Hash: 87a380ff61e8a505ad5d6ffb108ff496d91474969a7955e2273749252b1f9910
Instruction Fuzzy Hash: 9DB16E71A0064AEFDF24DFA8DC95BAD7BB4FB48310F104129FA15AB2A0DB74D841DB50

Function 009BA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 009BA47A
__swprintf.LIBCMT ref: 009BA51B
_wcscmp.LIBCMT ref: 009BA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 009BA583
_wcscmp.LIBCMT ref: 009BA5BF
GetClassNameW.USER32(?,?,00000400), ref: 009BA5F6
GetDlgCtrlID.USER32(?), ref: 009BA648
GetWindowRect.USER32(?,?), ref: 009BA67E
GetParent.USER32(?), ref: 009BA69C
ScreenToClient.USER32(00000000), ref: 009BA6A3
GetClassNameW.USER32(?,?,00000100), ref: 009BA71D
_wcscmp.LIBCMT ref: 009BA731
GetWindowTextW.USER32(?,?,00000400), ref: 009BA757
_wcscmp.LIBCMT ref: 009BA76B

Part of subcall function 0098362C: _iswctype.LIBCMT ref: 00983634

Strings

%s%u, xrefs: 009BA515

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 655878a394cb2b1b3585e7691fbf3ded21b890151719aba55e87b4f9db358acd
Instruction ID: 0ec7519df05c147ea87bf116702deb12f46274f4fefa2a361c441f8cc00239bb
Opcode Fuzzy Hash: 655878a394cb2b1b3585e7691fbf3ded21b890151719aba55e87b4f9db358acd
Instruction Fuzzy Hash: FCA1B171608206AFD714DF64C984FEAB7ECFF44764F008529F999C61A0DB30EA55CB92

Function 009BAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 009BAF18
_wcscmp.LIBCMT ref: 009BAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 009BAF51
CharUpperBuffW.USER32(?,00000000), ref: 009BAF6E
_wcscmp.LIBCMT ref: 009BAF8C
_wcsstr.LIBCMT ref: 009BAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 009BAFD5
_wcscmp.LIBCMT ref: 009BAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 009BB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 009BB055
_wcscmp.LIBCMT ref: 009BB065
GetClassNameW.USER32(00000010,?,00000400), ref: 009BB08D
GetWindowRect.USER32(00000004,?), ref: 009BB0F6

Strings

ThumbnailClass, xrefs: 009BAFE0, 009BB060
@, xrefs: 009BAEF9

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 164f403ff6209a3f03a88b34168ce9c692551813e015c7c78351824e17e9432a
Instruction ID: 9d68c9000ba3039b5ad3fbd5605f92c48f15cfda0ac4ea21c45cbcfbd83977b5
Opcode Fuzzy Hash: 164f403ff6209a3f03a88b34168ce9c692551813e015c7c78351824e17e9432a
Instruction Fuzzy Hash: 3081BF711082099FDB00DF14CA95BFA7BECEF84724F04846AFD898A095DB74DD45CB61

Function 009BABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 009BAC33

Strings

ALL, xrefs: 009BACC7
[ALL, xrefs: 009BACD9
ACTIVE, xrefs: 009BAC0E
[ACTIVE, xrefs: 009BAC20
HANDLE=, xrefs: 009BAC2C
REGEXP=, xrefs: 009BAC48
[LAST, xrefs: 009BACE0
[CLASS:, xrefs: 009BAC83
[REGEXPTITLE:, xrefs: 009BAC5B
[HANDLE:, xrefs: 009BAC3F
CLASSNAME=, xrefs: 009BAC70
LAST, xrefs: 009BABF8

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: ead1bf7abf55d698b5049ff78b2c1529c51141abbcfb6bc313c03a88e606e984
Instruction ID: f436e6e7adbbe79fcd1aea04279ae3ad0e6c6049add4ffc6d4b601aed1774183
Opcode Fuzzy Hash: ead1bf7abf55d698b5049ff78b2c1529c51141abbcfb6bc313c03a88e606e984
Instruction Fuzzy Hash: AE316231988209BBDA14FAA0DE43FEEBB78AF607A4F600919F481711D1EF616F44C652

Function 009D4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 009D5013
LoadCursorW.USER32(00000000,00007F00), ref: 009D501E
LoadCursorW.USER32(00000000,00007F03), ref: 009D5029
LoadCursorW.USER32(00000000,00007F8B), ref: 009D5034
LoadCursorW.USER32(00000000,00007F01), ref: 009D503F
LoadCursorW.USER32(00000000,00007F81), ref: 009D504A
LoadCursorW.USER32(00000000,00007F88), ref: 009D5055
LoadCursorW.USER32(00000000,00007F80), ref: 009D5060
LoadCursorW.USER32(00000000,00007F86), ref: 009D506B
LoadCursorW.USER32(00000000,00007F83), ref: 009D5076
LoadCursorW.USER32(00000000,00007F85), ref: 009D5081
LoadCursorW.USER32(00000000,00007F82), ref: 009D508C
LoadCursorW.USER32(00000000,00007F84), ref: 009D5097
LoadCursorW.USER32(00000000,00007F04), ref: 009D50A2
LoadCursorW.USER32(00000000,00007F02), ref: 009D50AD
LoadCursorW.USER32(00000000,00007F89), ref: 009D50B8
GetCursorInfo.USER32(?), ref: 009D50C8

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: e9afc94422f806f69b4484ff2d685f6dfa5a6f06b7c2c5264fe090647f96ac4e
Instruction ID: 51ff6206e4695001c07a85769a8a815c5c57ac6461cbdbb9ec5d5c2d3249eb02
Opcode Fuzzy Hash: e9afc94422f806f69b4484ff2d685f6dfa5a6f06b7c2c5264fe090647f96ac4e
Instruction Fuzzy Hash: 7F31B2B1D48319AADF109FB68C8996EBFECFF04750F50452BE50DE7280DA79A5048F91

Function 009EA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009EA259
DestroyWindow.USER32(?,?), ref: 009EA2D3

Part of subcall function 00967BCC: _memmove.LIBCMT ref: 00967C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 009EA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 009EA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009EA382
DestroyWindow.USER32(00000000), ref: 009EA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00960000,00000000), ref: 009EA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009EA3F4
GetDesktopWindow.USER32 ref: 009EA40D
GetWindowRect.USER32(00000000), ref: 009EA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009EA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 009EA444

Part of subcall function 009625DB: GetWindowLongW.USER32(?,000000EB), ref: 009625EC

Strings

tooltips_class32, xrefs: 009EA346, 009EA3D4
0, xrefs: 009EA26F

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: fff80f7242db7c14ae0dd895488fd9b65da234edccb939c5151afff3d009a126
Instruction ID: 85f75ae219a2c20e766637be575e73b14991b107372966f3a6c4d6941760dab1
Opcode Fuzzy Hash: fff80f7242db7c14ae0dd895488fd9b65da234edccb939c5151afff3d009a126
Instruction Fuzzy Hash: B7718A70544284AFD722CF29CC49F6A7BE9FB88704F04492DF9859B2B0D7B1AD06DB52

Function 009EC5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

DragQueryPoint.SHELL32(?,?), ref: 009EC627

Part of subcall function 009EAB37: ClientToScreen.USER32(?,?), ref: 009EAB60
Part of subcall function 009EAB37: GetWindowRect.USER32(?,?), ref: 009EABD6
Part of subcall function 009EAB37: PtInRect.USER32(?,?,009EC014), ref: 009EABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 009EC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009EC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009EC6BE
_wcscat.LIBCMT ref: 009EC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 009EC705
SendMessageW.USER32(?,000000B0,?,?), ref: 009EC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 009EC735
SendMessageW.USER32(?,000000B1,?,?), ref: 009EC757
DragFinish.SHELL32(?), ref: 009EC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 009EC851

Strings

@GUI_DRAGID, xrefs: 009EC7C9
@GUI_DRAGFILE, xrefs: 009EC800
@GUI_DROPID, xrefs: 009EC77E

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 40af80e6d17f4f108f2af72571fff8ae0203db710a4b6b45d7bb2c5ffccea4b1
Instruction ID: b190bfe292dfe165c59c2b69e30f4cd80c131a0b57fcb9a1ed31546189ffa116
Opcode Fuzzy Hash: 40af80e6d17f4f108f2af72571fff8ae0203db710a4b6b45d7bb2c5ffccea4b1
Instruction Fuzzy Hash: 6F616971508381AFC701EFA4C895EAFBBE8FFC9750F00092EF591961A1DB709A49CB52

Function 009E4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009E4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009E446F

Strings

GETITEMCOUNT, xrefs: 009E4551
EXPAND, xrefs: 009E4521
GETSELECTED, xrefs: 009E457F
COLLAPSE, xrefs: 009E44B5
UNCHECK, xrefs: 009E464B
EXISTS, xrefs: 009E44D8
GETTEXT, xrefs: 009E45C2
GETTOTALCOUNT, xrefs: 009E4456
SELECT, xrefs: 009E4620
ISCHECKED, xrefs: 009E45F2
CHECK, xrefs: 009E448F

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: a73246ba4fc6d6ed3613f5d955c98a072a6ddb318a4b93d19e40d7318b05dc17
Instruction ID: 62deb4f30f900508c8d8f09604fb1d6828a4857cfde2576ba76f95833db4cebf
Opcode Fuzzy Hash: a73246ba4fc6d6ed3613f5d955c98a072a6ddb318a4b93d19e40d7318b05dc17
Instruction Fuzzy Hash: DC9169742043419FCB05EF21C462BAEB7E5AFD5754F048868F8965B3A2DB34ED4ACB81

Function 009EB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009EB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009E91C2), ref: 009EB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009EB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009EB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009EB9C3
FreeLibrary.KERNEL32(?), ref: 009EB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009EB9DF
DestroyIcon.USER32(?,?,?,?,?,009E91C2), ref: 009EB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 009EBA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 009EBA17

Part of subcall function 00982EFD: __wcsicmp_l.LIBCMT ref: 00982F86

Strings

.dll, xrefs: 009EB86D
.exe, xrefs: 009EB84A
.icl, xrefs: 009EB82A

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 22577f1f273b544c4aa4d4706ef8b1a6ff5169e88a6e123e71257ca07bf5b402
Instruction ID: 5843a43ef366aca90d32e605dd041b15cfe04d710563a4448e6652ada1d75a80
Opcode Fuzzy Hash: 22577f1f273b544c4aa4d4706ef8b1a6ff5169e88a6e123e71257ca07bf5b402
Instruction Fuzzy Hash: 9561CD71900259BAEB15DF65CC81BBF7BACFB08710F104516FA15DA2D1DB74AE80DBA0

Function 009CDC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 009CDCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 009CDCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009CDCF8
__wsplitpath.LIBCMT ref: 009CDD56
_wcscat.LIBCMT ref: 009CDD6E
_wcscat.LIBCMT ref: 009CDD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009CDD95
SetCurrentDirectoryW.KERNEL32(?), ref: 009CDDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 009CDDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 009CDDFC
_wcscpy.LIBCMT ref: 009CDE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009CDE47

Strings

*.*, xrefs: 009CDE02

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 7e72e0f1b9cb52123f92ccff3fd2f432b212e03af374a2dbbb3cb9701eb5541c
Instruction ID: e1d8dade63bc0a9a6a2219421fe0e0b8a1c281ed749c712e96ee90ba7981465d
Opcode Fuzzy Hash: 7e72e0f1b9cb52123f92ccff3fd2f432b212e03af374a2dbbb3cb9701eb5541c
Instruction Fuzzy Hash: 86613B729042459FCB10EF60C854EAEB3ECFF89314F04492EF99997251DB35EA45CB92

Function 009C9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 009C9C7F

Part of subcall function 00967DE1: _memmove.LIBCMT ref: 00967E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009C9CA0
__swprintf.LIBCMT ref: 009C9CF9
__swprintf.LIBCMT ref: 009C9D12
_wprintf.LIBCMT ref: 009C9DB9
_wprintf.LIBCMT ref: 009C9DD7

Strings

Error: , xrefs: 009C9D81
Incorrect parameters to object property !, xrefs: 009C9D5B
^ ERROR , xrefs: 009C9D4E
Line %d (File "%s"):, xrefs: 009C9CF3, 009C9D0C
"%s" (%d) : ==> %s:, xrefs: 009C9DD2
"%s" (%d) : ==> %s:%s%s, xrefs: 009C9DB4

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 51719ff1346bd50b2a6c555a73f94b70815d23868ef8ccee513c5561d2feb3a2
Instruction ID: 539ea742dbece936dffd0d31a599441d4668803235438d011e99de6196e84d46
Opcode Fuzzy Hash: 51719ff1346bd50b2a6c555a73f94b70815d23868ef8ccee513c5561d2feb3a2
Instruction Fuzzy Hash: 37517C32D00609BACF14EBE4DD46FEEB778AF54304F500469B509721A2EB352F99DB61

Function 009CA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00969837: __itow.LIBCMT ref: 00969862
Part of subcall function 00969837: __swprintf.LIBCMT ref: 009698AC

CharLowerBuffW.USER32(?,?), ref: 009CA3CB
GetDriveTypeW.KERNEL32 ref: 009CA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009CA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009CA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009CA4C5

Part of subcall function 00967BCC: _memmove.LIBCMT ref: 00967C06

Strings

close, xrefs: 009CA3D1
wait, xrefs: 009CA482
set cd door , xrefs: 009CA466
open , xrefs: 009CA427
close cd wait, xrefs: 009CA4B0
closed, xrefs: 009CA3DF, 009CA3E8
type cdaudio alias cd wait, xrefs: 009CA443
open, xrefs: 009CA3F2

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 6b19f7bd1c692e08ac42d7082f4cb94ad9344aec428ac36e051fd392564a4e31
Instruction ID: 26b89ada1fb461fffae622b0c51105e460b1d4a3256cb9681b85d1c121fc94dd
Opcode Fuzzy Hash: 6b19f7bd1c692e08ac42d7082f4cb94ad9344aec428ac36e051fd392564a4e31
Instruction Fuzzy Hash: 75515D755083059FC704EF20C891E6AB7E8FF98758F10896DF89A572A1DB31ED0ACB52

Function 009BF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0099E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 009BF8DF
LoadStringW.USER32(00000000,?,0099E029,00000001), ref: 009BF8E8

Part of subcall function 00967DE1: _memmove.LIBCMT ref: 00967E22

GetModuleHandleW.KERNEL32(00000000,00A25310,?,00000FFF,?,?,0099E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 009BF90A
LoadStringW.USER32(00000000,?,0099E029,00000001), ref: 009BF90D
__swprintf.LIBCMT ref: 009BF95D
__swprintf.LIBCMT ref: 009BF96E
_wprintf.LIBCMT ref: 009BFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 009BFA2E

Strings

Error: , xrefs: 009BF9E5
Line %d:, xrefs: 009BF968
Line %d (File "%s"):, xrefs: 009BF957
^ ERROR, xrefs: 009BF9C3
%s (%d) : ==> %s: %s %s, xrefs: 009BFA12

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 3b0173d57ceb96276413d20df698c51ff61f661e7c5b5f5e0f5caecee7bdaf3b
Instruction ID: 17ccf159458b1252ace43b0a2259bf01e6737aa9f35364723fc7633ec6f89310
Opcode Fuzzy Hash: 3b0173d57ceb96276413d20df698c51ff61f661e7c5b5f5e0f5caecee7bdaf3b
Instruction Fuzzy Hash: E6415E7280410DBBCF04FBE0DE96EEEB778AF98310F500465B505B6191EA356F49CB61

Function 009EBA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,009E9207,?,?), ref: 009EBA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,009E9207,?,?,00000000,?), ref: 009EBA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,009E9207,?,?,00000000,?), ref: 009EBA78
CloseHandle.KERNEL32(00000000,?,?,?,?,009E9207,?,?,00000000,?), ref: 009EBA85
GlobalLock.KERNEL32(00000000), ref: 009EBA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,009E9207,?,?,00000000,?), ref: 009EBA9D
GlobalUnlock.KERNEL32(00000000), ref: 009EBAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,009E9207,?,?,00000000,?), ref: 009EBAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,009E9207,?,?,00000000,?), ref: 009EBABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,009F2CAC,?), ref: 009EBAD7
GlobalFree.KERNEL32(00000000), ref: 009EBAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 009EBB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 009EBB36
DeleteObject.GDI32(00000000), ref: 009EBB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009EBB74

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: bff41f5b94a895b688111dcb23f9dfc9b424ffc88435b82d5f1e72e108f33ddb
Instruction ID: b933d2165c562c26539fe3a347d191453a81308cded76edc295746cf030e10cb
Opcode Fuzzy Hash: bff41f5b94a895b688111dcb23f9dfc9b424ffc88435b82d5f1e72e108f33ddb
Instruction Fuzzy Hash: 7A414975604248EFDB129F66DC98EAB7BBCFB89711F108069F905DB260D7309E01DB60

Function 009CD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 009CDA10
_wcscat.LIBCMT ref: 009CDA28
_wcscat.LIBCMT ref: 009CDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009CDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 009CDA63
GetFileAttributesW.KERNEL32(?), ref: 009CDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 009CDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 009CDAA7

Strings

*.*, xrefs: 009CDAE6

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 9af6ca7a1fbfb384578b12a19b82a2af9913609354f8f0956ac5f0bdcdbeb594
Instruction ID: 680c2039d8dbcc05f6b8bf77f64f4966a7fc988a00e2689619979aed1597454f
Opcode Fuzzy Hash: 9af6ca7a1fbfb384578b12a19b82a2af9913609354f8f0956ac5f0bdcdbeb594
Instruction Fuzzy Hash: 3C814D769062419FCB24EF64C885F6AB7E8AF89710F148C3EF889CB251E634DD45CB52

Function 009EC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009EC1FC
GetFocus.USER32 ref: 009EC20C
GetDlgCtrlID.USER32(00000000), ref: 009EC217
_memset.LIBCMT ref: 009EC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 009EC36D
GetMenuItemCount.USER32(?), ref: 009EC38D
GetMenuItemID.USER32(?,00000000), ref: 009EC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 009EC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 009EC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009EC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 009EC489

Strings

0, xrefs: 009EC33A

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: ca31756cc5c4caaa2a3d1d86bfeca9a6c1d42c676e7d2ea2dc6fd8ee987dcc57
Instruction ID: c4698098694fdd6661cb2dd86253c9e0b585510f54135455cad5eb8d3b280044
Opcode Fuzzy Hash: ca31756cc5c4caaa2a3d1d86bfeca9a6c1d42c676e7d2ea2dc6fd8ee987dcc57
Instruction Fuzzy Hash: 47819EB1608381AFD712DF25C894A7BBBE8FB88714F00492EF995972A1D730DD06CB52

Function 009D731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009D738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 009D739B
CreateCompatibleDC.GDI32(?), ref: 009D73A7
SelectObject.GDI32(00000000,?), ref: 009D73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 009D7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 009D7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 009D7468
SelectObject.GDI32(00000006,?), ref: 009D7470
DeleteObject.GDI32(?), ref: 009D7479
DeleteDC.GDI32(00000006), ref: 009D7480
ReleaseDC.USER32(00000000,?), ref: 009D748B

Strings

(, xrefs: 009D7410

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b15fb58a93117ac5e8a7f44106efb2a29b4e32a5560f45b08c32f24a79d8c86b
Instruction ID: 0b4692b10e3da986d8046587b1b96cb7175941687f5a4233457be1fec88128ad
Opcode Fuzzy Hash: b15fb58a93117ac5e8a7f44106efb2a29b4e32a5560f45b08c32f24a79d8c86b
Instruction Fuzzy Hash: E3513775944249EFCB15CFA8DC84EAEBBB9EF48310F14842EF95AAB311D731AD409B50

Function 00966A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00980957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00966B0C,?,00008000), ref: 00980973

Part of subcall function 00964750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00964743,?,?,009637AE,?), ref: 00964770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00966BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00966CFA

Part of subcall function 0096586D: _wcscpy.LIBCMT ref: 009658A5

Part of subcall function 0098363D: _iswctype.LIBCMT ref: 00983645

Strings

Error opening the file, xrefs: 0099E43D, 0099E4B8
AU3!, xrefs: 00966B61
Bad directive syntax error, xrefs: 0099E79D
Unterminated string, xrefs: 0099E7E4
EA06, xrefs: 0099E452
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0099E421
>>>AUTOIT SCRIPT<<<, xrefs: 0099E496

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: f017b34e8551e1523f7de3a0af335b7eb1ea2ecf86f0963b6790e770c58e781f
Instruction ID: ef42a9eb74349260d6f1d03b009babc5c9130019a2502c809d5200ae80a612a5
Opcode Fuzzy Hash: f017b34e8551e1523f7de3a0af335b7eb1ea2ecf86f0963b6790e770c58e781f
Instruction Fuzzy Hash: 250289301083419FCB24EF24C891AAFBBE5BFD9314F14492DF49A972A2DB35D949CB52

Function 009C2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009C2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 009C2DDD
GetMenuItemCount.USER32(00A25890), ref: 009C2E66
DeleteMenu.USER32(00A25890,00000005,00000000,000000F5,?,?), ref: 009C2EF6
DeleteMenu.USER32(00A25890,00000004,00000000), ref: 009C2EFE
DeleteMenu.USER32(00A25890,00000006,00000000), ref: 009C2F06
DeleteMenu.USER32(00A25890,00000003,00000000), ref: 009C2F0E
GetMenuItemCount.USER32(00A25890), ref: 009C2F16
SetMenuItemInfoW.USER32(00A25890,00000004,00000000,00000030), ref: 009C2F4C
GetCursorPos.USER32(?), ref: 009C2F56
SetForegroundWindow.USER32(00000000), ref: 009C2F5F
TrackPopupMenuEx.USER32(00A25890,00000000,?,00000000,00000000,00000000), ref: 009C2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009C2F7E

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: e21f8d14454105f994fd90cd6a4fa0a6e8754dfea8bdf5f5561f6f206dce61e6
Instruction ID: 8a58e114b16cf6f0f3ccb68bbc97bf99bffae2cff8d58ee79ae2ea1e68c3e11d
Opcode Fuzzy Hash: e21f8d14454105f994fd90cd6a4fa0a6e8754dfea8bdf5f5561f6f206dce61e6
Instruction Fuzzy Hash: 7571D570A04209BFEB219F54DC85FAABF68FF44764F14022EF625AA1E1C7B15C10DB92

Function 009B77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00967BCC: _memmove.LIBCMT ref: 00967C06

_memset.LIBCMT ref: 009B786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009B78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009B78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009B78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 009B7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 009B792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009B7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009B793A

Strings

\CLSID, xrefs: 009B7822
SOFTWARE\Classes\, xrefs: 009B780C
\IPC$, xrefs: 009B7882

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: ac6b7ce53d9e2a0943e0db6622c6841be38860392a97bf39b02dce74c2e5a4ae
Instruction ID: a15832575a08f282ba7b1e5ffedd330358cdf166717c44c1a407bdd87c3c7c7c
Opcode Fuzzy Hash: ac6b7ce53d9e2a0943e0db6622c6841be38860392a97bf39b02dce74c2e5a4ae
Instruction Fuzzy Hash: 72410872C1422DABCF11EBE4DC95EEDB778BF54354F40456AF805A72A1EA305E04CB90

Function 009E0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DFDAD,?,?), ref: 009E0E31

Strings

HKEY_CLASSES_ROOT, xrefs: 009E0EC4
HKLM, xrefs: 009E0EAF
HKCU, xrefs: 009E0F21
HKCC, xrefs: 009E0EFF
HKCR, xrefs: 009E0ED9
HKEY_CURRENT_USER, xrefs: 009E0F10
HKEY_USERS, xrefs: 009E0F32
HKEY_CURRENT_CONFIG, xrefs: 009E0EEE
HKEY_LOCAL_MACHINE, xrefs: 009E0E9A
HKU, xrefs: 009E0F43

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: f228b667103d78c3bd3aa66c7e4c95976671e2843b821db46ba040d8eaaca427
Instruction ID: 1af26ffc4ddd5cafd539c4f3e3a8554231146fb72f23c176a7ae3e17b64e358e
Opcode Fuzzy Hash: f228b667103d78c3bd3aa66c7e4c95976671e2843b821db46ba040d8eaaca427
Instruction Fuzzy Hash: 67419B3510038A9BCF16EF51E966AEF3764AFD1304F540824FC951B292DB74DDAACBA0

Function 009BF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0099E2A0,00000010,?,Bad directive syntax error,009EF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 009BF7C2
LoadStringW.USER32(00000000,?,0099E2A0,00000010), ref: 009BF7C9

Part of subcall function 00967DE1: _memmove.LIBCMT ref: 00967E22

_wprintf.LIBCMT ref: 009BF7FC
__swprintf.LIBCMT ref: 009BF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009BF88D

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 009BF7F7
Line %d:, xrefs: 009BF818
Line %d (File "%s"):, xrefs: 009BF833
Error: , xrefs: 009BF85B
., xrefs: 009BF873

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: bb4bf2e11663ae9e1c85af1cb0518d50862ad4642a80d8d778f0c776bbce47b4
Instruction ID: 8a8b78a7bcc76f5266d3105c43b08c4ef011c1bff1fbb8b084c8b322dcf7009a
Opcode Fuzzy Hash: bb4bf2e11663ae9e1c85af1cb0518d50862ad4642a80d8d778f0c776bbce47b4
Instruction Fuzzy Hash: 8F21A03280021EFBCF12EF90CC5AFEE7739BF18704F044866F515661A2EA359A58DB50

Function 009C52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00967BCC: _memmove.LIBCMT ref: 00967C06

Part of subcall function 00967924: _memmove.LIBCMT ref: 009679AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009C5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009C5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009C5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 009C5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 009C537A

Strings

status PlayMe mode, xrefs: 009C532B
close PlayMe, xrefs: 009C5341, 009C536E
open , xrefs: 009C52DF
play PlayMe, xrefs: 009C5375
alias PlayMe, xrefs: 009C5309
play PlayMe wait, xrefs: 009C5364

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 5199566e299af5fc63325e2d9bb405028d0f5bebeb88a348f33faf331d2c53a7
Instruction ID: 637f8a2e7b503f0f86fde41d1c0b2df2cc2aefc94b837f8fea94e52ed160942f
Opcode Fuzzy Hash: 5199566e299af5fc63325e2d9bb405028d0f5bebeb88a348f33faf331d2c53a7
Instruction Fuzzy Hash: 46118621D50159B9D724B7A1CC59EFFBBBCFBD5B84F4008197411920E1EEA41D84C571

Function 009C46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009C46D2
gethostname.WSOCK32(?,00000100), ref: 009C46EC
gethostbyname.WSOCK32(?), ref: 009C46F9
_wcscpy.LIBCMT ref: 009C4721
_memmove.LIBCMT ref: 009C4734
inet_ntoa.WSOCK32(?), ref: 009C473F
_strcat.LIBCMT ref: 009C474D
_wcscpy.LIBCMT ref: 009C4764
WSACleanup.WSOCK32 ref: 009C4772
_wcscpy.LIBCMT ref: 009C4780

Strings

0.0.0.0, xrefs: 009C471B

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 0840bf719ec70acdbcae8c0b86de5a036a01ddbc0dbfc0fef97b5e32901580e4
Instruction ID: 9d79c69f25595d29898da5742baecd8c33a8e0577d3bfab2cf859724be3d0eb2
Opcode Fuzzy Hash: 0840bf719ec70acdbcae8c0b86de5a036a01ddbc0dbfc0fef97b5e32901580e4
Instruction Fuzzy Hash: 6F112731A04114AFCB20BB309C96FDA77BCEF81311F0001BAF8499A191FF758E818751

Function 009C4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 009C4F7A

Part of subcall function 0098049F: timeGetTime.WINMM(?,7608B400,00970E7B), ref: 009804A3

Sleep.KERNEL32(0000000A), ref: 009C4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 009C4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 009C4FEC
SetActiveWindow.USER32 ref: 009C500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009C5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 009C5038
Sleep.KERNEL32(000000FA), ref: 009C5043
IsWindow.USER32 ref: 009C504F
EndDialog.USER32(00000000), ref: 009C5060

Strings

BUTTON, xrefs: 009C4FDE

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: aac8c6e86c2d168448ff38b652e6a78cb21a3d506b3b30ccf806e09465dd28b7
Instruction ID: 46644b06c9e8133af6a10a2ae1673d43ec468fccb3b535ab336f0c4dc7e2b410
Opcode Fuzzy Hash: aac8c6e86c2d168448ff38b652e6a78cb21a3d506b3b30ccf806e09465dd28b7
Instruction Fuzzy Hash: 8021CF70A09644BFE720DFB4ECD9F363B6AEB44745B04103DF406851B1CB319E42AB62

Function 009CD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00969837: __itow.LIBCMT ref: 00969862
Part of subcall function 00969837: __swprintf.LIBCMT ref: 009698AC

CoInitialize.OLE32(00000000), ref: 009CD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009CD67D
SHGetDesktopFolder.SHELL32(?), ref: 009CD691
CoCreateInstance.OLE32(009F2D7C,00000000,00000001,00A18C1C,?), ref: 009CD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009CD74C
CoTaskMemFree.OLE32(?,?), ref: 009CD7A4
_memset.LIBCMT ref: 009CD7E1
SHBrowseForFolderW.SHELL32(?), ref: 009CD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009CD840
CoTaskMemFree.OLE32(00000000), ref: 009CD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 009CD87E
CoUninitialize.OLE32(00000001,00000000), ref: 009CD880

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 9be4722dde08e4518881be61bb17014b08baa5a1645be5af7349b2460817dbf3
Instruction ID: e92c02386789f764aff9916aaaa4b4132bdd2140ed316c9532967015dea50f56
Opcode Fuzzy Hash: 9be4722dde08e4518881be61bb17014b08baa5a1645be5af7349b2460817dbf3
Instruction Fuzzy Hash: E5B1EC75A00109AFDB04DFA4C998EAEBBF9FF88314B148469F909DB261DB30ED45CB51

Function 009BC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 009BC283
GetWindowRect.USER32(00000000,?), ref: 009BC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 009BC2F3
GetDlgItem.USER32(?,00000002), ref: 009BC2FE
GetWindowRect.USER32(00000000,?), ref: 009BC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 009BC364
GetDlgItem.USER32(?,000003E9), ref: 009BC372
GetWindowRect.USER32(00000000,?), ref: 009BC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 009BC3C6
GetDlgItem.USER32(?,000003EA), ref: 009BC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009BC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 009BC3FE

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ea2fe696ed8f01f2cb743a5a4a388c2dbf43328dd7907243088bbf017eb0e257
Instruction ID: e9d8d3d7b13c78e9fec535c5591f24ad009401cd744ab99937407b6c0cd4f455
Opcode Fuzzy Hash: ea2fe696ed8f01f2cb743a5a4a388c2dbf43328dd7907243088bbf017eb0e257
Instruction Fuzzy Hash: 4B5140B1B10209AFDF18CFA9DD99AAEBBBAFB88711F14812DF515D7290D7709D008B10

Function 0096201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00961B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00962036,?,00000000,?,?,?,?,009616CB,00000000,?), ref: 00961B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 009620D3
KillTimer.USER32(-00000001,?,?,?,?,009616CB,00000000,?,?,00961AE2,?,?), ref: 0096216E
DestroyAcceleratorTable.USER32(00000000), ref: 0099BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009616CB,00000000,?,?,00961AE2,?,?), ref: 0099BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009616CB,00000000,?,?,00961AE2,?,?), ref: 0099BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009616CB,00000000,?,?,00961AE2,?,?), ref: 0099BD0A
DeleteObject.GDI32(00000000), ref: 0099BD1C

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e23a670d666ae2a4aa562a8aea442ead4b646d725d931f6f763becaa6db99372
Instruction ID: 36f43a3c8c6e45d39fbdd50680744e2327161c6eac6ee49d02878cbf71c8ea32
Opcode Fuzzy Hash: e23a670d666ae2a4aa562a8aea442ead4b646d725d931f6f763becaa6db99372
Instruction Fuzzy Hash: B5618D31919A40DFCB35DF28DA58B3977F5FB40312F108839E5429A9B1C779AC92EB90

Function 009621A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 009625DB: GetWindowLongW.USER32(?,000000EB), ref: 009625EC

GetSysColor.USER32(0000000F), ref: 009621D3

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 49cd3d58836c99be494f45dda92583eedf5fcd81a58d3c3e804f22301ef3ea11
Instruction ID: e2f5581606f1d80e62234c2648d7a8b4d9ca26511a9052fdd09d0ed632e2416f
Opcode Fuzzy Hash: 49cd3d58836c99be494f45dda92583eedf5fcd81a58d3c3e804f22301ef3ea11
Instruction Fuzzy Hash: 7641C431008944DBDF255F68ECA8BB93B69EB06331F148266FE758E1E1C7358C42EB51

Function 009CA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,009EF910), ref: 009CA90B
GetDriveTypeW.KERNEL32(00000061,00A189A0,00000061), ref: 009CA9D5
_wcscpy.LIBCMT ref: 009CA9FF

Strings

ramdisk, xrefs: 009CA97F
removable, xrefs: 009CA93D
network, xrefs: 009CA969
cdrom, xrefs: 009CA927
all, xrefs: 009CA911
unknown, xrefs: 009CA996
fixed, xrefs: 009CA953

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 98acc60570272404ad4af226146c4aa31410b0aef106ec8b58c40c70012446e8
Instruction ID: dc9d79b8fe9e38acf57e07196c9fa5ca7ac2a57ffad2534f79f646761d652d00
Opcode Fuzzy Hash: 98acc60570272404ad4af226146c4aa31410b0aef106ec8b58c40c70012446e8
Instruction Fuzzy Hash: 15517831918305ABC304EF14C892FAEB7A9AFC4348F54482DF496572A2DB319909CB53

Function 00969837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00969862
__swprintf.LIBCMT ref: 009698AC
__i64tow.LIBCMT ref: 0099F5E6

Strings

%.15g, xrefs: 009698A6
0x%p, xrefs: 0099F5C8
True, xrefs: 0099F5A7
False, xrefs: 0099F5AE

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 04517841f23af4ec19cd7565a7fc9d4cbd65984e60f2819ba10cae45438f38aa
Instruction ID: fd1dba98ca0ba817e60c09376a51cd747bf988eb9e19cac59af1ad188f6bec77
Opcode Fuzzy Hash: 04517841f23af4ec19cd7565a7fc9d4cbd65984e60f2819ba10cae45438f38aa
Instruction Fuzzy Hash: 6341D371500205AFEB24EF78D852F7AB3ECFF85310F20486EF549DB292EA3599428B11

Function 009E7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009E716A
CreateMenu.USER32 ref: 009E7185
SetMenu.USER32(?,00000000), ref: 009E7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E7221
IsMenu.USER32(?), ref: 009E7237
CreatePopupMenu.USER32 ref: 009E7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009E726E
DrawMenuBar.USER32 ref: 009E7276

Strings

0, xrefs: 009E7160
F, xrefs: 009E7262

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: a455f257351704988e6b890c72459c123f58862b18ce0d6978c8a2f5ab620dea
Instruction ID: 3482466d85400da7448a7b367ebc3bfd4aae4be391b22da7e84dbc04b07aa5f0
Opcode Fuzzy Hash: a455f257351704988e6b890c72459c123f58862b18ce0d6978c8a2f5ab620dea
Instruction Fuzzy Hash: 4D418A74A05245EFDB21DFA5E884EAABBB9FF48310F144029FA15AB360D731AD10DF91

Function 009E74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 009E755E
CreateCompatibleDC.GDI32(00000000), ref: 009E7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009E7578
SelectObject.GDI32(00000000,00000000), ref: 009E7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 009E758B
DeleteDC.GDI32(00000000), ref: 009E7594
GetWindowLongW.USER32(?,000000EC), ref: 009E759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 009E75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 009E75BE

Strings

static, xrefs: 009E74F6

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 0d01de9439040d2106a2323a05332ece103e66480cfbe2bf7c600d3697518308
Instruction ID: afe3d2f86b89a37c860ccdfe757b5abf0084bbab4e6f39548b3d02d1211aab5a
Opcode Fuzzy Hash: 0d01de9439040d2106a2323a05332ece103e66480cfbe2bf7c600d3697518308
Instruction Fuzzy Hash: A8316D32108298BBDF129FA5DC48FEB7B69FF09721F110225FA15960A0CB31DC11EBA5

Function 00986E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00986E3E

Part of subcall function 00988B28: __getptd_noexit.LIBCMT ref: 00988B28

__gmtime64_s.LIBCMT ref: 00986ED7
__gmtime64_s.LIBCMT ref: 00986F0D
__gmtime64_s.LIBCMT ref: 00986F2A
__allrem.LIBCMT ref: 00986F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00986F9C
__allrem.LIBCMT ref: 00986FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00986FD1
__allrem.LIBCMT ref: 00986FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00987006
__invoke_watson.LIBCMT ref: 00987077

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 2011c4d7fecaf673fcf97db352267261a759f6fd7430d20bcf6f2742229fce57
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: A4710676A00717ABDB14BE6CDC81B5AB7A8AF44324F148629F514EB3C1E770DE508B90

Function 009C2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009C2542
GetMenuItemInfoW.USER32(00A25890,000000FF,00000000,00000030), ref: 009C25A3
SetMenuItemInfoW.USER32(00A25890,00000004,00000000,00000030), ref: 009C25D9
Sleep.KERNEL32(000001F4), ref: 009C25EB
GetMenuItemCount.USER32(?), ref: 009C262F
GetMenuItemID.USER32(?,00000000), ref: 009C264B
GetMenuItemID.USER32(?,-00000001), ref: 009C2675
GetMenuItemID.USER32(?,?), ref: 009C26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009C2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C2735

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 57dc0e3f7cfb6c03c20668bace85842add35b4d0d0bb0a5bd35161230e6e7c8f
Instruction ID: ebf38a178bf191ab7c0f9f9c3c7cb70f3d2a5f4817cfe88222b589175b14ec74
Opcode Fuzzy Hash: 57dc0e3f7cfb6c03c20668bace85842add35b4d0d0bb0a5bd35161230e6e7c8f
Instruction Fuzzy Hash: F8616D74D04249AFDB21CFA4D998FBE7BB8EB45344F14046EF841A7291D731AE06DB22

Function 009E6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 009E6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 009E6FA8
GetWindowLongW.USER32(?,000000F0), ref: 009E6FCC
_memset.LIBCMT ref: 009E6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009E6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009E7067

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 730264e1132b14c7c9040e9a93912a2955b1b4efe9a46055e3acb40e2b1a2a3f
Instruction ID: 0db28a8536c61a0d19866b15f0869c90033d4a850cada6c11a645f3f8213b6ad
Opcode Fuzzy Hash: 730264e1132b14c7c9040e9a93912a2955b1b4efe9a46055e3acb40e2b1a2a3f
Instruction Fuzzy Hash: 94617D75904248AFDB11DFA8CC81EEEB7F8EB49710F100569FA14EB2A1C771AD41DB51

Function 009B6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 009B6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 009B6C18
VariantInit.OLEAUT32(?), ref: 009B6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 009B6C4A
VariantCopy.OLEAUT32(?,?), ref: 009B6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 009B6CB1
VariantClear.OLEAUT32(?), ref: 009B6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 009B6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009B6CDC
VariantClear.OLEAUT32(?), ref: 009B6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009B6CF9

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 3786163da97ee137b8d0b8fa32984f8e9cb4368b904cd7b97cf121c045dfa2fa
Instruction ID: 2b2bdcd10817f11f5530b9c3675ce066d25ad067858c65ddedbc306a9fc1bede
Opcode Fuzzy Hash: 3786163da97ee137b8d0b8fa32984f8e9cb4368b904cd7b97cf121c045dfa2fa
Instruction Fuzzy Hash: B6418131A041199FCF00DFA8D998DEEBBB9EF48350F008079E955EB2A1DB34AD45CB90

Function 009D83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00969837: __itow.LIBCMT ref: 00969862
Part of subcall function 00969837: __swprintf.LIBCMT ref: 009698AC

CoInitialize.OLE32 ref: 009D8403
CoUninitialize.OLE32 ref: 009D840E
CoCreateInstance.OLE32(?,00000000,00000017,009F2BEC,?), ref: 009D846E
IIDFromString.OLE32(?,?), ref: 009D84E1
VariantInit.OLEAUT32(?), ref: 009D857B
VariantClear.OLEAUT32(?), ref: 009D85DC

Strings

Failed to create object, xrefs: 009D8479, 009D852F
Invalid parameter, xrefs: 009D84FA
NULL Pointer assignment, xrefs: 009D84B3

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 7bcb4338c565d75453284f35ef8c6f46544f9a054385ac964d5d8873f11d922d
Instruction ID: 1db4401f51a7b24a790e4f17fa82ad9355f38936d16b29148083c8b926aad96e
Opcode Fuzzy Hash: 7bcb4338c565d75453284f35ef8c6f46544f9a054385ac964d5d8873f11d922d
Instruction Fuzzy Hash: 2E61A070648312AFC710DF54D888F6BB7E8AF85754F00885AF9859B3A2DB74ED44CB92

Function 009D5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009D5793
inet_addr.WSOCK32(?,?,?), ref: 009D57D8
gethostbyname.WSOCK32(?), ref: 009D57E4
IcmpCreateFile.IPHLPAPI ref: 009D57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009D5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009D5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 009D58ED
WSACleanup.WSOCK32 ref: 009D58F3

Strings

Ping, xrefs: 009D5816

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8bff713dfecaa41d769ca7b9decc9beef7e6e444d19f40e0b9c925bf8c254a62
Instruction ID: b8ea77db25d67bffc4ba05e49c133d3d64e6c6cd5d207f9075524a07615df51d
Opcode Fuzzy Hash: 8bff713dfecaa41d769ca7b9decc9beef7e6e444d19f40e0b9c925bf8c254a62
Instruction Fuzzy Hash: 46517F316446009FDB10DF64DC95B6A7BE8AF84720F05892AF956DB3A1DB74ED00EB41

Function 009CB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009CB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 009CB546
GetLastError.KERNEL32 ref: 009CB550
SetErrorMode.KERNEL32(00000000,READY), ref: 009CB5BD

Strings

READONLY, xrefs: 009CB588
READY, xrefs: 009CB596
INVALID, xrefs: 009CB58F
NOTREADY, xrefs: 009CB57C
UNKNOWN, xrefs: 009CB575

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: e314ba2c5410f660eec2aa298a2177141a8adbff2020c73706a19050970d0391
Instruction ID: a6293199f1398b332b7b0935e4c601f9b7408f22c0d12f7f1d888fa4c22cd20b
Opcode Fuzzy Hash: e314ba2c5410f660eec2aa298a2177141a8adbff2020c73706a19050970d0391
Instruction Fuzzy Hash: 5331A135E04249EFCB00DBA8C896FADB7B8FF44310F10442AF5059B291DB759A46CB42

Function 009B8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00967DE1: _memmove.LIBCMT ref: 00967E22

Part of subcall function 009BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009BAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 009B9014
GetDlgCtrlID.USER32 ref: 009B901F
GetParent.USER32 ref: 009B903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 009B903E
GetDlgCtrlID.USER32(?), ref: 009B9047
GetParent.USER32(?), ref: 009B9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 009B9066

Strings

ListBox, xrefs: 009B8FD1
ComboBox, xrefs: 009B8F9C

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 3801b49413f1eb1c6b12d58cb601358734f71011aca119d30c2985c0cc7c79ad
Instruction ID: a321a37b5dab88f5f201efd47a383b687f7c5e147db60309c70be02ee15efa1a
Opcode Fuzzy Hash: 3801b49413f1eb1c6b12d58cb601358734f71011aca119d30c2985c0cc7c79ad
Instruction Fuzzy Hash: 5721F570A00148BBDF04ABA0CC95EFEBB79EF89320F10411AF961972E1DB795855DB20

Function 009B907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00967DE1: _memmove.LIBCMT ref: 00967E22

Part of subcall function 009BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009BAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009B90FD
GetDlgCtrlID.USER32 ref: 009B9108
GetParent.USER32 ref: 009B9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 009B9127
GetDlgCtrlID.USER32(?), ref: 009B9130
GetParent.USER32(?), ref: 009B914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 009B914F

Strings

ListBox, xrefs: 009B90BC
ComboBox, xrefs: 009B9087

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 7f15b89f786df3930940f4d209141f3bd357a36b756fa5f84b51f6bb1ff83a6c
Instruction ID: a3d50052a4d5470d5b91d6b11eec52bc3f36591ab491434b52d25a233a26605b
Opcode Fuzzy Hash: 7f15b89f786df3930940f4d209141f3bd357a36b756fa5f84b51f6bb1ff83a6c
Instruction Fuzzy Hash: 64210774A00148BBDF00ABA4CC99FFEBB78EF84310F504016FA519B2A2DB754855EB20

Function 009B9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009B916F
GetClassNameW.USER32(00000000,?,00000100), ref: 009B9184
_wcscmp.LIBCMT ref: 009B9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009B9211

Strings

smallicons, xrefs: 009B91D9
list, xrefs: 009B91F3
SHELLDLL_DefView, xrefs: 009B9190
details, xrefs: 009B91BF
largeicons, xrefs: 009B91A5

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 146c893b00a4d026049d97a55b51958432e5e41ece6ddd46e24881eee3f7cf7d
Instruction ID: 3ba85434680692c2908464f7c97b93680c67f725f7c3aa03905e5182fde4b337
Opcode Fuzzy Hash: 146c893b00a4d026049d97a55b51958432e5e41ece6ddd46e24881eee3f7cf7d
Instruction Fuzzy Hash: 3D112C3B69C317BAFA113724DC16EEB379CAB15730B200426FB10A41D2FE7168516A94

Function 009D88AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009D88D7
CoInitialize.OLE32(00000000), ref: 009D8904
CoUninitialize.OLE32 ref: 009D890E
GetRunningObjectTable.OLE32(00000000,?), ref: 009D8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 009D8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,009F2C0C), ref: 009D8B6F
CoGetObject.OLE32(?,00000000,009F2C0C,?), ref: 009D8B92
SetErrorMode.KERNEL32(00000000), ref: 009D8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009D8C25
VariantClear.OLEAUT32(?), ref: 009D8C35

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: b8a7bcc9931a00da7367b4ed113ef1b520b4f3d89f365ca82427925c6ee19f74
Instruction ID: 14e91b6a6698f5d6ccdb7cea47d6fe1f164dc67386da64465b167c83f94890d6
Opcode Fuzzy Hash: b8a7bcc9931a00da7367b4ed113ef1b520b4f3d89f365ca82427925c6ee19f74
Instruction Fuzzy Hash: 0AC1F4B1608345AFD700DF64C884A2BB7E9FF89748F00895EF58A9B251DB71ED05CB52

Function 009C7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 009C7A6C

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 2c58243bbe766d4d56d693555a84fdcdef64870ebc58d73a0f272896e7461d04
Instruction ID: d8fc74bc7c4485c63e0e041f84a3cc5649e40f3d12ce747969aaa8efcc108e99
Opcode Fuzzy Hash: 2c58243bbe766d4d56d693555a84fdcdef64870ebc58d73a0f272896e7461d04
Instruction Fuzzy Hash: 3FB14A71D0821A9FDB00DFE4C895BBEB7B8EF49321F244429E551AB391D734A941CF92

Function 009C11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009C11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,009C0268,?,00000001), ref: 009C1204
GetWindowThreadProcessId.USER32(00000000), ref: 009C120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009C0268,?,00000001), ref: 009C121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 009C122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009C0268,?,00000001), ref: 009C1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009C0268,?,00000001), ref: 009C1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,009C0268,?,00000001), ref: 009C129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,009C0268,?,00000001), ref: 009C12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,009C0268,?,00000001), ref: 009C12BC

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: ed1eed9040ceb2b6a218559831a46ce1c5e5b566e64b669f9b7ede6f7106def4
Instruction ID: 55a2a34e7c2e217e621159129cacc8d3178b3a116e59d63ae66691ae26afc023
Opcode Fuzzy Hash: ed1eed9040ceb2b6a218559831a46ce1c5e5b566e64b669f9b7ede6f7106def4
Instruction Fuzzy Hash: 3D31F279A01208FFDF20DF98ED88F7937ADEB56311F10812AF811CA1A1D3749D828B55

Function 0096FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0096FAA6
OleUninitialize.OLE32(?,00000000), ref: 0096FB45
UnregisterHotKey.USER32(?), ref: 0096FC9C
DestroyWindow.USER32(?), ref: 009A45D6
FreeLibrary.KERNEL32(?), ref: 009A463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 009A4668

Strings

close all, xrefs: 0096FAA1

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 3ec1b10a489ceeda00de496879e98acc83e43230156347f240827fc3a6cd6713
Instruction ID: 720a449b6097ee9e5ecc8116ad94e75e6fcf3474a03ce6d73e659c44474a3d00
Opcode Fuzzy Hash: 3ec1b10a489ceeda00de496879e98acc83e43230156347f240827fc3a6cd6713
Instruction Fuzzy Hash: E2A19131701212CFCB29EF14D5A5B69F368BF86700F5542ADE80AAB261DB34ED16CF90

Function 009BA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,009BA439), ref: 009BA377

Strings

INSTANCE, xrefs: 009BA285
TEXT, xrefs: 009BA2AE
NAME, xrefs: 009BA1A9
REGEXPCLASS, xrefs: 009BA13C
CLASSNN, xrefs: 009BA119
CLASS, xrefs: 009BA0F6

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 3345fbd66281168678ee0270d17bda3e6c0488e4897744f156aa7fd1b9ef75d6
Instruction ID: e26dc337163653b1e8b747e0ae34672ee2e3359e90ee43bc7253a9767ac451c0
Opcode Fuzzy Hash: 3345fbd66281168678ee0270d17bda3e6c0488e4897744f156aa7fd1b9ef75d6
Instruction Fuzzy Hash: 8291E830604605EBCB48EFA4C582BEEFBB8FF44320F548519E859A7241DF31A99DCB91

Function 00962E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00962EAE

Part of subcall function 00961DB3: GetClientRect.USER32(?,?), ref: 00961DDC
Part of subcall function 00961DB3: GetWindowRect.USER32(?,?), ref: 00961E1D
Part of subcall function 00961DB3: ScreenToClient.USER32(?,?), ref: 00961E45

GetDC.USER32 ref: 0099CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0099CD45
SelectObject.GDI32(00000000,00000000), ref: 0099CD53
SelectObject.GDI32(00000000,00000000), ref: 0099CD68
ReleaseDC.USER32(?,00000000), ref: 0099CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0099CDFB

Strings

U, xrefs: 0099CCD0

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2509309bfb75abde1d6632747d59d7890b0e8efc03c10ff7d4a6f3b285109570
Instruction ID: ea18fa1949406e540f76b17f79371f520e804d07217666409074fd51cceda005
Opcode Fuzzy Hash: 2509309bfb75abde1d6632747d59d7890b0e8efc03c10ff7d4a6f3b285109570
Instruction Fuzzy Hash: CB71C171900609DFCF22CF68CC94ABA7BB9FF49320F14467AED555A2A6D7318C41DB60

Function 009D1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009D1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 009D1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 009D1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 009D1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009D1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 009D1B10
InternetCloseHandle.WININET(00000000), ref: 009D1B57

Part of subcall function 009D2483: GetLastError.KERNEL32(?,?,009D1817,00000000,00000000,00000001), ref: 009D2498
Part of subcall function 009D2483: SetEvent.KERNEL32(?,?,009D1817,00000000,00000000,00000001), ref: 009D24AD

Strings

, xrefs: 009D1B01

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: ae8abad96224654c95d2ef74a01943835c9d705e5ad30ed25ba3b745d29c2389
Instruction ID: 62610e11fedbf91561e68c6e2f3443a7f7fc1bbb66dc47e31376036cbcd7a39b
Opcode Fuzzy Hash: ae8abad96224654c95d2ef74a01943835c9d705e5ad30ed25ba3b745d29c2389
Instruction Fuzzy Hash: 8C419EB2541218BFEB118F50CC99FBB7BACEF48354F00812BFE059A241E7759E409BA0

Function 009D8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,009EF910), ref: 009D8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,009EF910), ref: 009D8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009D8ED6
SysFreeString.OLEAUT32(?), ref: 009D8F00

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: adbcdd681aff71b094a4bc526cd86017797f047128bae6bce467651a2e785e01
Instruction ID: a84fc24f2662f80ef7d20f773a83ed28712004d7db63db33a256c2398a1de319
Opcode Fuzzy Hash: adbcdd681aff71b094a4bc526cd86017797f047128bae6bce467651a2e785e01
Instruction Fuzzy Hash: 5AF10971A40209EFDF14EF94C884EAEB7B9FF89314F108559F905AB251DB31AE45CB60

Function 009DF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009DF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009DF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009DF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009DF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009DF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009DFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 009DFA7C
CloseHandle.KERNEL32(?), ref: 009DFAAB
CloseHandle.KERNEL32(?), ref: 009DFB22

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: f02e387f26f48885c7662e5577decc253614bd85239d159b21e2723130f0c4db
Instruction ID: d221ff28caab3538eedf3e97aa4cabd057c209cb41487489e14907461435b595
Opcode Fuzzy Hash: f02e387f26f48885c7662e5577decc253614bd85239d159b21e2723130f0c4db
Instruction Fuzzy Hash: 83E194316443409FC714EF24C8A2B6ABBE5EF85354F14856EF89A9B3A2DB30DC45CB52

Function 009C4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009C466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009C3697,?), ref: 009C468B

Part of subcall function 009C466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009C3697,?), ref: 009C46A4

Part of subcall function 009C4A31: GetFileAttributesW.KERNEL32(?,009C370B), ref: 009C4A32

lstrcmpiW.KERNEL32(?,?), ref: 009C4D40
_wcscmp.LIBCMT ref: 009C4D5A
MoveFileW.KERNEL32(?,?), ref: 009C4D75

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 88853f69aab2b7bdee5293c6282d4b385c83507087fe668fa12c0d35b5fffff4
Instruction ID: c0535f726f883eb1aafa3cf7f1e5a465c35bca2506cada5e0b37aba41f58ce47
Opcode Fuzzy Hash: 88853f69aab2b7bdee5293c6282d4b385c83507087fe668fa12c0d35b5fffff4
Instruction Fuzzy Hash: 8D5154B25083859BC724EBA0D891EDFB3ECAFC5350F40492EB589D3191EF34A588C756

Function 009E8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009E86FF

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 670e23186dfeb91b567a63178dfaddab396abc20c28a1cc6f9f560a6cdeeed42
Instruction ID: f32d25b8bfbd1858abce8966e56af79b397a5dc95cd735dc6e3c397293cd4101
Opcode Fuzzy Hash: 670e23186dfeb91b567a63178dfaddab396abc20c28a1cc6f9f560a6cdeeed42
Instruction Fuzzy Hash: EC51B6305002C4BFDB229BAACC85F6E3B69BB05710F604515F919EA1E1CF76AD80DB40

Function 00962B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0099C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0099C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0099C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0099C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0099C370
DestroyIcon.USER32(00000000), ref: 0099C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0099C39C
DestroyIcon.USER32(?), ref: 0099C3AB

Part of subcall function 009EA4AF: DeleteObject.GDI32(00000000), ref: 009EA4E8

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 4128d488726105c437125493ca1aa711a1c2f3b89a9b641cf213a084bec04fb2
Instruction ID: 725a010046eee32cf9294cfeaaf4be9ae00a40402e9965af730e6a5f54d7637b
Opcode Fuzzy Hash: 4128d488726105c437125493ca1aa711a1c2f3b89a9b641cf213a084bec04fb2
Instruction Fuzzy Hash: EB517B70A10609AFDB20DF68CC95FAA3BA9FB58710F104529F9429B2A0D770ED91EB50

Function 009B966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 009BA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 009BA84C
Part of subcall function 009BA82C: GetCurrentThreadId.KERNEL32 ref: 009BA853
Part of subcall function 009BA82C: AttachThreadInput.USER32(00000000,?,009B9683,?,00000001), ref: 009BA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 009B968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009B96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 009B96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 009B96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009B96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009B96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 009B96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009B96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009B96FB

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 0311e382d2c5f3ebc221c1372b0e84fa971af7ecdfd9de38fa7c9dcea7995e56
Instruction ID: f070dae4d145dc8fabdccf14a6a6b4220204ddffcb5a2684294f6ca3357e0fa9
Opcode Fuzzy Hash: 0311e382d2c5f3ebc221c1372b0e84fa971af7ecdfd9de38fa7c9dcea7995e56
Instruction Fuzzy Hash: A211C271924618BFF6106B609C89FAA3F2DDB4C760F100426F244AB0E0C9F25C10AAA4

Function 009B8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,009B853C,00000B00,?,?), ref: 009B892A
HeapAlloc.KERNEL32(00000000,?,009B853C,00000B00,?,?), ref: 009B8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009B853C,00000B00,?,?), ref: 009B8946
GetCurrentProcess.KERNEL32(?,00000000,?,009B853C,00000B00,?,?), ref: 009B894E
DuplicateHandle.KERNEL32(00000000,?,009B853C,00000B00,?,?), ref: 009B8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,009B853C,00000B00,?,?), ref: 009B8961
GetCurrentProcess.KERNEL32(009B853C,00000000,?,009B853C,00000B00,?,?), ref: 009B8969
DuplicateHandle.KERNEL32(00000000,?,009B853C,00000B00,?,?), ref: 009B896C
CreateThread.KERNEL32(00000000,00000000,009B8992,00000000,00000000,00000000), ref: 009B8986

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 40e448ab8b9f63366675a3c777b0c3a81ef96a8b9e06c2498dbcf5159a18b282
Instruction ID: f3c9d5db9152224eec64e4c7394836953ad773069e8cebaf724e900f4a351dd0
Opcode Fuzzy Hash: 40e448ab8b9f63366675a3c777b0c3a81ef96a8b9e06c2498dbcf5159a18b282
Instruction Fuzzy Hash: 6501AC75254348FFE610ABA5DC8DF673B6CEB89711F418421FA05DF291CA709C00DA20

Function 009D9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 009D9B7B
NULL Pointer assignment, xrefs: 009D9BA4, 009D9EC8

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 6fddc175a6ede6b5484c36fc675b535037a68905530ddcc7aeae78a98ea44cf5
Instruction ID: a7aacef122f705f7b58ab6935823224224d65ea996419907b86d346787e28544
Opcode Fuzzy Hash: 6fddc175a6ede6b5484c36fc675b535037a68905530ddcc7aeae78a98ea44cf5
Instruction Fuzzy Hash: 83C19671A402199FDF10EFA8D984BAEB7F9FB88314F15846AE905A7380E7709D41CB60

Function 009D9113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009D9167
VariantInit.OLEAUT32(?), ref: 009D9238
VariantInit.OLEAUT32(?), ref: 009D9339
VariantClear.OLEAUT32(?), ref: 009D9343
VariantClear.OLEAUT32(?), ref: 009D93A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 009D931C
Null Object assignment in FOR..IN loop, xrefs: 009D91C8, 009D92F6, 009D93AE

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 18521fb576c85ceb5080a223bb82f9bb9109716c45b87c09f80ca224d736b029
Instruction ID: f7377f1eca16cd4080f8886cf7096751c90c9ef6bda1dd7ec2774ad132428c57
Opcode Fuzzy Hash: 18521fb576c85ceb5080a223bb82f9bb9109716c45b87c09f80ca224d736b029
Instruction Fuzzy Hash: 7391AE71A40219ABDF24EFA5C848FAEBBB8EF85714F10C55AF515AB380D7709941CFA0

Function 009D975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 009B710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B7044,80070057,?,?,?,009B7455), ref: 009B7127
Part of subcall function 009B710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B7044,80070057,?,?), ref: 009B7142
Part of subcall function 009B710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B7044,80070057,?,?), ref: 009B7150
Part of subcall function 009B710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B7044,80070057,?), ref: 009B7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 009D9806
_memset.LIBCMT ref: 009D9813
_memset.LIBCMT ref: 009D9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 009D9982
CoTaskMemFree.OLE32(?), ref: 009D998D

Strings

NULL Pointer assignment, xrefs: 009D99DB

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 7773c0b6b8bc8dddb6eb9c2eaf47400367ea45b4ed80857004576b0382cee817
Instruction ID: 7e251f18090a4662fcc8cfd78c54c4c6b44b11c1912f7c8c61c47815700cc820
Opcode Fuzzy Hash: 7773c0b6b8bc8dddb6eb9c2eaf47400367ea45b4ed80857004576b0382cee817
Instruction Fuzzy Hash: ED913871D00229EBDB10EFA5DC80FDEBBB9AF48350F10815AF419A7291DB719A44CFA0

Function 009E6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 009E6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 009E6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009E6E52
_wcscat.LIBCMT ref: 009E6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 009E6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009E6EF2

Strings

SysListView32, xrefs: 009E6DF6

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: e8855f41d269e8585b956085e12ff79c3f43cf2d9aa7eebd40f157c5afbb20c4
Instruction ID: 1c3d63a23d66d147e0195b22135f2bc6ecbf727f4e1de2f68f395542c729b16c
Opcode Fuzzy Hash: e8855f41d269e8585b956085e12ff79c3f43cf2d9aa7eebd40f157c5afbb20c4
Instruction Fuzzy Hash: F141A070A00388AFDB229F64CC85BEA77A8EF58790F10082AF584E72D1D6719D848B60

Function 009DE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 009C3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 009C3C7A
Part of subcall function 009C3C55: Process32FirstW.KERNEL32(00000000,?), ref: 009C3C88
Part of subcall function 009C3C55: CloseHandle.KERNEL32(00000000), ref: 009C3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 009DE9A4
GetLastError.KERNEL32 ref: 009DE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 009DE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 009DEA63
GetLastError.KERNEL32(00000000), ref: 009DEA6E
CloseHandle.KERNEL32(00000000), ref: 009DEAA3

Strings

SeDebugPrivilege, xrefs: 009DE9C2

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 4920c96d268d5dcea9f740129486250c8544404b83aa2a5b16d2733f5bbc1800
Instruction ID: 28cf22e3aa7f181102226ef9df2cc830d3956f2494ea30c8b67b85f9bcb50510
Opcode Fuzzy Hash: 4920c96d268d5dcea9f740129486250c8544404b83aa2a5b16d2733f5bbc1800
Instruction Fuzzy Hash: C84177712442019FDB24EF54CCA5B6EB7A9AF84314F04C41AF9069F3D2CBB4AD04CB92

Function 009C2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 009C3033

Strings

stop, xrefs: 009C3004
blank, xrefs: 009C2FB5
info, xrefs: 009C2FD4
question, xrefs: 009C2FEC
warning, xrefs: 009C301C

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: dbf65485ada282aea40c52835d281ec1bdd7f857157988957ba01f88c2f061bc
Instruction ID: b55960c5e65f01de8a6ce873d546eda8c50a8a89dfd265702d65bd96619ffef6
Opcode Fuzzy Hash: dbf65485ada282aea40c52835d281ec1bdd7f857157988957ba01f88c2f061bc
Instruction Fuzzy Hash: 2B11EE33B48346BEE714DB54DC82EAB779CEF19370B10846EF90066282DB755F4056A6

Function 009C42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 009C4312
LoadStringW.USER32(00000000), ref: 009C4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 009C432F
LoadStringW.USER32(00000000), ref: 009C4336
_wprintf.LIBCMT ref: 009C435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 009C437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 009C4357

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 5c3571d28e7256fcfaea0a98e85bff456ad15606fa67c395a066c5d4f7634718
Instruction ID: bb531d7208d8517b68ddece5eb2a62a86975607366fa4e011211fe2a9dc0a364
Opcode Fuzzy Hash: 5c3571d28e7256fcfaea0a98e85bff456ad15606fa67c395a066c5d4f7634718
Instruction Fuzzy Hash: 8C01A2F390424CFFE721A7A0DD89FE6736CEB08700F0004A6BB45E6011EA345E854B71

Function 009ED43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

GetSystemMetrics.USER32(0000000F), ref: 009ED47C
GetSystemMetrics.USER32(0000000F), ref: 009ED49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 009ED6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009ED6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009ED716
ShowWindow.USER32(00000003,00000000), ref: 009ED735
InvalidateRect.USER32(?,00000000,00000001), ref: 009ED75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 009ED77D

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: f63fbe697f53347dddd421763932a87a867ccf3186ce3b89f9edc7d064d57f16
Instruction ID: b36fe7e488428fad798ded4fa8c80a315cbc1b7f3833f7c63bf412c879330267
Opcode Fuzzy Hash: f63fbe697f53347dddd421763932a87a867ccf3186ce3b89f9edc7d064d57f16
Instruction Fuzzy Hash: 27B1A9716012A9EBDF15CF6AC9C57BD7BB5BF04700F088069EC489E299DB35AE50CB90

Function 00962A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0099C1C7,00000004,00000000,00000000,00000000), ref: 00962ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0099C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00962B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0099C1C7,00000004,00000000,00000000,00000000), ref: 0099C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0099C1C7,00000004,00000000,00000000,00000000), ref: 0099C286

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: a1b33a9ba570811cdba8fd29d3ac3803a83ed9a6195b2cd38a51ca47779298c0
Instruction ID: 968b8bda32d48c3397ecd8fafd2273ec7f61756fb6da6cd437ad8b93ccb1c387
Opcode Fuzzy Hash: a1b33a9ba570811cdba8fd29d3ac3803a83ed9a6195b2cd38a51ca47779298c0
Instruction Fuzzy Hash: B641EA30618FC09BCB358BBC9CDCB7A7B99AB85310F548C1EE0974A5A1C6B5D841E710

Function 009C70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 009C70DD

Part of subcall function 00980DB6: std::exception::exception.LIBCMT ref: 00980DEC
Part of subcall function 00980DB6: __CxxThrowException@8.LIBCMT ref: 00980E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 009C7114
EnterCriticalSection.KERNEL32(?), ref: 009C7130
_memmove.LIBCMT ref: 009C717E
_memmove.LIBCMT ref: 009C719B
LeaveCriticalSection.KERNEL32(?), ref: 009C71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009C71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 009C71DE

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 6972e9f864c9e19b7518529b5ad9dcd2d6f42cc0065d14f1baea5d8f2d7694bf
Instruction ID: e653a5a6d36d4898b0bb15f477468201612a4212ebece4f7cda2db6d15252129
Opcode Fuzzy Hash: 6972e9f864c9e19b7518529b5ad9dcd2d6f42cc0065d14f1baea5d8f2d7694bf
Instruction Fuzzy Hash: D7315E31904205EBDB40EFA4DC85AABB778EF85710F1481A9F9049B256DB349E14DB61

Function 009E61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009E61EB
GetDC.USER32(00000000), ref: 009E61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009E61FE
ReleaseDC.USER32(00000000,00000000), ref: 009E620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009E6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009E6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,009E902A,?,?,000000FF,00000000,?,000000FF,?), ref: 009E6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009E62B1

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ffd383291d23eacd0fe2523afd62553bfcfd1529f8ada7fe925c103679ec4309
Instruction ID: c77419a7ee5a848724c8ecf7d75f65b61e5aba014f9ddaf4629e4a7bf0d3c7b6
Opcode Fuzzy Hash: ffd383291d23eacd0fe2523afd62553bfcfd1529f8ada7fe925c103679ec4309
Instruction Fuzzy Hash: 9A317A72214254BFEF118F51CC8AFAA3BADEF5A765F044066FE08DE291C6759C41CB60

Function 009BBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 009BBBC4
_memcmp.LIBCMT ref: 009BBBE6
_memcmp.LIBCMT ref: 009BBBFE
_memcmp.LIBCMT ref: 009BBC11
_memcmp.LIBCMT ref: 009BBC2B
_memcmp.LIBCMT ref: 009BBC3E
_memcmp.LIBCMT ref: 009BBC56
_memcmp.LIBCMT ref: 009BBC71

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c6a4e554f8973be181b225c8075b03b4bc4a0e32070b155bf22bbf299fd8b46b
Instruction ID: 5791bf1d12632748486869b12e6936b00167f55edda51820dda7d066614aa5c7
Opcode Fuzzy Hash: c6a4e554f8973be181b225c8075b03b4bc4a0e32070b155bf22bbf299fd8b46b
Instruction Fuzzy Hash: ED21C2626022197BE604B7259E42FFB775C9E913A8F044021FE44967C7EBA4DE1283A1

Function 009CEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00969837: __itow.LIBCMT ref: 00969862
Part of subcall function 00969837: __swprintf.LIBCMT ref: 009698AC

Part of subcall function 0097FC86: _wcscpy.LIBCMT ref: 0097FCA9

_wcstok.LIBCMT ref: 009CEC94
_wcscpy.LIBCMT ref: 009CED23
_memset.LIBCMT ref: 009CED56

Strings

X, xrefs: 009CED93

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 11cc3eaedccfd9f09d4ac836558a4aae3002ccc98a87011ce72caca03f582fc1
Instruction ID: 9ab3b23a39128921aa28055df6622dbb7aedac795a6830268920ad98b7152e6c
Opcode Fuzzy Hash: 11cc3eaedccfd9f09d4ac836558a4aae3002ccc98a87011ce72caca03f582fc1
Instruction Fuzzy Hash: 25C15B719083419FC764EF64C881F6AB7E4BF85354F00492DF89A9B2A2DB30ED45CB92

Function 009D6B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 009D6C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 009D6C21
WSAGetLastError.WSOCK32(00000000), ref: 009D6C34
htons.WSOCK32(?,?,?,00000000,?), ref: 009D6CEA
inet_ntoa.WSOCK32(?), ref: 009D6CA7

Part of subcall function 009BA7E9: _strlen.LIBCMT ref: 009BA7F3
Part of subcall function 009BA7E9: _memmove.LIBCMT ref: 009BA815

_strlen.LIBCMT ref: 009D6D44
_memmove.LIBCMT ref: 009D6DAD

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 15de288dff947e5348005fd247bbc7f93dc899117dba966aff525c9f253db4fb
Instruction ID: ff724e0a7006ee96dcbbfee0c1c96851d27f9c8a2964e60d7c169ef7c36c0a7c
Opcode Fuzzy Hash: 15de288dff947e5348005fd247bbc7f93dc899117dba966aff525c9f253db4fb
Instruction Fuzzy Hash: 6081CE71208300ABC710EB64DC92F6BB7ADAFD4714F108A1EF9559B2D2DA70ED04CB92

Function 00961424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2db2d268dc853a2d2c55bd1ab9f239cc8a758de04c5048e78d8a94d1395b182
Instruction ID: 4a30ed476eaa338624745acdea9d362ccfe7f2116bc6f79a383965d11a58cd55
Opcode Fuzzy Hash: a2db2d268dc853a2d2c55bd1ab9f239cc8a758de04c5048e78d8a94d1395b182
Instruction Fuzzy Hash: FB715931904109EFCB04CF98CC89EBEBB79FF85314F188159F915AB261C734AA51CBA0

Function 009EB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00B85878), ref: 009EB3EB
IsWindowEnabled.USER32(00B85878), ref: 009EB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 009EB4DB
SendMessageW.USER32(00B85878,000000B0,?,?), ref: 009EB512
IsDlgButtonChecked.USER32(?,?), ref: 009EB54F
GetWindowLongW.USER32(00B85878,000000EC), ref: 009EB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009EB589

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 6c95d7ec6e0399f1f3915d81e63ee811dbd1b57afdc351e4bfa9cbf1337931b7
Instruction ID: d64cff52381a75bcd9a6050dd9b4f0f7fc0a2a92f0abb5b846f06ec1d17189f2
Opcode Fuzzy Hash: 6c95d7ec6e0399f1f3915d81e63ee811dbd1b57afdc351e4bfa9cbf1337931b7
Instruction Fuzzy Hash: C971BB34A05284EFDB229F66C8E1FBB7BA9FF49300F104469F945972A2D731AD41DB50

Function 009DF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009DF448
_memset.LIBCMT ref: 009DF511
ShellExecuteExW.SHELL32(?), ref: 009DF556

Part of subcall function 00969837: __itow.LIBCMT ref: 00969862
Part of subcall function 00969837: __swprintf.LIBCMT ref: 009698AC

Part of subcall function 0097FC86: _wcscpy.LIBCMT ref: 0097FCA9

GetProcessId.KERNEL32(00000000), ref: 009DF5CD
CloseHandle.KERNEL32(00000000), ref: 009DF5FC

Strings

@, xrefs: 009DF525

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: d04151a46fa13828751858bf00ca18250118722a80471fd1d59949b97f76979f
Instruction ID: 1fd5fd60e397ba0e851cd22ae87fa0ddc83b88f00cf66a7de83c49f64769d792
Opcode Fuzzy Hash: d04151a46fa13828751858bf00ca18250118722a80471fd1d59949b97f76979f
Instruction Fuzzy Hash: 80618175A00619DFCB14DF94C495AAEBBF5FF89310F14846AE856AB351CB30AD41CF90

Function 009C0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 009C0F8C
GetKeyboardState.USER32(?), ref: 009C0FA1
SetKeyboardState.USER32(?), ref: 009C1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 009C1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 009C104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 009C1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 009C10B8

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7ca20a1fa0f6f7da136a7fd19306625bbd25c5c6d60879dafc27ba31273a353e
Instruction ID: 6b5a63694ad7b46afb26d329b3834141787b3d9a4959d7707fafdc01162d3181
Opcode Fuzzy Hash: 7ca20a1fa0f6f7da136a7fd19306625bbd25c5c6d60879dafc27ba31273a353e
Instruction Fuzzy Hash: 4C51D0A09087D57AFB3682348C55FBABEAD6B47304F08858DE1D4868D3C398ACC8D756

Function 009C0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 009C0DA5
GetKeyboardState.USER32(?), ref: 009C0DBA
SetKeyboardState.USER32(?), ref: 009C0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 009C0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 009C0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009C0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009C0EC9

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a480699e8746d8a80b54b48dee4c760134cdd47b84fa61887c91ab95cee50b95
Instruction ID: d9eb78e2a2d2b7626ee84685497026c1917396eb9a6c5838f9482e163558e2bf
Opcode Fuzzy Hash: a480699e8746d8a80b54b48dee4c760134cdd47b84fa61887c91ab95cee50b95
Instruction Fuzzy Hash: DF5105A0D487D5BDFB3243648C55F7A7EAD6B86300F08888DE1D5474C3C795AC84E362

Function 009C55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 009C560A
_wcsncpy.LIBCMT ref: 009C563F
_wcsncpy.LIBCMT ref: 009C5671
_wcsncpy.LIBCMT ref: 009C56A4
_wcsncpy.LIBCMT ref: 009C56E6
_wcsncpy.LIBCMT ref: 009C5720
_wcsncpy.LIBCMT ref: 009C574F

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: b47d690c97eeb87deb6102d35975610ee1bf24b8142fda70cbc0717973a33713
Instruction ID: bda0956e03d207fdfc4b5c15d0c010d0ee44bdfd6eeaef928a776c41783d4dd5
Opcode Fuzzy Hash: b47d690c97eeb87deb6102d35975610ee1bf24b8142fda70cbc0717973a33713
Instruction Fuzzy Hash: E041A376C1161476CB11FBB48C86BCFB3B89F45310F508956F918E3321EB34A685C7A6

Function 009C3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009C466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009C3697,?), ref: 009C468B

Part of subcall function 009C466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009C3697,?), ref: 009C46A4

lstrcmpiW.KERNEL32(?,?), ref: 009C36B7
_wcscmp.LIBCMT ref: 009C36D3
MoveFileW.KERNEL32(?,?), ref: 009C36EB
_wcscat.LIBCMT ref: 009C3733
SHFileOperationW.SHELL32(?), ref: 009C379F

Strings

\*.*, xrefs: 009C372D

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 7d2235e5317197d5b851acf2a21e403e1ff292e6bbbf502d4e2a3e8793cfdb78
Instruction ID: 1ba990965c120eec09f87eb50f4573032aa700c5566201265f420f673d922d61
Opcode Fuzzy Hash: 7d2235e5317197d5b851acf2a21e403e1ff292e6bbbf502d4e2a3e8793cfdb78
Instruction Fuzzy Hash: B5416EB1908344AAC751EF64C452FDFB7ECAF89380F40882EB499C7251EA34D6898B52

Function 009E7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009E72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E7351
IsMenu.USER32(?), ref: 009E7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009E73B1
DrawMenuBar.USER32 ref: 009E73C4

Strings

0, xrefs: 009E729E

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: b099584d7fdcecf67437e9bf3cfdaabdb8a52cd65d1e2fc0b76bf0758e1899f3
Instruction ID: 0e1258125f4ce31f33568950451f20bc007f66e08d226d4d94670cad183f16c7
Opcode Fuzzy Hash: b099584d7fdcecf67437e9bf3cfdaabdb8a52cd65d1e2fc0b76bf0758e1899f3
Instruction Fuzzy Hash: 17414A75A04289EFDB21DF95E884EAABBF8FB04310F14942AFD159B250D730AD50EF61

Function 009E0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 009E0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009E0FFE
FreeLibrary.KERNEL32(00000000), ref: 009E10B5

Part of subcall function 009E0FA5: RegCloseKey.ADVAPI32(?), ref: 009E101B
Part of subcall function 009E0FA5: FreeLibrary.KERNEL32(?), ref: 009E106D
Part of subcall function 009E0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 009E1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 009E1058

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 4e938de1edcf64c23cc1bf4603bf925277d7594b1092067dccc08578755c2e6e
Instruction ID: 336c499b4a9f606b781b3e03cebb212ca0c805afbea37a46e7277558082ad74f
Opcode Fuzzy Hash: 4e938de1edcf64c23cc1bf4603bf925277d7594b1092067dccc08578755c2e6e
Instruction Fuzzy Hash: 09314B71910149BFDB15DFA1DC89EFFB7BCEF08311F00016AE501A2141EB749E859AA0

Function 009E62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009E62EC
GetWindowLongW.USER32(00B85878,000000F0), ref: 009E631F
GetWindowLongW.USER32(00B85878,000000F0), ref: 009E6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 009E6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009E63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 009E63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009E63DB

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 3c18bf3d1a23c0dc1c1b6a369873272f43ff94cdbcd3f674b41aa6955a4e900a
Instruction ID: dd6ad25b69606520fc8482fa19a0f3806d4744d475552cef3d22116fb3b75523
Opcode Fuzzy Hash: 3c18bf3d1a23c0dc1c1b6a369873272f43ff94cdbcd3f674b41aa6955a4e900a
Instruction Fuzzy Hash: 42313830644285AFDB22CF6ADC88F6837E5FB6A754F181168F510CF2B2CB71AC41AB51

Function 009BDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009BDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009BDB54
SysAllocString.OLEAUT32(00000000), ref: 009BDB57
SysAllocString.OLEAUT32(?), ref: 009BDB75
SysFreeString.OLEAUT32(?), ref: 009BDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 009BDBA3
SysAllocString.OLEAUT32(?), ref: 009BDBB1

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 308cc0156db2ecc0fd06b3f1908cc4808e791bec2ae52cd394f39f948ff55ae7
Instruction ID: 86fa570a4efe7e312fe109882fedce646b19a993fa345150669e947e355f8a18
Opcode Fuzzy Hash: 308cc0156db2ecc0fd06b3f1908cc4808e791bec2ae52cd394f39f948ff55ae7
Instruction Fuzzy Hash: D8219F36605229AF9B10AFA8DC88CFB73ACEB08360B018526F914DB2A0E6749D419760

Function 009D6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009D7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009D7DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009D61C6
WSAGetLastError.WSOCK32(00000000), ref: 009D61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 009D620E
connect.WSOCK32(00000000,?,00000010), ref: 009D6217
WSAGetLastError.WSOCK32 ref: 009D6221
closesocket.WSOCK32(00000000), ref: 009D624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 009D6263

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: d1827874be8e9ea3f26a2c98b2f6d8c9f34bdca32c8ec07cf6fe7e289a2d8873
Instruction ID: bf765180698eb9a292f2df4edbac0d799bcd6e0403f0d50058ab430e3b614036
Opcode Fuzzy Hash: d1827874be8e9ea3f26a2c98b2f6d8c9f34bdca32c8ec07cf6fe7e289a2d8873
Instruction Fuzzy Hash: D531A171644118ABEF10AF64CC85BBE77ADEB85720F04842AFD15EB291DB74AC049BA1

Function 009BF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 009BF671
__wcsnicmp.LIBCMT ref: 009BF692
__wcsnicmp.LIBCMT ref: 009BF6AC

Strings

#OnAutoItStartRegister, xrefs: 009BF6A6
#notrayicon, xrefs: 009BF669
#requireadmin, xrefs: 009BF68C

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: e18c99fc24118d4bd5c38e5b6c5c03e41ae9bc5a0b4838e018bc219b77de8978
Instruction ID: ee9506bd84a62076d598400cef55becb7a678ec7a054f21a8a421151abbaacec
Opcode Fuzzy Hash: e18c99fc24118d4bd5c38e5b6c5c03e41ae9bc5a0b4838e018bc219b77de8978
Instruction Fuzzy Hash: 91217672205215A6C720BB34AE22FF773DCEF95724F10843AF94687191EF509E42C394

Function 009BDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009BDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009BDC2F
SysAllocString.OLEAUT32(00000000), ref: 009BDC32
SysAllocString.OLEAUT32 ref: 009BDC53
SysFreeString.OLEAUT32 ref: 009BDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 009BDC76
SysAllocString.OLEAUT32(?), ref: 009BDC84

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ee2acecef3f37e4e61fee6c51f7f05191a227e51bec12a43ac686b696937b422
Instruction ID: c102f97ef109130c6a1c928d75deee933099ec2b37df446b51c809c68703db04
Opcode Fuzzy Hash: ee2acecef3f37e4e61fee6c51f7f05191a227e51bec12a43ac686b696937b422
Instruction Fuzzy Hash: CE217435609205AF9B10EFA8DD88DBB77ECEB48370B108126F954CB2A1E674DD41D764

Function 009E75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00961D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00961D73
Part of subcall function 00961D35: GetStockObject.GDI32(00000011), ref: 00961D87
Part of subcall function 00961D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00961D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009E7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009E763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009E764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009E7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009E7665

Strings

Msctls_Progress32, xrefs: 009E7603

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 717d15011dc90dec76608641d5ebb1370d8f5c5e651e680e48771a25281d5bef
Instruction ID: 7da6e4c0d50106f49d4fbc91ab27e17caad6d11be85dd81ebcc1635030ec86fa
Opcode Fuzzy Hash: 717d15011dc90dec76608641d5ebb1370d8f5c5e651e680e48771a25281d5bef
Instruction Fuzzy Hash: 641193B1154219BFEF118FA5CC85EE7BF5DFF08798F014115B604A6090CA729C21DBA4

Function 00989AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00989AE6

Part of subcall function 00983187: EncodePointer.KERNEL32(00000000), ref: 0098318A
Part of subcall function 00983187: __initp_misc_winsig.LIBCMT ref: 009831A5
Part of subcall function 00983187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00989EA0
Part of subcall function 00983187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00989EB4
Part of subcall function 00983187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00989EC7
Part of subcall function 00983187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00989EDA
Part of subcall function 00983187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00989EED
Part of subcall function 00983187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00989F00
Part of subcall function 00983187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00989F13
Part of subcall function 00983187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00989F26
Part of subcall function 00983187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00989F39
Part of subcall function 00983187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00989F4C
Part of subcall function 00983187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00989F5F
Part of subcall function 00983187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00989F72
Part of subcall function 00983187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00989F85
Part of subcall function 00983187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00989F98
Part of subcall function 00983187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00989FAB
Part of subcall function 00983187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00989FBE

__mtinitlocks.LIBCMT ref: 00989AEB
__mtterm.LIBCMT ref: 00989AF4

Part of subcall function 00989B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00989AF9,00987CD0,00A1A0B8,00000014), ref: 00989C56
Part of subcall function 00989B5C: _free.LIBCMT ref: 00989C5D
Part of subcall function 00989B5C: DeleteCriticalSection.KERNEL32(00A1EC00,?,?,00989AF9,00987CD0,00A1A0B8,00000014), ref: 00989C7F

__calloc_crt.LIBCMT ref: 00989B19
__initptd.LIBCMT ref: 00989B3B
GetCurrentThreadId.KERNEL32 ref: 00989B42

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: b25364e6ac7b3f49cc4fe8ada4e0e463cf5ae4f05774b1eb325e4adf42f15562
Instruction ID: e53e54afb459ade129984b30fcb0b063e1cbf1c51a0c25d1db9bfa61bdfc6cd0
Opcode Fuzzy Hash: b25364e6ac7b3f49cc4fe8ada4e0e463cf5ae4f05774b1eb325e4adf42f15562
Instruction Fuzzy Hash: 5BF090326197116AE638B774BC077AA26949F82734F284A1EF460DA3D2FF20984143A4

Function 0098406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00983F85), ref: 00984085
GetProcAddress.KERNEL32(00000000), ref: 0098408C
EncodePointer.KERNEL32(00000000), ref: 00984097
DecodePointer.KERNEL32(00983F85), ref: 009840B2

Strings

RoUninitialize, xrefs: 00984074
combase.dll, xrefs: 00984080

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: d43c1e3544d4567edd97b6e227efb61baf9a7cd1a1f3fdc420e5c47907cbc192
Instruction ID: 109a648d839ea5b857df34f12662738104d0e89e64450f66af874ccf7f7c1dad
Opcode Fuzzy Hash: d43c1e3544d4567edd97b6e227efb61baf9a7cd1a1f3fdc420e5c47907cbc192
Instruction Fuzzy Hash: B2E04F71659301DFDF20EFA4EC4DB213AA4BF05742F004135F611D91E0CB7A4A12EB00

Function 009C64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009C660B
_memmove.LIBCMT ref: 009C6546

Part of subcall function 00969837: __itow.LIBCMT ref: 00969862
Part of subcall function 00969837: __swprintf.LIBCMT ref: 009698AC

_memmove.LIBCMT ref: 009C65B9
_memmove.LIBCMT ref: 009C66A0
_memmove.LIBCMT ref: 009C66B9
_memmove.LIBCMT ref: 009C66D5

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 7b8d150d4dffc274eb5c4e00e4e4c626159194984b3619a6c06686e6ad4028b5
Instruction ID: 7cc8f597cc89fbe3417b97298802ff330d79d3e7fc74fd8e95a3d046c1d42190
Opcode Fuzzy Hash: 7b8d150d4dffc274eb5c4e00e4e4c626159194984b3619a6c06686e6ad4028b5
Instruction Fuzzy Hash: 21618C3090065A9BCF01EFA4CD82FFE77A9AF85308F044919F9595B292DB35ED05CB52

Function 009E01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00967DE1: _memmove.LIBCMT ref: 00967E22

Part of subcall function 009E0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DFDAD,?,?), ref: 009E0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009E02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 009E0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009E0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 009E038C
RegCloseKey.ADVAPI32(00000000), ref: 009E0399

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: bb6a8fe599f3ad83b6a7b8e9c75e4453fb87e24d6f411e0ea2d850c6c78ef884
Instruction ID: 52b0812dd52aefeba012ceb2cfe7def614a1659f77749b3ac4775a984587a54c
Opcode Fuzzy Hash: bb6a8fe599f3ad83b6a7b8e9c75e4453fb87e24d6f411e0ea2d850c6c78ef884
Instruction Fuzzy Hash: 99514531208240AFCB15EB64C895EAEBBE8FFC4314F44492DF5958B2A2DB71ED45CB52

Function 009E5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 009E57FB
GetMenuItemCount.USER32(00000000), ref: 009E5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009E585A
GetMenuItemID.USER32(?,?), ref: 009E58C9
GetSubMenu.USER32(?,?), ref: 009E58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 009E5928

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 73b44ec8947057050651b395929dbb701fa658c1e210acb247a66f3be432c884
Instruction ID: 8ac89f407dd24f29eccf0a923b24ff835f29b557d1017838c80b0e5616e3d585
Opcode Fuzzy Hash: 73b44ec8947057050651b395929dbb701fa658c1e210acb247a66f3be432c884
Instruction Fuzzy Hash: 27518F31E00659EFCF11EF65C885AAEB7B8EF88324F114069E801BB351CB34AE41DB90

Function 009BEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009BEF06
VariantClear.OLEAUT32(00000013), ref: 009BEF78
VariantClear.OLEAUT32(00000000), ref: 009BEFD3
_memmove.LIBCMT ref: 009BEFFD
VariantClear.OLEAUT32(?), ref: 009BF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009BF078

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 7713a64df5d981fde4d5995746f4bcac7750c03328ece14614fc77b6b1cc3954
Instruction ID: 0c0a3101fdfffaf3be5774fe76208eecfcca0b9b33afd449f5b20cf2d27e9e97
Opcode Fuzzy Hash: 7713a64df5d981fde4d5995746f4bcac7750c03328ece14614fc77b6b1cc3954
Instruction Fuzzy Hash: B45169B5A00209EFCB14DF58C894AAAB7B8FF4C314B15856AED59DB351E334E911CFA0

Function 009C220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009C2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C22A3
IsMenu.USER32(00000000), ref: 009C22C3
CreatePopupMenu.USER32 ref: 009C22F7
GetMenuItemCount.USER32(000000FF), ref: 009C2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 009C2386

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: bf617f278d6ebc0592c0da524da7158c51d4bdb1b81302ddd5272c29846a3e80
Instruction ID: edc46e4c384d21e404a5de11e26a15880d111a2b62ef52829a616b75e1749d1d
Opcode Fuzzy Hash: bf617f278d6ebc0592c0da524da7158c51d4bdb1b81302ddd5272c29846a3e80
Instruction Fuzzy Hash: F651C130A0428ADFDF25CF68C988FADBBF9BF45B14F10452DE8119B290D7799904CB52

Function 00961765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0096179A
GetWindowRect.USER32(?,?), ref: 009617FE
ScreenToClient.USER32(?,?), ref: 0096181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0096182C
EndPaint.USER32(?,?), ref: 00961876

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: d0c2b984f9da52e7dafa0ea5d63515e9fd38e4d36de260878d42858369b4b2a7
Instruction ID: 3558b1821ef7fe307f23fd17ef64b35600afc043741560efb025664523cd833f
Opcode Fuzzy Hash: d0c2b984f9da52e7dafa0ea5d63515e9fd38e4d36de260878d42858369b4b2a7
Instruction Fuzzy Hash: 9B41C1305043009FDB10DF69DC84FBA7BE8FB49724F084669F5A48B1A1C7709C46EB61

Function 009EB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00A257B0,00000000,00B85878,?,?,00A257B0,?,009EB5A8,?,?), ref: 009EB712
EnableWindow.USER32(00000000,00000000), ref: 009EB736
ShowWindow.USER32(00A257B0,00000000,00B85878,?,?,00A257B0,?,009EB5A8,?,?), ref: 009EB796
ShowWindow.USER32(00000000,00000004,?,009EB5A8,?,?), ref: 009EB7A8
EnableWindow.USER32(00000000,00000001), ref: 009EB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 009EB7EF

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f5682e69445755aba82d3d9d7b09dc14f476714e26ad0b183db77c7454667255
Instruction ID: 1e09dd2aa9f7ebe1f0f4d23a682e9f1d59afc64b212ba2dfed757c8f430d055d
Opcode Fuzzy Hash: f5682e69445755aba82d3d9d7b09dc14f476714e26ad0b183db77c7454667255
Instruction Fuzzy Hash: BC417F34604284AFDB22CF25C499B967BE5FF45710F1881B9E9488FEA3C732AC56CB51

Function 009D709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,009D4E41,?,?,00000000,00000001), ref: 009D70AC

Part of subcall function 009D39A0: GetWindowRect.USER32(?,?), ref: 009D39B3

GetDesktopWindow.USER32 ref: 009D70D6
GetWindowRect.USER32(00000000), ref: 009D70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 009D710F

Part of subcall function 009C5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009C52BC

GetCursorPos.USER32(?), ref: 009D713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009D7199

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 884f94f2fe04387b725a15845d17d79adccf53fd6775a8715cedb7a54c8bf2dc
Instruction ID: 4273e7b7fcbe5d12c17c9aa744db24d7d6b9ff70c244d085dab39b3d6070ea0b
Opcode Fuzzy Hash: 884f94f2fe04387b725a15845d17d79adccf53fd6775a8715cedb7a54c8bf2dc
Instruction Fuzzy Hash: 2731D272509345ABD720DF54C849F9BB7EAFF88314F004A1AF5959B291DB30EE09CB92

Function 009B8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009B80C0
Part of subcall function 009B80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009B80CA
Part of subcall function 009B80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009B80D9
Part of subcall function 009B80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009B80E0
Part of subcall function 009B80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009B80F6

GetLengthSid.ADVAPI32(?,00000000,009B842F), ref: 009B88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009B88D6
HeapAlloc.KERNEL32(00000000), ref: 009B88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 009B88F6
GetProcessHeap.KERNEL32(00000000,00000000,009B842F), ref: 009B890A
HeapFree.KERNEL32(00000000), ref: 009B8911

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 43996cb91d68243697c5b30eeeef8a3a2435372957e63cff3f13cfc11085e332
Instruction ID: b5d1d389c4e51b159fb2283f354d4d559a5e1bb3e25e3e5625dab09bb11f7952
Opcode Fuzzy Hash: 43996cb91d68243697c5b30eeeef8a3a2435372957e63cff3f13cfc11085e332
Instruction Fuzzy Hash: 9F119D31525209FBDB119FA4DD59BFF7B6CEB89321F108029E84597150CB329E00DB60

Function 009B85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009B85E2
OpenProcessToken.ADVAPI32(00000000), ref: 009B85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009B85F8
CloseHandle.KERNEL32(00000004), ref: 009B8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009B8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 009B8646

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 3f533df7d78eeb777f99ebcae3ff1873bcb335c3ca2ec690d5de4d686cc6f47c
Instruction ID: 7769f1ad2ff97f8746ec202fe35d7272145793af1baf3bcf2f2fc157efd811da
Opcode Fuzzy Hash: 3f533df7d78eeb777f99ebcae3ff1873bcb335c3ca2ec690d5de4d686cc6f47c
Instruction Fuzzy Hash: CB11367250524EABDB118FA4ED89BEE7BADEB48354F044065BE04A6160C6728E60EB60

Function 009BB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009BB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 009BB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009BB7CD
ReleaseDC.USER32(00000000,00000000), ref: 009BB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 009BB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 009BB7FE

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 3221894295ede9640c43fc367daa35db838e8df5bf5a2c70495b86e90e76a16f
Instruction ID: 96f77dfe68cee3a91f26474009bf2ef006b38c17982a0d12d8a13c9d0ab12d14
Opcode Fuzzy Hash: 3221894295ede9640c43fc367daa35db838e8df5bf5a2c70495b86e90e76a16f
Instruction Fuzzy Hash: E4018475E04249BBEF109BE69D89B5EBFB8EB48721F004076FA04AB291D6709D00CF91

Function 00980162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00980193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0098019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 009801A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 009801B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 009801B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 009801C1

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 1083af9b1c8a085c1a72966f008ff145fa48365030788d43d8f3a089c36fb9fd
Instruction ID: 19e373fa8d6b581dbb484b1c3b89e7bd92cf471ae6b83a90461989590ba2832d
Opcode Fuzzy Hash: 1083af9b1c8a085c1a72966f008ff145fa48365030788d43d8f3a089c36fb9fd
Instruction Fuzzy Hash: 75016CB09017597DE3008F5A8C85B52FFA8FF19754F00411BA15C4B941C7F5AC64CBE5

Function 009C53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009C53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009C540F
GetWindowThreadProcessId.USER32(?,?), ref: 009C541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009C542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009C5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009C543E

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6bd225658dcfe2a0e487ee5533d29f979bd81c41788cc33b81a178525a3f2222
Instruction ID: e08cb2b02d12f21334a274d0c31ff86d2e269bb0143b18ebb78f43c2b92e0bc4
Opcode Fuzzy Hash: 6bd225658dcfe2a0e487ee5533d29f979bd81c41788cc33b81a178525a3f2222
Instruction Fuzzy Hash: 89F0903225859CBBE7205BA2DC4DEEF7B7CEFC6B11F00016AFA04D50A0D7A01E0196B5

Function 009C7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 009C7243
EnterCriticalSection.KERNEL32(?,?,00970EE4,?,?), ref: 009C7254
TerminateThread.KERNEL32(00000000,000001F6,?,00970EE4,?,?), ref: 009C7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00970EE4,?,?), ref: 009C726E

Part of subcall function 009C6C35: CloseHandle.KERNEL32(00000000,?,009C727B,?,00970EE4,?,?), ref: 009C6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 009C7281
LeaveCriticalSection.KERNEL32(?,?,00970EE4,?,?), ref: 009C7288

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 75fc37f3d77fcd79c4163417b0e354804d088e2e57fcf2ec23468c99df75adb9
Instruction ID: 3809df6d09e3250114f30da4cc353fa94b4b373538347d0ba45f6f740d98a9f1
Opcode Fuzzy Hash: 75fc37f3d77fcd79c4163417b0e354804d088e2e57fcf2ec23468c99df75adb9
Instruction Fuzzy Hash: F4F0BE36858602EBD7111B64EC8CEEA7729EF48302B010136F213981A0CB761C00DB50

Function 009B8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 009B899D
UnloadUserProfile.USERENV(?,?), ref: 009B89A9
CloseHandle.KERNEL32(?), ref: 009B89B2
CloseHandle.KERNEL32(?), ref: 009B89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 009B89C3
HeapFree.KERNEL32(00000000), ref: 009B89CA

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 21d146d8fead2fa7ff34a6e2b93bb70f8bd86ecf8a64f89718cbe668afdf905c
Instruction ID: 4f493f989d6f2853d277519f81224fddb567eda3061782d177cb7af2a4707450
Opcode Fuzzy Hash: 21d146d8fead2fa7ff34a6e2b93bb70f8bd86ecf8a64f89718cbe668afdf905c
Instruction Fuzzy Hash: AEE0C236018445FBDA011FE1EC5C90ABB69FB89362B108232F219890B0CB329860EB50

Function 009D85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009D8613
CharUpperBuffW.USER32(?,?), ref: 009D8722
VariantClear.OLEAUT32(?), ref: 009D889A

Part of subcall function 009C7562: VariantInit.OLEAUT32(00000000), ref: 009C75A2
Part of subcall function 009C7562: VariantCopy.OLEAUT32(00000000,?), ref: 009C75AB
Part of subcall function 009C7562: VariantClear.OLEAUT32(00000000), ref: 009C75B7

Strings

AUTOIT.ERROR, xrefs: 009D8728
Incorrect Parameter format, xrefs: 009D864B, 009D880D

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 2703840ccedf857b27d1e9628613d54c6c3002b850d07960ea575eea2b438ba5
Instruction ID: 161372ae81be3c4acd8f979a945718710ddfe85ccbbf4b34818086f26b8132e5
Opcode Fuzzy Hash: 2703840ccedf857b27d1e9628613d54c6c3002b850d07960ea575eea2b438ba5
Instruction Fuzzy Hash: 12916D716083019FC710DF24C484A5BBBE8EFC9754F54896EF89A8B3A2DB31E905CB52

Function 009C2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0097FC86: _wcscpy.LIBCMT ref: 0097FCA9

_memset.LIBCMT ref: 009C2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009C2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009C2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 009C2C97

Strings

0, xrefs: 009C2B73

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 8db7287b00937cfca902e719b9ee636b1d90384c226d5fc36731872c6875b891
Instruction ID: 89dc6c262fbc33aa3a347e6d5e2acbeeb6d11ac27731bc5f623f484129e97894
Opcode Fuzzy Hash: 8db7287b00937cfca902e719b9ee636b1d90384c226d5fc36731872c6875b891
Instruction Fuzzy Hash: 2E51BA71A083009AD724AF28D885F6FBBE8AF99310F040A6DF895D7291DB70CD049B93

Function 009BD56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009BD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009BD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009BD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009BD69D

Strings

DllGetClassObject, xrefs: 009BD610

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 732bfd572ffc3aa5c66a70851fcb0e57be7fbc08b35b18bc1a5d9dd3080930b7
Instruction ID: 473c6ca7c23de51961a351017ee1088c8ea9def6bd2cbd2d388f098d11c0e7e2
Opcode Fuzzy Hash: 732bfd572ffc3aa5c66a70851fcb0e57be7fbc08b35b18bc1a5d9dd3080930b7
Instruction Fuzzy Hash: 224192B5601208EFDB15CF54C984BDA7BB9EF44324F1580A9ED099F205E7B5DE40CBA0

Function 009C2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009C27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009C27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 009C2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A25890,00000000), ref: 009C286B

Strings

0, xrefs: 009C27B5

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 45df426f3b70183cf47b14a3219d7e9f5441b7e16318f342b24afe147b907b93
Instruction ID: b2dfda7860fa67d3acad6ec7bce0d31cb9b27f0369933ae03e21e0fe55eacaee
Opcode Fuzzy Hash: 45df426f3b70183cf47b14a3219d7e9f5441b7e16318f342b24afe147b907b93
Instruction Fuzzy Hash: 5E417E70A083419FDB20DF24D884F6ABBE8AF85314F144A2DF965972D1DB30E905CB63

Function 009DD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 009DD7C5

Part of subcall function 0096784B: _memmove.LIBCMT ref: 00967899

Strings

none, xrefs: 009DD8A0
cdecl, xrefs: 009DD81C
stdcall, xrefs: 009DD847
winapi, xrefs: 009DD836

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: c00040611f2cabab6c722bc3ae02f81787aa5d1706a8b56729f8b136c2bebab7
Instruction ID: 1074c067c79b2227b9cc7c26cee52ac9d89e04b89f4027e3de4dbbd17ae84e1c
Opcode Fuzzy Hash: c00040611f2cabab6c722bc3ae02f81787aa5d1706a8b56729f8b136c2bebab7
Instruction Fuzzy Hash: 3831B271904619ABCF00EF94CC51AEEB7B8FF54320B108A2AE865977D1DB31ED05CB80

Function 009B8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00967DE1: _memmove.LIBCMT ref: 00967E22

Part of subcall function 009BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009BAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009B8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 009B8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 009B8F57

Part of subcall function 00967BCC: _memmove.LIBCMT ref: 00967C06

Strings

ListBox, xrefs: 009B8ED3
ComboBox, xrefs: 009B8E9E

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: b721dff1cd45614b314c1eb1040a585c474a55629f8d592642ba2dfd121bcb53
Instruction ID: 308e0888835c8b7038e2bf9a50eb20708f98f30239bfd084d8537d56ad9e6690
Opcode Fuzzy Hash: b721dff1cd45614b314c1eb1040a585c474a55629f8d592642ba2dfd121bcb53
Instruction Fuzzy Hash: F121F071A04108BBDB14ABB0CD89EFFB76DDF89364B00452AF421972E1DE394D4AD660

Function 009D182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009D184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009D1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009D18A2
InternetCloseHandle.WININET(00000000), ref: 009D18E9

Part of subcall function 009D2483: GetLastError.KERNEL32(?,?,009D1817,00000000,00000000,00000001), ref: 009D2498
Part of subcall function 009D2483: SetEvent.KERNEL32(?,?,009D1817,00000000,00000000,00000001), ref: 009D24AD

Strings

, xrefs: 009D1893

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 1268c7b4a0e77ee049ad393d7e2caff42a76d6cc3a9f359c2f439f32e0a2f3d0
Instruction ID: 00363d906671f009866a85387cac0d911a748d1d30d7a2ea76a9276894c928a7
Opcode Fuzzy Hash: 1268c7b4a0e77ee049ad393d7e2caff42a76d6cc3a9f359c2f439f32e0a2f3d0
Instruction Fuzzy Hash: 8821BEB2544208BFEB11DB60DC85FBB77EDEB88744F10812BF805A6340EA358D04A7A0

Function 009E63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00961D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00961D73
Part of subcall function 00961D35: GetStockObject.GDI32(00000011), ref: 00961D87
Part of subcall function 00961D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00961D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009E6461
LoadLibraryW.KERNEL32(?), ref: 009E6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009E647D
DestroyWindow.USER32(?), ref: 009E6485

Strings

SysAnimate32, xrefs: 009E643C

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: c537e6266e619843ce2e48ebe88ee47307536431e78641479209ddf4064e3efb
Instruction ID: 8ac16ab22f05a3593edc19e62063fb5f8054a793abcfe4ab1566f1dfbf31dad9
Opcode Fuzzy Hash: c537e6266e619843ce2e48ebe88ee47307536431e78641479209ddf4064e3efb
Instruction Fuzzy Hash: E9219F71110289BFEF124FA6DC90EBB37ADEB697A4F104629F910960E0E731DC41A760

Function 009C6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009C6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009C6DEF
GetStdHandle.KERNEL32(0000000C), ref: 009C6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 009C6E3B

Strings

nul, xrefs: 009C6E36

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: ea27719af4d592083e289108a1dce9f1534d39471b905d7f09d96bcd55e747c2
Instruction ID: 227bb33ca4399dbe062b51c4d373907591e00dabd6dc4dd1046304f7830fc946
Opcode Fuzzy Hash: ea27719af4d592083e289108a1dce9f1534d39471b905d7f09d96bcd55e747c2
Instruction Fuzzy Hash: 25219575A00209ABDB209F29DC45F997BF8EF84720F204A1EFDA1D72D0D7709951DB52

Function 009C6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009C6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009C6EBB
GetStdHandle.KERNEL32(000000F6), ref: 009C6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009C6F06

Strings

nul, xrefs: 009C6F01

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 92172d6ba7fb249b364f6bce466abc7697683f15cd061d6ba5064a80d140b4ab
Instruction ID: cd8aa686188b5972fcea64d74e401a0188c066e1e24442ec5dc24825554ea254
Opcode Fuzzy Hash: 92172d6ba7fb249b364f6bce466abc7697683f15cd061d6ba5064a80d140b4ab
Instruction Fuzzy Hash: CD219079900305ABDB209F69DC44FAA77E8AF45720F200A1EF9A1D72D0D770A861CB52

Function 009CAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009CAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 009CACA8
__swprintf.LIBCMT ref: 009CACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,009EF910), ref: 009CACFF

Strings

%lu, xrefs: 009CACBB

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: fe9175f1e2571dc27b4c58bc932be88df969d44558271d2cdefafa7b11fbdc55
Instruction ID: 7cae92824bef17b254bcfdf4d20c73468154541fc7f5a12b5642f1cdb2c50318
Opcode Fuzzy Hash: fe9175f1e2571dc27b4c58bc932be88df969d44558271d2cdefafa7b11fbdc55
Instruction Fuzzy Hash: 99214470A0014DAFCB10DF59C985EEE77B8FF89714B008469F9099B251DB71EE41DB61

Function 009C1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009C1B19

Strings

APPEND, xrefs: 009C1B52
EXISTS, xrefs: 009C1B41
KEYS, xrefs: 009C1B30
REMOVE, xrefs: 009C1B1F

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: e694c8301e76d2820c8e3240e48ce8972f92b9f44e775bbf4f9a32ff20e72930
Instruction ID: 61623f3468bf524ee15330d81c27d26f5328a4519cdb52cd96a101a5dddac936
Opcode Fuzzy Hash: e694c8301e76d2820c8e3240e48ce8972f92b9f44e775bbf4f9a32ff20e72930
Instruction Fuzzy Hash: 851161349101088FCF44EF94D856AFEB7B5FFA6704B504469D81467396EB329D0ACF54

Function 009DEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009DEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 009DEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 009DED6A
CloseHandle.KERNEL32(?), ref: 009DEDEB

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: b2388887e986c00c6a1f6bd7049f2e2f6ae32d2478fda550585a673832187f2e
Instruction ID: d9a9bcf712e0eaef1f86e100a20c320d2a0325fb1e38747dad4eb7f2775fb100
Opcode Fuzzy Hash: b2388887e986c00c6a1f6bd7049f2e2f6ae32d2478fda550585a673832187f2e
Instruction Fuzzy Hash: D98170B16443009FD720EF28C896F2AB7E9AF94750F04891EF9999B3D2DA70AC40CB51

Function 009E0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00967DE1: _memmove.LIBCMT ref: 00967E22

Part of subcall function 009E0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DFDAD,?,?), ref: 009E0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009E013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 009E0183
RegCloseKey.ADVAPI32(?,?), ref: 009E01AF
RegCloseKey.ADVAPI32(00000000), ref: 009E01BC

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: eeed96d361263126fc7ce268267745bb0cdb47cb851779eaba94021d4d06ea40
Instruction ID: e4e2dd0eeb1c08546d7ea606f103eb6c7dba88d238ee057113638e5a507922d4
Opcode Fuzzy Hash: eeed96d361263126fc7ce268267745bb0cdb47cb851779eaba94021d4d06ea40
Instruction Fuzzy Hash: E8515671208244AFC715EF68C881FAAB7E8BFC4314F40892DF5958B2A2DB71ED44CB52

Function 009DD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00969837: __itow.LIBCMT ref: 00969862
Part of subcall function 00969837: __swprintf.LIBCMT ref: 009698AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 009DD927
GetProcAddress.KERNEL32(00000000,?), ref: 009DD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 009DD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 009DDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 009DDA21

Part of subcall function 00965A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009C7896,?,?,00000000), ref: 00965A2C
Part of subcall function 00965A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009C7896,?,?,00000000,?,?), ref: 00965A50

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 9066e80c17d156be30649e153945183889f51ff7d06668add56cfd67c4d10f60
Instruction ID: d5b812317ab049386e66eb1c8e3498d9d1a29503681aa15fdaca8baab9c5ba51
Opcode Fuzzy Hash: 9066e80c17d156be30649e153945183889f51ff7d06668add56cfd67c4d10f60
Instruction Fuzzy Hash: 26512535A05209DFCB00EFA8C494AADB7F8FF59320B05C06AE855AB312D731AD45CF90

Function 009CE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009CE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 009CE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 009CE687

Part of subcall function 00969837: __itow.LIBCMT ref: 00969862
Part of subcall function 00969837: __swprintf.LIBCMT ref: 009698AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 009CE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009CE6B4

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: e90014bba4ae2a2bef2dcfd14af030315c78993e63e045a8d6112b7e0709d980
Instruction ID: f271c00c210f4f877eca3a2cc1f8e2a97ae302be78c4160b0f0027e53b1fc316
Opcode Fuzzy Hash: e90014bba4ae2a2bef2dcfd14af030315c78993e63e045a8d6112b7e0709d980
Instruction Fuzzy Hash: EE510D35A10105DFCB01EFA4C981AAEBBF9EF49314F1480A9E919AB362CB31ED11DF51

Function 009EA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69ad7347d707d01083008def2e28831387418013b90de47f6ff0ccf2e076df7
Instruction ID: 41e9c638ff7b8f009f0d1c1986ad4877794697f0d66030120974e7b33c354474
Opcode Fuzzy Hash: a69ad7347d707d01083008def2e28831387418013b90de47f6ff0ccf2e076df7
Instruction Fuzzy Hash: A041D535908284AFD722DF79CC98FA9BBA8EB09310F154565F815A72F0CB70BD41EA51

Function 00962344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00962357
ScreenToClient.USER32(00A257B0,?), ref: 00962374
GetAsyncKeyState.USER32(00000001), ref: 00962399
GetAsyncKeyState.USER32(00000002), ref: 009623A7

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: a6f7e1366d4c2e4c930819813e49384844fdfbac31c4ea05e471f580fe7c3464
Instruction ID: 4e5b90e62cea45853094e56de68dc1391bb586ce9d0bcc8f7a2482a95a065d98
Opcode Fuzzy Hash: a6f7e1366d4c2e4c930819813e49384844fdfbac31c4ea05e471f580fe7c3464
Instruction Fuzzy Hash: A7416075608609FBCF159F68CC44EEDBB78BB45760F20435AF82996290C7349D50DB91

Function 009B63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009B63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 009B6433
TranslateMessage.USER32(?), ref: 009B645C
DispatchMessageW.USER32(?), ref: 009B6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009B6475

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 18f0390e0f490ddbf0c1a0f01c420a3bc0dcdd046175e5c7ea55dd100c0d4d1e
Instruction ID: ce0a564657f7d6926857da16d31b289e7e33a4da2d5dd7816d864272500a69ce
Opcode Fuzzy Hash: 18f0390e0f490ddbf0c1a0f01c420a3bc0dcdd046175e5c7ea55dd100c0d4d1e
Instruction Fuzzy Hash: E731B231904A46AFDB24CFB49D88BF67BADBB01320F144579E425C61B0E77DB886DB60

Function 009B8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009B8A30
PostMessageW.USER32(?,00000201,00000001), ref: 009B8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 009B8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 009B8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 009B8AF8

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 8e44972ac7b36786ab7c7e52c0d64629eed2049f97c6f3a4c6f8e747cddc5b07
Instruction ID: 29609bdbc27a842a4c21aac94afc598c4212f28c929a9944c2aa8f7222dda833
Opcode Fuzzy Hash: 8e44972ac7b36786ab7c7e52c0d64629eed2049f97c6f3a4c6f8e747cddc5b07
Instruction Fuzzy Hash: 4E31D171500219EBDF14CF68DA8CADE3BB9EB08325F10822AF924EA1D0C7B09D10DB90

Function 009BB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 009BB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 009BB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 009BB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 009BB27F
_wcsstr.LIBCMT ref: 009BB289

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 3ce7ea664cbd2688e21a117a35fc63c6a03c64430c7a812a7ec4fe24bb4bfcbb
Instruction ID: 006ce2c45ffb27055fb5b15f367fdeb9b4a719de53146c0a4060de4d71b488e5
Opcode Fuzzy Hash: 3ce7ea664cbd2688e21a117a35fc63c6a03c64430c7a812a7ec4fe24bb4bfcbb
Instruction Fuzzy Hash: 2621F5322042447BEB256B79DD49EBF7B9CDF99720F00413AF808DE1A1EBA5DC409360

Function 009EB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

GetWindowLongW.USER32(?,000000F0), ref: 009EB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 009EB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 009EB1CF
GetSystemMetrics.USER32(00000004), ref: 009EB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,009D0E90,00000000), ref: 009EB216

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: d7895c9401d13dd956e1866113ab3e6f4d7775c41cc25e3292192edc492855e6
Instruction ID: e873b88a050fc9fb632f6846f628365ae91b6f2193fbc0833d3df19821110e25
Opcode Fuzzy Hash: d7895c9401d13dd956e1866113ab3e6f4d7775c41cc25e3292192edc492855e6
Instruction Fuzzy Hash: 362171719146A5AFCB119F799C54A6B37A8FB15331F104A35B932D72E0D7309C119B90

Function 009B9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009B9320

Part of subcall function 00967BCC: _memmove.LIBCMT ref: 00967C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009B9352
__itow.LIBCMT ref: 009B936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009B9392
__itow.LIBCMT ref: 009B93A3

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 18b9b44f2a7ac20349c2ba2b9bb52aeeaadaf5b2976f711fee84b3444d19f2ad
Instruction ID: 84e896b98a966acf079b485467141841ddbec519f78f3f25c573285da132e386
Opcode Fuzzy Hash: 18b9b44f2a7ac20349c2ba2b9bb52aeeaadaf5b2976f711fee84b3444d19f2ad
Instruction Fuzzy Hash: 3B21D431714208BBDB10AAA48DC9FEE7BEDEF89B24F044025FA45DB2D1D6B08D459791

Function 009D5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 009D5A6E
GetForegroundWindow.USER32 ref: 009D5A85
GetDC.USER32(00000000), ref: 009D5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 009D5ACD
ReleaseDC.USER32(00000000,00000003), ref: 009D5B08

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 26d717a7cf0e12a5f61c7c78cdc176f5cf5e9102a3507c218aa0f35131a84eff
Instruction ID: 724dbb7da760f8bc57282529b212f1e4e9fa3364c34fb38a6c5c70f532322d9a
Opcode Fuzzy Hash: 26d717a7cf0e12a5f61c7c78cdc176f5cf5e9102a3507c218aa0f35131a84eff
Instruction Fuzzy Hash: 38218175A00114EFDB14EF65DC94B9ABBE9EF88710F14C47AF80997362DA30AD00DB90

Function 009612F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0096134D
SelectObject.GDI32(?,00000000), ref: 0096135C
BeginPath.GDI32(?), ref: 00961373
SelectObject.GDI32(?,00000000), ref: 0096139C

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4958ec173ec5507631d390411a179b424dc8d670cff5c6474c3586ceeaf7e73e
Instruction ID: 570474d862dfc10029a6747afea887929aaf613ed24fbeb15f6c1aff823688e4
Opcode Fuzzy Hash: 4958ec173ec5507631d390411a179b424dc8d670cff5c6474c3586ceeaf7e73e
Instruction Fuzzy Hash: 2E213E30C04608EBDB21DF79DD45B797BA8FB00322F184226E8119A6B0D7B59993EF90

Function 009BBC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 009BBCB3
_memcmp.LIBCMT ref: 009BBCD1
_memcmp.LIBCMT ref: 009BBCE4
_memcmp.LIBCMT ref: 009BBCFC
_memcmp.LIBCMT ref: 009BBD14

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 09a23afd12e8303da0cb3e3bf39747c07fddfbfbf9284a4b50d1f287f1701eed
Instruction ID: 39405ba615197359d36dbe3b3807dab158a5ae2e7523914bbce49228ce7cf29f
Opcode Fuzzy Hash: 09a23afd12e8303da0cb3e3bf39747c07fddfbfbf9284a4b50d1f287f1701eed
Instruction Fuzzy Hash: FF01B5B16011097BD204AB25DE42FFBB75CDE913A8F044421FE45963C2EB94DE11C3E0

Function 009C4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009C4ABA
__beginthreadex.LIBCMT ref: 009C4AD8
MessageBoxW.USER32(?,?,?,?), ref: 009C4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 009C4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009C4B0A

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 0c94729ba905fa9a5706f84206ff01b9d9e3967f546aa866de1759617545f3a2
Instruction ID: 8368c8067c301a032d7183907879cca878b82f5258e8209cf905c24f9e2ea677
Opcode Fuzzy Hash: 0c94729ba905fa9a5706f84206ff01b9d9e3967f546aa866de1759617545f3a2
Instruction Fuzzy Hash: 9411E176E08648BBC7119BB8AC58FEE7BADAB85320F14426AF814D3291D671CD0187A1

Function 009B8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009B821E
GetLastError.KERNEL32(?,009B7CE2,?,?,?), ref: 009B8228
GetProcessHeap.KERNEL32(00000008,?,?,009B7CE2,?,?,?), ref: 009B8237
HeapAlloc.KERNEL32(00000000,?,009B7CE2,?,?,?), ref: 009B823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009B8255

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 287f4a6f03bea096b1b2d955aa72ec1422766e37049218fa35fd684d9d1e60de
Instruction ID: b73671960825904ea79a5404ff3d4b8df522c4b5a31bce189b4b8f98209d734f
Opcode Fuzzy Hash: 287f4a6f03bea096b1b2d955aa72ec1422766e37049218fa35fd684d9d1e60de
Instruction Fuzzy Hash: 8D0186B1214649FFDB104FA5DD98DA77F6CEF8A7A4750442AF819C7160DB318C00DA60

Function 009B710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B7044,80070057,?,?,?,009B7455), ref: 009B7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B7044,80070057,?,?), ref: 009B7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B7044,80070057,?,?), ref: 009B7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B7044,80070057,?), ref: 009B7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B7044,80070057,?,?), ref: 009B716C

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 2de28bf3a3f0407611849825cff9107710d7b07f718d66c152f405ed218cff2b
Instruction ID: e54bbdfcdb84728548156a2ab43e2cf608cc8f7ecc9a47e5e72442353e907983
Opcode Fuzzy Hash: 2de28bf3a3f0407611849825cff9107710d7b07f718d66c152f405ed218cff2b
Instruction Fuzzy Hash: 870184B2619208BBDB114FA8DD84BAABBADEF847A1F144165FD05D6210D731DD40A7A0

Function 009C5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009C5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 009C526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 009C5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 009C5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009C52BC

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2dbf26efd9f257f07083f946b92bff365d20dcec90af26991d557f3ae395952f
Instruction ID: 3ff7e83340ade3348a72081c3fedb6ec558914742acfe85fa525db152a354e98
Opcode Fuzzy Hash: 2dbf26efd9f257f07083f946b92bff365d20dcec90af26991d557f3ae395952f
Instruction Fuzzy Hash: 50016D31D09A1DDBCF00DFE4E899AEDBBB8FB0D311F41045AE951B6180CB3469909BA2

Function 009B810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009B8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009B812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009B8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B8157

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8f684dd37e3843c4c500991bf8a4815e76b5fc97b350cd563678ea5d6c25379f
Instruction ID: fdd0d98e5e745aad32c4212a28b6c208f23edf717f09dd882b32bd961081cfe7
Opcode Fuzzy Hash: 8f684dd37e3843c4c500991bf8a4815e76b5fc97b350cd563678ea5d6c25379f
Instruction Fuzzy Hash: DAF06871219344AFDB110F65DCD8EA73BACFF89765B000026F545D6150CB619D41EA60

Function 009BC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 009BC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 009BC20E
MessageBeep.USER32(00000000), ref: 009BC226
KillTimer.USER32(?,0000040A), ref: 009BC242
EndDialog.USER32(?,00000001), ref: 009BC25C

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: b0c7420d6b136de403fe85a2ddc02cfe224587707e0147bd5eadd4bfe9e95307
Instruction ID: f5bdda1c8c20cf9b92b8560c97688115f41a1c83bddec39a306ad09f8296ff1e
Opcode Fuzzy Hash: b0c7420d6b136de403fe85a2ddc02cfe224587707e0147bd5eadd4bfe9e95307
Instruction Fuzzy Hash: 2601DB70414708A7EB205B60DD9EFD6777CFF00B06F00066AF552954E0D7F4AD449B50

Function 009613B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009613BF
StrokeAndFillPath.GDI32(?,?,0099B888,00000000,?), ref: 009613DB
SelectObject.GDI32(?,00000000), ref: 009613EE
DeleteObject.GDI32 ref: 00961401
StrokePath.GDI32(?), ref: 0096141C

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 53f3bed7e459d766286168d233e2583f1e0e3334ecb40a3221643e34e7504502
Instruction ID: 5e10cfdf0e297b0b673d92df90028c6380904ef5b8b7ec4c2c0370d0f22d26da
Opcode Fuzzy Hash: 53f3bed7e459d766286168d233e2583f1e0e3334ecb40a3221643e34e7504502
Instruction Fuzzy Hash: 59F0CD30418648DBDB259F6AEC4D7683BA8BB01326F088235E429495F1C7754997EF50

Function 00972CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00980DB6: std::exception::exception.LIBCMT ref: 00980DEC
Part of subcall function 00980DB6: __CxxThrowException@8.LIBCMT ref: 00980E01

Part of subcall function 00967DE1: _memmove.LIBCMT ref: 00967E22

Part of subcall function 00967A51: _memmove.LIBCMT ref: 00967AAB

__swprintf.LIBCMT ref: 00972ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00972D66

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 7218fe9fe68984a60e50314a48493ad5f0e46df1724131572e91e4f376a9ac28
Instruction ID: 0c3ba5c1d5fb8fbd6c5ab9db2ad4b78b9f1522545b51b15d7646e7fdb4e28f79
Opcode Fuzzy Hash: 7218fe9fe68984a60e50314a48493ad5f0e46df1724131572e91e4f376a9ac28
Instruction Fuzzy Hash: A2913C721183019FC714EF64C895E6FB7A8EFD6710F04491DF49A9B2A1EA34ED44CBA2

Function 009CB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00964750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00964743,?,?,009637AE,?), ref: 00964770

CoInitialize.OLE32(00000000), ref: 009CB9BB
CoCreateInstance.OLE32(009F2D6C,00000000,00000001,009F2BDC,?), ref: 009CB9D4
CoUninitialize.OLE32 ref: 009CB9F1

Part of subcall function 00969837: __itow.LIBCMT ref: 00969862
Part of subcall function 00969837: __swprintf.LIBCMT ref: 009698AC

Strings

.lnk, xrefs: 009CB99D, 009CB9AB

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 74c7ef9f3b5ebb669232764d1ea96a897ca33396a2d1fa9158d91575017c674f
Instruction ID: 70c7d490487445b564680f4886de9d192bd2ef976bd134434be9d176b94d3eea
Opcode Fuzzy Hash: 74c7ef9f3b5ebb669232764d1ea96a897ca33396a2d1fa9158d91575017c674f
Instruction Fuzzy Hash: 18A13475A043059FCB00DF14C895E6ABBE9FF89314F148998F8999B3A1CB31ED45CB92

Function 0098501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 009850AD

Part of subcall function 009900F0: __87except.LIBCMT ref: 0099012B

Strings

pow, xrefs: 00985085, 009850A2

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 1409d871867452c40c51bedf7c064012b8d4cdd794424f60bab0e1a0b81ad97b
Instruction ID: 064e492c853744d3d74e20a2efa596003f65d33c7c09a3c1f03aa2111a628eaa
Opcode Fuzzy Hash: 1409d871867452c40c51bedf7c064012b8d4cdd794424f60bab0e1a0b81ad97b
Instruction Fuzzy Hash: B7515D6191C5019ADF21BB1CC90537E6B989BC1710F208D59E4F9863A9DF38CDDCDB86

Function 00976192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00976248
_memmove.LIBCMT ref: 009762E4
_memset.LIBCMT ref: 00976308

Strings

ERCP, xrefs: 009761B3

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 4ab2e5942194074937906e649de10d0b6d9379f5b5e04ba4dd1317ea0de0c5a5
Instruction ID: dfb24af1deac367ecb462db261eddd5671ce42048dcb837942af9a996a1f2fca
Opcode Fuzzy Hash: 4ab2e5942194074937906e649de10d0b6d9379f5b5e04ba4dd1317ea0de0c5a5
Instruction Fuzzy Hash: 1D51CF71900B05DBDB24CF65C9817EBB7E8EF84314F20896EE85ACB281E774EA44CB40

Function 009B97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009B9296,?,?,00000034,00000800,?,00000034), ref: 009C14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 009B983F

Part of subcall function 009C1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009B92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 009C14B1

Part of subcall function 009C13DE: GetWindowThreadProcessId.USER32(?,?), ref: 009C1409
Part of subcall function 009C13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,009B925A,00000034,?,?,00001004,00000000,00000000), ref: 009C1419
Part of subcall function 009C13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,009B925A,00000034,?,?,00001004,00000000,00000000), ref: 009C142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009B98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009B98F9

Strings

@, xrefs: 009B9911

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: f5da278c1d2daa6c957d596564308f54d8ab4203113a89d22bfb61a6c6a59957
Instruction ID: ae2d51c0707958a57f4ee3fe873b352aa5b39ffa2435099e9177a787e27fa772
Opcode Fuzzy Hash: f5da278c1d2daa6c957d596564308f54d8ab4203113a89d22bfb61a6c6a59957
Instruction Fuzzy Hash: 3E413976900218BFDB10DFA4CD85FDEBBB8AB4A710F004099FA45A7191DA706E85CBA1

Function 009E7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,009EF910,00000000,?,?,?,?), ref: 009E79DF
GetWindowLongW.USER32 ref: 009E79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009E7A0C

Strings

SysTreeView32, xrefs: 009E79B1

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 3c5819f47e732e9a26572d85b4494a7157711533980ae6809f802bb9dbf31bcb
Instruction ID: cb39cf6389eddbdce0f636cdad39e5edb796aa08224ba3e4121709e746924920
Opcode Fuzzy Hash: 3c5819f47e732e9a26572d85b4494a7157711533980ae6809f802bb9dbf31bcb
Instruction Fuzzy Hash: BB31FE31204646ABDB228FB9CC41BEAB7A9FF44324F204B25F875A32E1D730EC519B50

Function 009E73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009E7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009E7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 009E7499

Strings

SysMonthCal32, xrefs: 009E742C

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 5cebcfd0058d7b8978433cfe2ff730ad317f174c34c7bfcf74f411c98f489aed
Instruction ID: f3b587c07aa720468ac2863e03d24afaf35c26c9413b1a4b6bda23841625516b
Opcode Fuzzy Hash: 5cebcfd0058d7b8978433cfe2ff730ad317f174c34c7bfcf74f411c98f489aed
Instruction Fuzzy Hash: EC21E432504258BBDF128F94CC42FEA7B6AFB48724F110114FE146B1E0EA75AC51DB90

Function 009E7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 009E7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 009E7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009E7C5F

Strings

msctls_updown32, xrefs: 009E7BC4

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: a701ade8e2492aa71d294fb8a2c721c8693b803edf100fc746c34a4b3b069ab0
Instruction ID: 6cd08530904af1cead20c87d61fea9c42e3eeef65c6e4f0d8cc87855e4144212
Opcode Fuzzy Hash: a701ade8e2492aa71d294fb8a2c721c8693b803edf100fc746c34a4b3b069ab0
Instruction Fuzzy Hash: D3219CB1604249AFDB11DFA8DCC1DB777ACEB5A754B140419FA019B3A1CB31EC019AA1

Function 009E6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 009E6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 009E6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 009E6D70

Strings

Listbox, xrefs: 009E6D08

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 968f8277ee2d42b64972edd747c98dd9eed410bd768a4b86a7f42bd40319106e
Instruction ID: d258f5cfddc7ec720f5a1a1d242e46650e77f86cbada03d1cb244afdf2b9be5c
Opcode Fuzzy Hash: 968f8277ee2d42b64972edd747c98dd9eed410bd768a4b86a7f42bd40319106e
Instruction Fuzzy Hash: C821B032610158BFDF128F55CC85FBB3BBEEF997A0F518124FA449B1A0CA71AC5197A0

Function 009E770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009E7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009E7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 009E7794

Strings

msctls_trackbar32, xrefs: 009E7749

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 892787c28e774aebb59654be39b96e08f073af332516a9724fe02a96ab45e59c
Instruction ID: cdf696e4bab6deaaff88e74a0d159cac15929a9c1b3e8cc477ec94f6428bb35b
Opcode Fuzzy Hash: 892787c28e774aebb59654be39b96e08f073af332516a9724fe02a96ab45e59c
Instruction Fuzzy Hash: 54112772244248BBEF215FA5CC01FE7776DEF88B54F010528F64196090C672EC51CB10

Function 00964C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00964BD0,?,00964DEF,?,00A252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00964C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00964C23

Strings

kernel32.dll, xrefs: 00964C0C
Wow64DisableWow64FsRedirection, xrefs: 00964C1D

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: d857c720a16a45c343d3661dc218a876e216fbb954366f54660dfaa5f2198a73
Instruction ID: 36ba34c7db465acfd18fa857250491986cdce903b1faf7ef8916d3e7af53cf39
Opcode Fuzzy Hash: d857c720a16a45c343d3661dc218a876e216fbb954366f54660dfaa5f2198a73
Instruction Fuzzy Hash: D1D0C230514713CFC7205FB1C858247B6DAEF08351B00CC3E94C5CA250E6B4C880D610

Function 00964C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00964B83,?), ref: 00964C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00964C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00964C50
kernel32.dll, xrefs: 00964C3F

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: c475a30461d76286a4e954d7c592bb8dc48166cd27963e62cdc88f3282aa757d
Instruction ID: 821dbf1df28cb19a31338c119fc130ac50685bda9412b1ab9c6747d903869a4d
Opcode Fuzzy Hash: c475a30461d76286a4e954d7c592bb8dc48166cd27963e62cdc88f3282aa757d
Instruction Fuzzy Hash: BBD0C730924B13CFC7248F72C85828A72EAAF00350B10C83E94D6CA260E674C880CA10

Function 009E0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,009E1039), ref: 009E0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009E0E07

Strings

RegDeleteKeyExW, xrefs: 009E0E01
advapi32.dll, xrefs: 009E0DF0

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 231c929a591f30d4ee8a54814c33a793d74c86a50727cfdafa37cb66e9cfe4d4
Instruction ID: d111ebbf46caf816d89805c2559ed98a523c5dcbe3250b99a2cab20b8a1da2b1
Opcode Fuzzy Hash: 231c929a591f30d4ee8a54814c33a793d74c86a50727cfdafa37cb66e9cfe4d4
Instruction Fuzzy Hash: 19D0C730424726DFC3218FB2C85828372EAAF40362F008C3E9482E6150E6B0DCD0CA00

Function 009D90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,009D8CF4,?,009EF910), ref: 009D90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009D9100

Strings

GetModuleHandleExW, xrefs: 009D90FA
kernel32.dll, xrefs: 009D90E9

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 09fcfd017078473e6f0adc0260f4f08173fd067401d6a1d64d43e61eff78a1cd
Instruction ID: e9a929de370260ee4785c39286f6900c73dd35debc71427b39148629ae5be8ad
Opcode Fuzzy Hash: 09fcfd017078473e6f0adc0260f4f08173fd067401d6a1d64d43e61eff78a1cd
Instruction Fuzzy Hash: 03D0173456C713DFDB20AF31D96864676E8AF05351B16CC3F948ADA690EA74C880CA90

Function 009A1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 009A1718
__swprintf.LIBCMT ref: 009A1749

Strings

WIN_XPe, xrefs: 009A1788
%.3d, xrefs: 009A1723

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: e62fbd5140166db34832d7e0521bb7dd0084b1bc1c0bc6d55042a0edaf5b91e1
Instruction ID: be9e4138a635b0b129d3200ccdc38c752e3691d41523efcb4614a8da713e2fb1
Opcode Fuzzy Hash: e62fbd5140166db34832d7e0521bb7dd0084b1bc1c0bc6d55042a0edaf5b91e1
Instruction Fuzzy Hash: E8D01275844119FBC7009690D8998F973BCA70A701F142D52B506D2140E2298B94E665

Function 009B717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eaf80d11172b75081f090cb0338fe9b5d73ddf4c6ec2374afd6e76b2399a491
Instruction ID: 0c6786574ed5d2dd2a8ddf27f1bbab8a051d71a4239cc775e5b2c5213df58758
Opcode Fuzzy Hash: 9eaf80d11172b75081f090cb0338fe9b5d73ddf4c6ec2374afd6e76b2399a491
Instruction Fuzzy Hash: 8FC14F74A04216EFCB14CFE4C984AAEFBBAFF88724B154698E805EB251D730DD41DB90

Function 009DE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 009DE0BE
CharLowerBuffW.USER32(?,?), ref: 009DE101

Part of subcall function 009DD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 009DD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 009DE301
_memmove.LIBCMT ref: 009DE314

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: ecf1184de034e9466650ecb6fe134995353ee8d35810677827e1ee08454e86ef
Instruction ID: 2020914941ddd6b61e0bbd5e3d84726bb0feaab7ee23fa9f4e2d355ef27f2fab
Opcode Fuzzy Hash: ecf1184de034e9466650ecb6fe134995353ee8d35810677827e1ee08454e86ef
Instruction Fuzzy Hash: 5CC14671648301DFC714EF28C480A6ABBE8FF89754F14896EF8999B351D731E946CB82

Function 009D8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009D80C3
CoUninitialize.OLE32 ref: 009D80CE

Part of subcall function 009BD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009BD5D4

VariantInit.OLEAUT32(?), ref: 009D80D9
VariantClear.OLEAUT32(?), ref: 009D83AA

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 2dfd70b6e3c732db49892a46c3cd1d4a83397447ecf3b9b26954b9e06b160824
Instruction ID: ab4d85e12c0bafaf4fdb4d5cf1b99ec18330ee78761b3435921951e54fda642c
Opcode Fuzzy Hash: 2dfd70b6e3c732db49892a46c3cd1d4a83397447ecf3b9b26954b9e06b160824
Instruction Fuzzy Hash: C2A15A75644701DFCB10DF64C881B2AB7E8BF89754F148859F99A9B3A2CB34ED05CB82

Function 009B7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,009F2C7C,?), ref: 009B76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,009F2C7C,?), ref: 009B7702
CLSIDFromProgID.OLE32(?,?,00000000,009EFB80,000000FF,?,00000000,00000800,00000000,?,009F2C7C,?), ref: 009B7727
_memcmp.LIBCMT ref: 009B7748

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: b727bde655ab27ef182b9be404aa096e02025d41eacdd3029927be083ebe895f
Instruction ID: 81cf11bf794dff37f41da7d50ff04778b726762a18329a0fcff832c5f9a6b43e
Opcode Fuzzy Hash: b727bde655ab27ef182b9be404aa096e02025d41eacdd3029927be083ebe895f
Instruction Fuzzy Hash: A781E975A00109EFCB04DFE4C984EEEB7B9FF89315F204599E506AB250DB71AE06CB61

Function 009B687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009B688E
SysAllocString.OLEAUT32(00000000), ref: 009B6937
VariantCopy.OLEAUT32 ref: 009B6966
VariantClear.OLEAUT32(?), ref: 009B698D

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 4b59c543cc6cd8cbcb08374f6e73121ab913721464446870c5cd5fc793c4c144
Instruction ID: f939f9a343b3c2e9fd1e71c28d92d570f19e1b16bf53880563c22ad5dee110f1
Opcode Fuzzy Hash: 4b59c543cc6cd8cbcb08374f6e73121ab913721464446870c5cd5fc793c4c144
Instruction Fuzzy Hash: EC51B3747043059ADF24AF65D995BBAB3E9AF85320F20C81FE596DB2D1DA3CF8408701

Function 009E97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00B8D9A0,?), ref: 009E9863
ScreenToClient.USER32(00000002,00000002), ref: 009E9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 009E9903

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b7da334ca44533d04c71a37b0c262fb673fe26796a893e14f0482a81f7d66508
Instruction ID: 1ddc9cece125f4b37da31c3ae2a688ab320271d9bda260af6d0cb77ce12e7aec
Opcode Fuzzy Hash: b7da334ca44533d04c71a37b0c262fb673fe26796a893e14f0482a81f7d66508
Instruction Fuzzy Hash: 84514F34A00249EFCF21CF69C880AAE7BB9FF55360F148169F8559B2A1D771AD41DB90

Function 009B9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 009B9AD2
__itow.LIBCMT ref: 009B9B03

Part of subcall function 009B9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 009B9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 009B9B6C
__itow.LIBCMT ref: 009B9BC3

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: a01d12e5142663ca06cec1d33bff04235b9cf05ae5914ba2178f6aab7268d566
Instruction ID: ee60a8727d18af8c639ca3e7b2b7f37e362263bca766e61757031c34b9a6543d
Opcode Fuzzy Hash: a01d12e5142663ca06cec1d33bff04235b9cf05ae5914ba2178f6aab7268d566
Instruction Fuzzy Hash: 4341C370A1021CABDF11EF64D985BFEBBB9EF84724F000069FA05A7291DB749E44CB61

Function 009D69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 009D69D1
WSAGetLastError.WSOCK32(00000000), ref: 009D69E1

Part of subcall function 00969837: __itow.LIBCMT ref: 00969862
Part of subcall function 00969837: __swprintf.LIBCMT ref: 009698AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 009D6A45
WSAGetLastError.WSOCK32(00000000), ref: 009D6A51

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: cc31d048a5514015db03b7a106e55a99aec00394168edab5ed8b6bcc3fae42bd
Instruction ID: 889a454e68ee5209fb05c976402d4b2f6d6d79a4dc9c917bf2f7f5172c1fb394
Opcode Fuzzy Hash: cc31d048a5514015db03b7a106e55a99aec00394168edab5ed8b6bcc3fae42bd
Instruction Fuzzy Hash: 1141BF75740200AFEB60AF64CC96F3A77E89F94B54F04C519FA59AF3C2DAB49D008B91

Function 009D641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,009EF910), ref: 009D64A7
_strlen.LIBCMT ref: 009D64D9

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 855c429b14c2ff7638aebd0e1d12648868fb0be0e1acc4142257003e2bb31c74
Instruction ID: d235e20ce15063b1cb88fa2fda305566146375ea42379b4014eb6529c97c7d55
Opcode Fuzzy Hash: 855c429b14c2ff7638aebd0e1d12648868fb0be0e1acc4142257003e2bb31c74
Instruction Fuzzy Hash: CE418471A40114ABCB14EBA8EC95FAEB7ADAF94310F14C15AF8199B392DB34AD44CB50

Function 009CB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009CB89E
GetLastError.KERNEL32(?,00000000), ref: 009CB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009CB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009CB915

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: fd19065209f4c40081a7d3779b564a57a665555c74e84c9da13019667fc811f0
Instruction ID: 552f5e2b141658438d3629a2c43cc7ec945ef3934cd95cdd216e38ad380b3c1b
Opcode Fuzzy Hash: fd19065209f4c40081a7d3779b564a57a665555c74e84c9da13019667fc811f0
Instruction Fuzzy Hash: 88412939A00650DFCB10EF55C495B59BBE9EF8A314F098099ED4AAB362CB30FD01DB91

Function 009E8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009E88DE

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: b1898073097eab31a28994ab1731cb91aba0cea2ed1a9fb636aad97524292b9d
Instruction ID: 3fe95d952a7a3ffa13d71d9faf55a3ef82c29c3c3f12f02f2199b838c86ef776
Opcode Fuzzy Hash: b1898073097eab31a28994ab1731cb91aba0cea2ed1a9fb636aad97524292b9d
Instruction Fuzzy Hash: 04310830A40188FFEB229BEADC45BBA37A9FB05350F544412F929E61E2CE71DD409752

Function 009EAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 009EAB60
GetWindowRect.USER32(?,?), ref: 009EABD6
PtInRect.USER32(?,?,009EC014), ref: 009EABE6
MessageBeep.USER32(00000000), ref: 009EAC57

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 8de233077a46b9ab0aeab635c7f6dcf4839f81aee1765634d406bb096167488d
Instruction ID: af590db7f5c517432a130209784331f84e4b8884e8fe07262a783393aa68e181
Opcode Fuzzy Hash: 8de233077a46b9ab0aeab635c7f6dcf4839f81aee1765634d406bb096167488d
Instruction Fuzzy Hash: 82416B30A00599DFCB22DF5AD884B697BF5FB49700F2884A9E8559B270D730AC42DB92

Function 009C0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 009C0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 009C0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 009C0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 009C0BFB

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 183bf174207f1c52568dca55406b212306b9a9f1c4074950a098902fd957248c
Instruction ID: 76adc379531f22e3196df96eb6090110d7e04910826c502a736741b977769d34
Opcode Fuzzy Hash: 183bf174207f1c52568dca55406b212306b9a9f1c4074950a098902fd957248c
Instruction Fuzzy Hash: 9D311230D44608EAFF30CA298C15FFABBA9ABC5728F08426EE595521D1C3788D809762

Function 009C0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 009C0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 009C0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 009C0CE1
SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 009C0D33

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: aeb800ca9de55205063a65b97b229585651f4b17fd6eb01558ccebb83270da40
Instruction ID: 33f625d4e799a72656fa503d427f9e18db0249d0fb109dc4f6b73df70d77b825
Opcode Fuzzy Hash: aeb800ca9de55205063a65b97b229585651f4b17fd6eb01558ccebb83270da40
Instruction Fuzzy Hash: 9C311030D80718EEFB208A648814FFABBAAABC9320F04871EE4D1521D1C3399D5597A3

Function 009961C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 009961FB
__isleadbyte_l.LIBCMT ref: 00996229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00996257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0099628D

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 57ca96bc50ae769b4ed8c49b7a16a68417e7abb2078f7960a8459dab4c3a7535
Instruction ID: e89b72ab8de3e7f1a0e7c629aa6a1afbdfd564d9c3eb855204ed908ee88681dc
Opcode Fuzzy Hash: 57ca96bc50ae769b4ed8c49b7a16a68417e7abb2078f7960a8459dab4c3a7535
Instruction Fuzzy Hash: 0D319031608246AFDF229F69CC44BAE7FA9FF82310F154529E864D71A1D731E950DB90

Function 009E4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009E4F02

Part of subcall function 009C3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009C365B
Part of subcall function 009C3641: GetCurrentThreadId.KERNEL32 ref: 009C3662
Part of subcall function 009C3641: AttachThreadInput.USER32(00000000,?,009C5005), ref: 009C3669

GetCaretPos.USER32(?), ref: 009E4F13
ClientToScreen.USER32(00000000,?), ref: 009E4F4E
GetForegroundWindow.USER32 ref: 009E4F54

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 2b324f30af2627c9da5556d212d9bdc7eab5838f2af1b8b4adb8c124451d069a
Instruction ID: f2b114513748d76cda575ed7eaf96cadee48d2f2acbd4b7048e39ced13f169ce
Opcode Fuzzy Hash: 2b324f30af2627c9da5556d212d9bdc7eab5838f2af1b8b4adb8c124451d069a
Instruction Fuzzy Hash: 59310DB1D00108AFDB10EFA5C985AEFB7FDEF98300F10846AE415E7241DA759E458BA1

Function 009EC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

GetCursorPos.USER32(?), ref: 009EC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0099B9AB,?,?,?,?,?), ref: 009EC4E7
GetCursorPos.USER32(?), ref: 009EC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0099B9AB,?,?,?), ref: 009EC56E

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d3fb29d687891114967a0687ba251a85f554b64dff7749e5bac41e42cf5de540
Instruction ID: 26f2e01e3c61e115ea460fffca80f7fb429f42cd5c58f91edfcfe084cb3e9f93
Opcode Fuzzy Hash: d3fb29d687891114967a0687ba251a85f554b64dff7749e5bac41e42cf5de540
Instruction Fuzzy Hash: 2131D775500098AFCB26CF59C898EFE7BB9FB09310F044066F9458B261CB31AD52DF94

Function 009B8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009B8121
Part of subcall function 009B810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009B812B
Part of subcall function 009B810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B813A
Part of subcall function 009B810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009B8141
Part of subcall function 009B810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009B86A3
_memcmp.LIBCMT ref: 009B86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B86FC
HeapFree.KERNEL32(00000000), ref: 009B8703

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 74f67468833798d1ebd15fe4c485509f80768da7f1084f5d96718ae0640545a3
Instruction ID: 682b5ae74ca36352d4fe0e266e71bb8fc086fe5f278a9e782d724a80adab3146
Opcode Fuzzy Hash: 74f67468833798d1ebd15fe4c485509f80768da7f1084f5d96718ae0640545a3
Instruction Fuzzy Hash: 75218C71E05109EFDB10DFA8CA49BEEB7BCEF49325F158059E444AB241DB30AE05DB90

Function 0098098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 009809AE

Part of subcall function 00965A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009C7896,?,?,00000000), ref: 00965A2C
Part of subcall function 00965A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009C7896,?,?,00000000,?,?), ref: 00965A50

_fprintf.LIBCMT ref: 009809E5
OutputDebugStringW.KERNEL32(?), ref: 009B5DBB

Part of subcall function 00984AAA: _flsall.LIBCMT ref: 00984AC3

__setmode.LIBCMT ref: 00980A1A

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: e41d199d7f406196a7a43fbb96b3b8de5a6f2180d60a6a45e5f98955e735015c
Instruction ID: df784a8192615ca51fac692a514b57d2819d2939b5a775012e91fa0abe82a38f
Opcode Fuzzy Hash: e41d199d7f406196a7a43fbb96b3b8de5a6f2180d60a6a45e5f98955e735015c
Instruction Fuzzy Hash: 50110672904649AFDB08B7F49C4ABFE77AC9FC5320F24016AF205973C2EE31594697A1

Function 009D1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009D17A3

Part of subcall function 009D182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009D184C
Part of subcall function 009D182D: InternetCloseHandle.WININET(00000000), ref: 009D18E9

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: ef61da351fa5d1c3bb6ecc58eaeedcc9c38a3e8bb645f0b72ce7f17e915978a2
Instruction ID: 7d182e7e64009f99a37d4f40d8143dc2136baab062ddd9eba7c13a712c17b398
Opcode Fuzzy Hash: ef61da351fa5d1c3bb6ecc58eaeedcc9c38a3e8bb645f0b72ce7f17e915978a2
Instruction Fuzzy Hash: 0221C672284605BFEB169F60DC41FBABBADFF88710F10842BFA1196760D771D811A7A0

Function 009C3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,009EFAC0), ref: 009C3A64
GetLastError.KERNEL32 ref: 009C3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 009C3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,009EFAC0), ref: 009C3ADF

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 68322a88b858b7b7742d6cc749e110acdc3d244336510131a8024f99344ab61b
Instruction ID: 1ae514eeb1ea8e8cc93491023e4cdae91ad2f6b49d0ffc2a32f598f736b22b0b
Opcode Fuzzy Hash: 68322a88b858b7b7742d6cc749e110acdc3d244336510131a8024f99344ab61b
Instruction Fuzzy Hash: 152188749082019FC710DF24C891E6AB7E8AE99364F14CA2EF4D9C7291D731DE55CB43

Function 009BDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009BF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,009BDCD3,?,?,?,009BEAC6,00000000,000000EF,00000119,?,?), ref: 009BF0CB
Part of subcall function 009BF0BC: lstrcpyW.KERNEL32(00000000,?,?,009BDCD3,?,?,?,009BEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 009BF0F1
Part of subcall function 009BF0BC: lstrcmpiW.KERNEL32(00000000,?,009BDCD3,?,?,?,009BEAC6,00000000,000000EF,00000119,?,?), ref: 009BF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,009BEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 009BDCEC
lstrcpyW.KERNEL32(00000000,?,?,009BEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 009BDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,009BEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 009BDD46

Strings

cdecl, xrefs: 009BDD3D

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 4337146b3b6f13e9d471d54c7e89f4b6f100116eccae2fabbbea97aeb128fa49
Instruction ID: 26b46d77b8634f4464efc010b4c440381b50d20f521f4724004028992ad31dce
Opcode Fuzzy Hash: 4337146b3b6f13e9d471d54c7e89f4b6f100116eccae2fabbbea97aeb128fa49
Instruction Fuzzy Hash: F811BE3A201305EFCB25AF74CC45ABA77A8FF85360B40802AF846CB2A1FB719C40D790

Function 009950E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00995101

Part of subcall function 0098571C: __FF_MSGBANNER.LIBCMT ref: 00985733
Part of subcall function 0098571C: __NMSG_WRITE.LIBCMT ref: 0098573A
Part of subcall function 0098571C: RtlAllocateHeap.NTDLL(00B70000,00000000,00000001,00000000,?,?,?,00980DD3,?), ref: 0098575F

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5bc8994fa2bff9892143d0ed9e86e80ba33053b7114582a459c58a65186efed5
Instruction ID: 7c06f2ca68722ecddf01be07921a2fc61488ac1f2e9b76c57696748f8132c2fd
Opcode Fuzzy Hash: 5bc8994fa2bff9892143d0ed9e86e80ba33053b7114582a459c58a65186efed5
Instruction Fuzzy Hash: 8011A3B2508A15AFCF323F78BC45B6F3B9C9B953A1B12492AF9049A250DF34CD4197A0

Function 009644A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009644CF

Part of subcall function 0096407C: _memset.LIBCMT ref: 009640FC
Part of subcall function 0096407C: _wcscpy.LIBCMT ref: 00964150
Part of subcall function 0096407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00964160

KillTimer.USER32(?,00000001,?,?), ref: 00964524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00964533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0099D4B9

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: f87011e87e83217a6203f0170cb300581df4a6798feb8e266eba28aeac9ab9fd
Instruction ID: 0021615ed34333e19ae3120c6638888efd0e4cf33db214e694d86e659c7acf74
Opcode Fuzzy Hash: f87011e87e83217a6203f0170cb300581df4a6798feb8e266eba28aeac9ab9fd
Instruction Fuzzy Hash: 262107709097849FEB32CB688899BE7BBECAF01314F04049EF68E5B191C3742A84DB51

Function 009D6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00965A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009C7896,?,?,00000000), ref: 00965A2C
Part of subcall function 00965A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009C7896,?,?,00000000,?,?), ref: 00965A50

gethostbyname.WSOCK32(?,?,?), ref: 009D6399
WSAGetLastError.WSOCK32(00000000), ref: 009D63A4
_memmove.LIBCMT ref: 009D63D1
inet_ntoa.WSOCK32(?), ref: 009D63DC

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: a5b5703db2d3fe4858e21587a65ec3a718898f718091c92d5087b05450c256d2
Instruction ID: c3242ddd530abb81e4c6108f9f3ef0dc490d8feba1082556cac66c266562b7c5
Opcode Fuzzy Hash: a5b5703db2d3fe4858e21587a65ec3a718898f718091c92d5087b05450c256d2
Instruction Fuzzy Hash: 37113072500109AFCB04FFE4DD96EEEB7B8AF94310B548066F506A7262DB30AE14DB61

Function 009B8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 009B8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B8BA4

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: dfd55134cce12b1282c1c9e5be0c256832d289c9ba4464f4f15b1f77a99665e6
Instruction ID: 5836212165efb13aad4411c3baf0498a696d009e22664184633d0d6f4b4deabe
Opcode Fuzzy Hash: dfd55134cce12b1282c1c9e5be0c256832d289c9ba4464f4f15b1f77a99665e6
Instruction Fuzzy Hash: AE110A79901218FFDB11DBA5C985FAEBB78EB48710F2040A5E900B7250DA716E11DB94

Function 00961290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

DefDlgProcW.USER32(?,00000020,?), ref: 009612D8
GetClientRect.USER32(?,?), ref: 0099B5FB
GetCursorPos.USER32(?), ref: 0099B605
ScreenToClient.USER32(?,?), ref: 0099B610

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 9d2c21fefbf0c4f1eed2c864cb3f96d6c0dfb0c87fdc20e24f85006390e5ce22
Instruction ID: 5211b8aaf2f22213b64d4883837a28133ddb762d476e5c8254c4c5657c468064
Opcode Fuzzy Hash: 9d2c21fefbf0c4f1eed2c864cb3f96d6c0dfb0c87fdc20e24f85006390e5ce22
Instruction Fuzzy Hash: 31113635A10059EFCB10EFA8D899AFE77B8FB46300F404866FA11E7251C730BA519BA5

Function 009C1142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009BFCED,?,009C0D40,?,00008000), ref: 009C115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,009BFCED,?,009C0D40,?,00008000), ref: 009C1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009BFCED,?,009C0D40,?,00008000), ref: 009C118E
Sleep.KERNEL32(?,?,?,?,?,?,?,009BFCED,?,009C0D40,?,00008000), ref: 009C11C1

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: cb6717975246ce650d792f168f1ac8779468e2e709d9d37997dfc599926cd1e2
Instruction ID: 17e6f9df8c8bcd31f183de3f9f6cf86ed4cdb453c37117c757305a9cc280ea5f
Opcode Fuzzy Hash: cb6717975246ce650d792f168f1ac8779468e2e709d9d37997dfc599926cd1e2
Instruction Fuzzy Hash: 4A118231C0851DDBCF00DFA5D894BEEBB78FF0A711F04445AEA40B6241CB389550DB9A

Function 009BD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 009BD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 009BD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009BD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009BD897

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 68980987ce4f7ece471f0b97f415522dcc0b59ac0fc0a140bc863d5a6c476d0a
Instruction ID: 7563ce27669f98ac10e9205b6f290b5c8f61dd7a9f4f4df124334ce6cef9dd21
Opcode Fuzzy Hash: 68980987ce4f7ece471f0b97f415522dcc0b59ac0fc0a140bc863d5a6c476d0a
Instruction Fuzzy Hash: 4311617560A704DBE3208F50DD4CFD3BBBCEB00B11F10896AA516D6090E7B5EA49ABA1

Function 00996FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00996FDB

Part of subcall function 009976C2: __fltout2.LIBCMT ref: 009976EB

__cftog_l.LIBCMT ref: 00997001
__cftoe_l.LIBCMT ref: 00997033

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 4885a7694b1251932b165133f07d8ed254a8206ba2432a48b8c166bb9ba8aaf4
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: D201497245814ABBCF265FC8CC42CEE7F66BB28390F598415FE5858031DA37C9B1AB91

Function 009EB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009EB2E4
ScreenToClient.USER32(?,?), ref: 009EB2FC
ScreenToClient.USER32(?,?), ref: 009EB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 009EB33B

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 49767159bc74e7c50b975ba12be3a37fc5a74f3963673d08c554ef6dd8ce0f37
Instruction ID: fd774b8d7b6959632515a1da653be8a0d4dff20dbf3ddf732a17138684efcb22
Opcode Fuzzy Hash: 49767159bc74e7c50b975ba12be3a37fc5a74f3963673d08c554ef6dd8ce0f37
Instruction Fuzzy Hash: DF1143B9D0424DEFDB41CFA9D8849EEBBB9FB08310F108166E914E3220D735AA559F50

Function 009EB635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009EB644
_memset.LIBCMT ref: 009EB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00A26F20,00A26F64), ref: 009EB682
CloseHandle.KERNEL32 ref: 009EB694

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: bdb14aafd85bd2453d1d83c31888f89b9ac5e619776c5ffaf9d9faad487d0f13
Instruction ID: a19f34d11fcdd9f56e28a4d0aa758ec26bb530cdb36bfee1193710fb99611fd0
Opcode Fuzzy Hash: bdb14aafd85bd2453d1d83c31888f89b9ac5e619776c5ffaf9d9faad487d0f13
Instruction Fuzzy Hash: C2F082B2541350BBEB2067A9BD46FBB3E9CEB08795F004031FA08E9196D7718C0287B8

Function 009C6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 009C6BE6

Part of subcall function 009C76C4: _memset.LIBCMT ref: 009C76F9

_memmove.LIBCMT ref: 009C6C09
_memset.LIBCMT ref: 009C6C16
LeaveCriticalSection.KERNEL32(?), ref: 009C6C26

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 2ebaa55d50a4ecc1f07c57d07cb61ea2b81e55e24bde954552f0b208036dff6c
Instruction ID: 5796bc304acd407d9e3c1fb6864855a56417195a1169ed2f02c98ed3059eb923
Opcode Fuzzy Hash: 2ebaa55d50a4ecc1f07c57d07cb61ea2b81e55e24bde954552f0b208036dff6c
Instruction Fuzzy Hash: DFF03A3A604500ABCF016F95DC85F8ABB29EF85320B048065FE085E267D731E911DBB5

Function 00962218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00962231
SetTextColor.GDI32(?,000000FF), ref: 0096223B
SetBkMode.GDI32(?,00000001), ref: 00962250
GetStockObject.GDI32(00000005), ref: 00962258
GetWindowDC.USER32(?,00000000), ref: 0099BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0099BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0099BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0099BEC2
GetPixel.GDI32(00000000,?,?), ref: 0099BEE2
ReleaseDC.USER32(?,00000000), ref: 0099BEED

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 63395a62c7f9476c77a630ae5d5eda3138b75f85fa047fc6abe1cb7e9b9a678d
Instruction ID: b688ec3e75f92cc92936ef1422b226f4f9dff3bacbf3f249a1f2e7c1032440ca
Opcode Fuzzy Hash: 63395a62c7f9476c77a630ae5d5eda3138b75f85fa047fc6abe1cb7e9b9a678d
Instruction Fuzzy Hash: DAE03031118184AAEF215FA8FC5D7D83B15EB15336F008367FA69480E187714984EB11

Function 009B8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 009B871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,009B82E6), ref: 009B8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009B82E6), ref: 009B872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,009B82E6), ref: 009B8736

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 65b9be1a84873d1549864205b1cb2c1dda09233eb7c193515601290670890e9f
Instruction ID: 3314030a43c682716537ad95e08cbe18cf01ddd5d985fa53d26d4ad92ee79660
Opcode Fuzzy Hash: 65b9be1a84873d1549864205b1cb2c1dda09233eb7c193515601290670890e9f
Instruction Fuzzy Hash: FAE0263262A2129BD7205FB06D8CB8B3BACEF547E2F148828B241DD040DA348845D710

Function 009BB2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 009BB4BE

Strings

AutoIt3GUI, xrefs: 009BB436
Container, xrefs: 009BB43B

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: b15b036439a18e62554c9fa7e7d38e8fb7730e263db602b3df07295c7aad28ab
Instruction ID: d34c079b618b8866b54017bb3f94ff943c6f067c4bab51c659eae2f457e68b0d
Opcode Fuzzy Hash: b15b036439a18e62554c9fa7e7d38e8fb7730e263db602b3df07295c7aad28ab
Instruction Fuzzy Hash: 3C913A70600601AFDB64DF64C984BAAB7F9FF49710F20856DF94ACB2A1DBB1E841CB50

Function 009CAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0097FC86: _wcscpy.LIBCMT ref: 0097FCA9

Part of subcall function 00969837: __itow.LIBCMT ref: 00969862
Part of subcall function 00969837: __swprintf.LIBCMT ref: 009698AC

__wcsnicmp.LIBCMT ref: 009CB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 009CB0F6

Strings

LPT, xrefs: 009CB027

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 05d09a59c53e9afd29ed84bc98245a76e68135b0b29d479f35adf4f3c7a5e591
Instruction ID: 1e63368022bb96f15300d1f26eceafcdf438620e9425132f3cc18db1c6d6237c
Opcode Fuzzy Hash: 05d09a59c53e9afd29ed84bc98245a76e68135b0b29d479f35adf4f3c7a5e591
Instruction Fuzzy Hash: 39616D76E04219EFCB14DF94C8A2FAEB7B8EB48310F14406DF916AB291D774AE44CB51

Function 00972957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00972968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00972981

Strings

@, xrefs: 00972975

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 53e5d05d3ede07be3e0953ff3bf6ebe917251e43f363aed5a75a29ea244ce0a8
Instruction ID: e45212971a9e13905d3a458655faa7e1805e1003af95cd95786ceeec3fb169d7
Opcode Fuzzy Hash: 53e5d05d3ede07be3e0953ff3bf6ebe917251e43f363aed5a75a29ea244ce0a8
Instruction Fuzzy Hash: 695127B24187489BD320EF50D886BABBBE8FBC5344F81895DF2D8411A1DF318529CB66

Function 009C9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00964F0B: __fread_nolock.LIBCMT ref: 00964F29

_wcscmp.LIBCMT ref: 009C9824
_wcscmp.LIBCMT ref: 009C9837

Strings

FILE, xrefs: 009C9770

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 967f49afa2867d945f48abd6f642ef2c9be1199f7a2f58fd6b55033cba0715d0
Instruction ID: c4d66858791ef1a3d81d1a7ca6f205ef06a8417f3b41b366195dac866d214dfa
Opcode Fuzzy Hash: 967f49afa2867d945f48abd6f642ef2c9be1199f7a2f58fd6b55033cba0715d0
Instruction Fuzzy Hash: F841C671A04219BADF219BE4CC4AFEFBBBDEF85710F010469F904A7181DA759A048B61

Function 009D258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009D259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009D25D4

Strings

|, xrefs: 009D25A5

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 4cfab8e599152579ec0286cb47c91df0136101646cd29987e7dc99a959fbf7c4
Instruction ID: 392081f5fe2aa45c1b8ae82a956c63f77291c0ba22e1dd9134bd346edce0e5db
Opcode Fuzzy Hash: 4cfab8e599152579ec0286cb47c91df0136101646cd29987e7dc99a959fbf7c4
Instruction Fuzzy Hash: 63311971804219EBCF01EFA0CC85EEEBFB8FF58354F10405AF915A6266EB319956DB60

Function 009E7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 009E7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009E7B76

Strings

', xrefs: 009E7ACA

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 648cf74edc59f777e7e2e39acb0a00f8aea4f55305ae089db486736b42b7fef8
Instruction ID: 2b9ae864adc8b27c63a14218b9417991c25702838bc08043e0f74ec79f5607c6
Opcode Fuzzy Hash: 648cf74edc59f777e7e2e39acb0a00f8aea4f55305ae089db486736b42b7fef8
Instruction Fuzzy Hash: F4410A74A05249AFDB15CFA9D881BEABBB9FB08300F14057AE904EB351E770AD51CF91

Function 009E6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 009E6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 009E6B53

Strings

static, xrefs: 009E6AB3

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: b056a3249d23284bc88a77c38962cde338e041514613b8a5e34d0bc81aa3f82e
Instruction ID: 56f86da7aee837f911ee3d089d1e55d3bc6cd923e305492ff1869ae74e282ed1
Opcode Fuzzy Hash: b056a3249d23284bc88a77c38962cde338e041514613b8a5e34d0bc81aa3f82e
Instruction Fuzzy Hash: 8931CF71200244AEDB119F69CC80BFB73ADFF987A0F10862AF9A5D7190DB31AC81C760

Function 009C28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009C2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009C294C

Strings

0, xrefs: 009C290A

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 0dd7d01de4bcd119702edaf4066705448398d40e0d8d885c136960bd38b70c8f
Instruction ID: c784c9b18857efa1bf072cb605ceb25b0bc6ec7da384eb245b80eeeb29ad8bc2
Opcode Fuzzy Hash: 0dd7d01de4bcd119702edaf4066705448398d40e0d8d885c136960bd38b70c8f
Instruction Fuzzy Hash: 6D31D235E00305DBEB24DF58CA85FAEBBF8EF45350F14002DE985AA2A1D7709A44CB52

Function 009D39E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 009D3A66

Part of subcall function 00967DE1: _memmove.LIBCMT ref: 00967E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 009D3A58
, $, xrefs: 009D3AA6

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: c64593b847d6eaee9ffdf5370c08aa54b8f697c79d4b9709b241b152dc9385b9
Instruction ID: 9b1a55d2a03558bd1899042bd775d246e282d516af634079e17d75d976c37087
Opcode Fuzzy Hash: c64593b847d6eaee9ffdf5370c08aa54b8f697c79d4b9709b241b152dc9385b9
Instruction Fuzzy Hash: 36216471740119ABCF10EFA4CC81BEEB7B5BF84700F508856E445AB281DB34EA45CB62

Function 009E66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009E6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E676C

Strings

Combobox, xrefs: 009E672E

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6359c43da81afe5fa95cde3dea9991770bcb614ce003cc7a106a786492f34784
Instruction ID: a9e2e386650443e5fa10645803b768bb330c96ae18ac1b3f02f6f06789c721e5
Opcode Fuzzy Hash: 6359c43da81afe5fa95cde3dea9991770bcb614ce003cc7a106a786492f34784
Instruction Fuzzy Hash: DE11B271200248BFEF22CF55CC80EBB3B6EEB983A8F100529F91497290D6329C9187A0

Function 009E6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00961D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00961D73
Part of subcall function 00961D35: GetStockObject.GDI32(00000011), ref: 00961D87
Part of subcall function 00961D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00961D91

GetWindowRect.USER32(00000000,?), ref: 009E6C71
GetSysColor.USER32(00000012), ref: 009E6C8B

Strings

static, xrefs: 009E6C4E

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 8087094f7a87dbfd24b85e311797e44b9eed480584663117c27fc33668122ae2
Instruction ID: a03a4a7afee23966dcfea0c3c3e0fb811d1b916ee22c505ca46d274e850ba084
Opcode Fuzzy Hash: 8087094f7a87dbfd24b85e311797e44b9eed480584663117c27fc33668122ae2
Instruction Fuzzy Hash: AE218972510249AFDF05DFB9CC45AFA7BB8FB08304F104A29FA95D2240E734E850DB60

Function 009E6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009E69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009E69B1

Strings

edit, xrefs: 009E6986

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: b1193d96a87e7e174dead14419e3e11e6e9db1e0c8000d53c73ff6fc0c3497b1
Instruction ID: e88735e8539d03866810e5b808cb9d339a94fd436292b9009469f2abf19c609b
Opcode Fuzzy Hash: b1193d96a87e7e174dead14419e3e11e6e9db1e0c8000d53c73ff6fc0c3497b1
Instruction Fuzzy Hash: D111BF71100288ABEB128F75DC90AFB3B6DEB653B8F104724F9A0971E1C735DC51A760

Function 009C29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009C2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 009C2A41

Strings

0, xrefs: 009C2A18

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 6fcecf9f3d556debf5dc25b66d5dd488010f6d410ddea7dfcee01552b250548d
Instruction ID: aa36a04983aeda256f4a44148639fbf323f47789402bd8d7e6968f1ee61b49c7
Opcode Fuzzy Hash: 6fcecf9f3d556debf5dc25b66d5dd488010f6d410ddea7dfcee01552b250548d
Instruction Fuzzy Hash: FB11B232D01618ABDB30DBA8DC44FAA77BCAB45350F154039E855E72D0D770AD0AC792

Function 009D21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009D222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009D2255

Strings

<local>, xrefs: 009D221D

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 37e246a40bb354f9934021fc804e6c5d95ed6cb15f4ad5f847667192488a2604
Instruction ID: 0f093f6550bb9c08ace9bb366254decfaadd15ad5467c9f104c0b4d66b023f74
Opcode Fuzzy Hash: 37e246a40bb354f9934021fc804e6c5d95ed6cb15f4ad5f847667192488a2604
Instruction Fuzzy Hash: 4B110270585265BEDB298F518C84EFBFBACFF26751F10C62BFA2446200D2716980D6F0

Function 009B8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00967DE1: _memmove.LIBCMT ref: 00967E22

Part of subcall function 009BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009BAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009B8E73

Strings

ListBox, xrefs: 009B8E3D
ComboBox, xrefs: 009B8E12

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 6a0e0e840203d7c2dbc9b4d76ad30dd7a5d31fb42c47d48fa6c0a7d14cf38ea2
Instruction ID: 0d07081569a01c0632a2ac2c0bf2511f8d1342f899ab5f7dff4c4186070b4a5b
Opcode Fuzzy Hash: 6a0e0e840203d7c2dbc9b4d76ad30dd7a5d31fb42c47d48fa6c0a7d14cf38ea2
Instruction Fuzzy Hash: 4201F1B1601228BBCF14FBA4CD95AFE736DAF45330B400A19B861572E1DE319808C660

Function 009B8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00967DE1: _memmove.LIBCMT ref: 00967E22

Part of subcall function 009BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009BAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 009B8D6B

Strings

ListBox, xrefs: 009B8D35
ComboBox, xrefs: 009B8D0A

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: e209a5f4a691d830553662d4a085d75f7196c4192d19b67df3dd32def42c9541
Instruction ID: 452d222b1410da8bb5b293903ec580b5dd5fc806e38ceb4239b07590751afc33
Opcode Fuzzy Hash: e209a5f4a691d830553662d4a085d75f7196c4192d19b67df3dd32def42c9541
Instruction Fuzzy Hash: C301DFB1A41108BBCF15EBE0CA96BFF73AC9F99360F50041AB802672E1DE245E08D671

Function 009B8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00967DE1: _memmove.LIBCMT ref: 00967E22

Part of subcall function 009BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009BAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 009B8DEE

Strings

ListBox, xrefs: 009B8DBA
ComboBox, xrefs: 009B8D8F

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 710063835fa1dd7b6ad93ea7829feb2cf18fec32f9a9c4e3c5a09e704604dd33
Instruction ID: ff60d3672dd295ae2a74b3fa571e3640ec4029e6e48a64dc0edb6915f011662e
Opcode Fuzzy Hash: 710063835fa1dd7b6ad93ea7829feb2cf18fec32f9a9c4e3c5a09e704604dd33
Instruction Fuzzy Hash: 3F01F271A41108B7CF10EBA4CA96BFF73AC9F65360F50041AB801672D2DE254E08D671

Function 009C4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 009C4F46
_wcscmp.LIBCMT ref: 009C4F58

Strings

#32770, xrefs: 009C4F52

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 675bbec3921f3fbfe2970ea90c6f8a7130cfc43aaf24e962cecda98701e3810e
Instruction ID: b84452ad196c7a500bef566bb6b40f9baae0bc84b55ed2345d8d0ff4ec84ca3c
Opcode Fuzzy Hash: 675bbec3921f3fbfe2970ea90c6f8a7130cfc43aaf24e962cecda98701e3810e
Instruction Fuzzy Hash: 10E0D13260422827D720D7999C45FE7FBACEB45B70F00016BFD04D7151D5709B4587D1

Function 0099B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0099B314: _memset.LIBCMT ref: 0099B321

Part of subcall function 00980940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0099B2F0,?,?,?,0096100A), ref: 00980945

IsDebuggerPresent.KERNEL32(?,?,?,0096100A), ref: 0099B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0096100A), ref: 0099B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0099B2FE

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 1cf7a54c97e60bef16fcd10ba4131139055d6af13305405cc8e8f641dcc00d8e
Instruction ID: ae597beb3306e1fdc3f25dbed6d3e94422f78f5bc36d8f2f725dbb5d2a883548
Opcode Fuzzy Hash: 1cf7a54c97e60bef16fcd10ba4131139055d6af13305405cc8e8f641dcc00d8e
Instruction Fuzzy Hash: 04E06D702057418BDB20DF28E5093467AE8BF40744F00897DE456C7381E7B8D848CBA1

Function 009A1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 009A1775

Part of subcall function 009DBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,009A195E,?), ref: 009DBFFE
Part of subcall function 009DBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 009DC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 009A196D

Strings

WIN_XPe, xrefs: 009A1788

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 8cc6e0d17121425aeddd5fd9df270399659dbe5634aa628465fa0eb887b7d757
Instruction ID: f86ae302f616082b9bab024033a949a21c72e0e3dbf8fa90f9bf3317690dc4e1
Opcode Fuzzy Hash: 8cc6e0d17121425aeddd5fd9df270399659dbe5634aa628465fa0eb887b7d757
Instruction Fuzzy Hash: B6F06D7080400DDFCB15DB94CAD4BECBBF8BB08300F102496E102A6090C7344F85DFA0

Function 009E5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009E59AE
PostMessageW.USER32(00000000), ref: 009E59B5

Part of subcall function 009C5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009C52BC

Strings

Shell_TrayWnd, xrefs: 009E59A7

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: db5cf7943d0817de3ba208e3c2386fe36bc7ca8a85054028585b0ae5d47a4081
Instruction ID: 5029cd6fcc251a0706542361cd5be5640fcc4f1c4f6bceaec9eaa4aeb0871825
Opcode Fuzzy Hash: db5cf7943d0817de3ba208e3c2386fe36bc7ca8a85054028585b0ae5d47a4081
Instruction Fuzzy Hash: A8D0A9313843007BE664AB309C8BFD22A10BB80B10F00082AB206AE0D0C9E0AC00C664

Function 009E5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009E596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009E5981

Part of subcall function 009C5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009C52BC

Strings

Shell_TrayWnd, xrefs: 009E5967

Memory Dump Source

Source File: 00000000.00000002.1372030134.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.1371977071.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372583364.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372671902.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1372698774.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0cb9616985050a7d71d2da2da5babd9d298570e7fc2fa409b5700c89fbc959b5
Instruction ID: 0f278b1d76a5e0c563aa93f1ec72088caa968a204964a4fd0769e3ac4a91de34
Opcode Fuzzy Hash: 0cb9616985050a7d71d2da2da5babd9d298570e7fc2fa409b5700c89fbc959b5
Instruction Fuzzy Hash: FED0A931398300B7E664AB309C9BFE22A10BB80B10F00082AB20AAE0D0C9E0AC00C660

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut21E2.tmp

C:\Users\user\AppData\Local\Temp\aut2241.tmp

C:\Users\user\AppData\Local\Temp\aut2722.tmp

C:\Users\user\AppData\Local\Temp\aut282C.tmp

C:\Users\user\AppData\Local\Temp\aut59BB.tmp

C:\Users\user\AppData\Local\Temp\aut5A0A.tmp

C:\Users\user\AppData\Local\Temp\kinematical

C:\Users\user\AppData\Local\Temp\nonsubmerged

C:\Users\user\AppData\Local\hypopygidium\retrofit.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retrofit.vbs

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Function 00963B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 009649A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00964E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 009C9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00963015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00963041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0096708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00963A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00963633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00963766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 01800920 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Function 009639D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0096407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 0098541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre